A new Trojan with phishing capabilities has caught our attention recently. Like any other malware that phish for user information, this Trojan installs itself as a Browser Helper Object (BHO) for Internet Explorer and captures the data entered by the user.
But what makes this particular Trojan different from the others is the way that it sends its captured data to the attackers. Usually, a phishing Trojan would make use of email or HTTP POST to send the data but this particular malware however, encodes the captured data in ICMP packets.
ICMP (Internet Control Message Protocol) packets are often used for network diagnostic tasks, such as pinging a server to verify whether it is up or not. By using ICMP to send data, this Trojan ensures that the traffic that it generates does not alert network administrators who monitor for suspicious traffic. ICMP traffic looks fairly normal even if it does contain encoded data. This covert technique of transmitting data was mentioned in the Loki Project, which is a white paper describing information tunneling techniques through the use of ICMP.
This Trojan is being detected by Trend as TSPY_SMALL.CBE. Its detection pattern is available in CPR 3.642.07
Update(Ivan, Wed, 09 Aug 2006 02:46:04 PM)Some updates from Joey…
The encryption uses an XOR operation, with accompanying SHL, OR, ADD, operations.
The ICMP data is sent to 220.127.116.11, which is somewhere in Germany. This IP address is hard-coded in the malware code.
Update(Joey, Wed, 09 Aug 2006 08:53:07 PM)
This is not actually an update, but a bit of trivia. This malware is an in-the-wild sample using a covert communications channel. In the case of this malware, it uses ICMP echo packets(these are the packets you send when using the “ping” program) to hide transmitted data.
ICMP packets packets are usually allowed to pass through most firewalls, and is largely considered as “safe” network traffic; hence, using ICMP increases the chances of the data to reach the intended destination.
As far as I know, the first tool to document a covert communications channel using ICMP is Loki, an article released way back in 1996. Loki “smuggles” the data into the data portion of the ICMP packets. This is the same technique that is used by TSPY_SMALL.CBE.