    Archive for August 9th, 2006




    A new Trojan with phishing capabilities has caught our attention recently. Like any other malware that phishes for user information, this Trojan installs itself as a Browser Helper Object (BHO) for Internet Explorer and captures the data the user enters.


    What makes this particular Trojan different from the others is the way it sends the captured data to the attackers. A phishing Trojan would usually use email or an HTTP POST to send the data; this one instead encodes the captured data in ICMP packets.


    ICMP (Internet Control Message Protocol) packets are commonly used for network diagnostic tasks, such as pinging a server to check whether it is up. By sending its data over ICMP, this Trojan keeps the traffic it generates from alerting network administrators who monitor for suspicious traffic: ICMP traffic looks fairly normal even when it carries encoded data. This covert technique for transmitting data was described in the Loki Project, a white paper on tunneling information through ICMP.


    This Trojan is detected by Trend as TSPY_SMALL.CBE. Its detection pattern is available in CPR 3.642.07.


    Update (Ivan, Wed, 09 Aug 2006 02:46:04 PM)

    Some updates from Joey…

    The encryption uses an XOR operation, with accompanying SHL, OR, and ADD operations.

    The ICMP data is sent to 217.172.47.218, which is somewhere in Germany. This IP address is hard-coded in the malware code.


    Update (Joey, Wed, 09 Aug 2006 08:53:07 PM)


    This is not actually an update, but a bit of trivia. This malware is an in-the-wild sample using a covert communications channel. In the case of this malware, it uses ICMP echo packets (these are the packets you send when using the “ping” program) to hide transmitted data.


    ICMP packets are usually allowed to pass through most firewalls and are largely considered “safe” network traffic; hence, using ICMP increases the chances of the data reaching the intended destination.


    As far as I know, the first tool to document a covert communications channel using ICMP is Loki, an article released way back in 1996. Loki “smuggles” the data into the data portion of the ICMP packets. This is the same technique that is used by TSPY_SMALL.CBE.
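A detector-side illustration of the technique the post describes, added here and not part of the original post or of Trend Micro's tooling: it parses raw IPv4/ICMP echo requests, validates the ICMP checksum, and flags a destination that receives several distinct payloads that are not stock ping padding, which is the shape a tunnel carrying captured form data produces while a real ping repeats the same padding. The Windows ping padding string, the 10.0.0.x addresses, the sample form fields and the XOR key 0xA7 are constructed assumptions; the post itself only states that XOR is used and names 217.172.47.218 as the hard-coded destination.

```python
import struct
from collections import defaultdict
# Assumption: Windows ping's 32-byte padding is the only whitelisted benign payload here.
STOCK_PING_PAYLOADS = {b"abcdefghijklmnopqrstuvwabcdefghi"}

def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(dst: str, payload: bytes) -> bytes:
    """Constructed IPv4 + ICMP echo request, used only to feed the detector offline."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes(int(o) for o in dst.split(".")))
    return ip + icmp

def parse_icmp(packet: bytes) -> dict:
    """Destination, ICMP type, echo payload and checksum validity from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[ihl:]
    icmp_type, _code, cksum = struct.unpack("!BBH", icmp[:4])
    return {"dst": ".".join(map(str, packet[16:20])), "type": icmp_type, "payload": icmp[8:],
            "checksum_ok": icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) == cksum}

def find_icmp_carriers(packets: list, min_distinct: int = 3) -> dict:
    """Flag, per destination, echo-request streams of non-stock payloads that keep changing."""
    per_dst = defaultdict(list)
    for pkt in map(parse_icmp, packets):
        if pkt["type"] == 8 and pkt["checksum_ok"]:
            per_dst[pkt["dst"]].append(pkt["payload"])
    findings = {}
    for dst, payloads in per_dst.items():
        odd = {p for p in payloads if p not in STOCK_PING_PAYLOADS}
        if len(odd) >= min_distinct:
            findings[dst] = {"echo_requests": len(payloads), "distinct_payloads": len(odd),
                             "binary_payloads": sum(any(b < 0x20 or b > 0x7E for b in p) for p in odd)}
    return findings

def sample_capture() -> list:
    """Constructed traffic: 3 ordinary pings, then 3 XOR-scrambled form-field chunks to the post's IP."""
    chunks = [b"user=alice&pw=secret", b"site=bank.example", b"sess=8f3a"]
    return [build_echo_request("10.0.0.1", next(iter(STOCK_PING_PAYLOADS))) for _ in range(3)] + \
           [build_echo_request("217.172.47.218", bytes(b ^ 0xA7 for b in c)) for c in chunks]
```

On a live capture the per-destination counts would accumulate over a window; a single changing payload is weak evidence, but many echo requests to one host that never repeat and carry non-printable bytes are worth a look, and echo requests that fail the checksum are ignored rather than counted.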


     
    Posted in Uncategorized | Comments Off


    Aug 9, 8:33 am (UTC-7)

    Microsoft has just released its monthly security update for August, addressing the following vulnerabilities.


    Critical



    • MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883)
    • MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683)
    • MS06-042 Cumulative Security Update for Internet Explorer (918899)
    • MS06-043 Vulnerability in Microsoft Windows Could Allow Remote Code Execution (920214)
    • MS06-044 Vulnerability in Microsoft Management Console Could Allow Remote Code Execution (917008)
    • MS06-046 Vulnerability in HTML Help Could Allow Remote Code Execution (922616)
    • MS06-047 Vulnerability in Microsoft Visual Basic for Applications Could Allow Remote Code Execution (921645)
    • MS06-048 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (922968)
    • MS06-051 Vulnerability in Windows Kernel Could Result in Remote Code Execution (917422)

    Important



    • MS06-045 Vulnerability in Windows Explorer Could Allow Remote Code Execution (921398)
    • MS06-049 Vulnerability in Windows Kernel Could Result in Elevation of Privilege (920958)
    • MS06-050 Vulnerabilities in Microsoft Windows Hyperlink Object Library Could Allow Remote Code Execution (920670)

    Please visit Windows Update to obtain the patches.

     
    Posted in Uncategorized | Comments Off


     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice