Bigbruin.com
It's time for the tin-foil hats
BeerCheeze
*hick*


Joined: 14 Jun 2003
Posts: 9285
Location: At the Bar

Posted: Wed, 09 Aug 2006 16:49:23    Post Subject: It's time for the tin-foil hats

I hate computers....

Quote:
Websense® Security Labs™ has received a sample of a new phishing Trojan that delivers stolen information back to the attacker via ICMP packets. Upon infection of a victim's computer, the Trojan will install itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker.

The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet.

To network administrators and egress filters, this ICMP packet looks like legitimate traffic leaving the network. However, the ICMP packet actually contains encoded personal information entered by a user. The attackers presumably capture this packet at their remote server, where the packet is easily decoded to reveal the information entered by the user.

In our example, we infected a workstation and entered account information into the SSL website of Deutsche Bank. The Trojan BHO captured the information and sent a ping to a malicious remote server. Below you can view the encoded contents of the ICMP data section as well as the actual contents after they were manually decoded.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570
Kilamon
Rated XXX


Joined: 22 Mar 2005
Posts: 811

Posted: Wed, 09 Aug 2006 17:51:39

It was only a matter of time before someone figured out that you could put anything in the payload of a ping. All you'd need to find the traffic after it's in the wild would be a network sniffer tuned to listen for pings to the destination IP. Brilliant in its simplicity.
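An added example, not part of the thread or the Websense alert: a defender-side check that pulls the data section out of ICMP echo requests and flags any that do not match a stock ping fill. The function names are hypothetical, and the two fill patterns (Windows `a..w` repeated, Linux iputils 16-byte timestamp followed by counting bytes) are assumed defaults, so treat a hit as a lead to inspect rather than a verdict.

```python
import struct

WINDOWS_FILL = b"abcdefghijklmnopqrstuvw"  # Windows ping repeats a..w
UNIX_TS_LEN = 16  # assumed iputils layout: timestamp first, then byte i holds value i

def icmp_echo_payload(ip_packet):
    """Return the data section of an IPv4 ICMP echo request, or None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != 1 or len(ip_packet) < ihl + 8:  # proto 1 = ICMP
        return None
    if ip_packet[ihl] != 8 or ip_packet[ihl + 1] != 0:  # type 8, code 0 = echo request
        return None
    return ip_packet[ihl + 8:]

def is_stock_ping(payload):
    """True if the payload matches a default fill pattern (heuristic)."""
    if not payload:
        return True
    if all(b == WINDOWS_FILL[i % len(WINDOWS_FILL)] for i, b in enumerate(payload)):
        return True
    tail = payload[UNIX_TS_LEN:]
    return bool(tail) and all(b == ((i + UNIX_TS_LEN) & 0xFF) for i, b in enumerate(tail))

def flag_unusual_pings(packets):
    """Return indexes of echo requests whose data is not a stock fill."""
    hits = []
    for n, pkt in enumerate(packets):
        payload = icmp_echo_payload(pkt)
        if payload is not None and not is_stock_ping(payload):
            hits.append(n)
    return hits

def build_echo(payload):
    """Constructed test packet; checksums are left at zero (not validated here)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload

# Constructed samples: Windows ping, Linux ping, and an opaque non-stock payload.
SAMPLES = [
    build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo(bytes(16) + bytes(range(16, 56))),
    build_echo(bytes((i * 37 + 11) & 0xFF for i in range(48))),
]

if __name__ == "__main__":
    print("unusual echo requests at indexes:", flag_unusual_pings(SAMPLES))
```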
knight0334
Rated XXX


Joined: 22 Aug 2003
Posts: 2234
Location: Neither Here, Nor There

Posted: Thu, 10 Aug 2006 07:22:08

Like I said before, if they'd just start executing the people they catch for stuff like that sooner or later we'll run out of hackers, scriptkiddies, and code junkies.
LaTech
Ruthless TechTator


Joined: 15 Mar 2005
Posts: 532
Location: Missoula, MT

Posted: Thu, 10 Aug 2006 16:09:24

lol...I read that as "via ICBM packets" and was like "damn...that's hardcore!"

Need sleep...

_________________
" I reject your reality and substitute my own!" - Adam Savage - Mythbusters
All times are GMT - 4 Hours