A Trojan has been discovered that attempts to evade detection by sending stolen data back to its criminal creators using the ICMP (Internet Control Message Protocol) back channel.
Detected by security company Websense, the unnamed Trojan is a relatively conventional data-stealer up to the point it communicates back to its host.
Once a PC has become infected, the Trojan installs itself as an Internet Explorer browser helper object (BHO), and then waits quietly for the user to access one or more target online banking Web sites.
If a target site is accessed, it logs the field keystrokes, inserting them into the data part of ICMP ping packets after performing a simple XOR encryption routine on them.
The effect is, Websense claims with some justification, to make the data stream very hard to detect because ICMP is the last place one would normally look to find pilfered data. ICMP packets are normally used to send feelers out to Internet hosts, for example by utilities such as Traceroute or Ping, and are a routine occurrence.
Data and password-stealing Trojans more commonly use conventional channels such as e-mail or HTTP mail to send information out of a network or PC, but this is something that can be blocked.
Websense reports that the Trojan works, after testing it out while entering data on the SSL-based Web site of Deutsche bank using an infected PC. The Websense Web site offers an eerie screen grab of the results of this, before and after encoding by the BHO.
Despite being an old criminal pastime, the steady evolution of malware to automate phishing continues. Password stealers still plague Internet users, using every technique going, while others come as a consequence of rapidly-expanding botnet networks.
From being a high-profile crime that depended on social engineering of the gullible, phishing has retreated into a world of automated botnets, and exploits based on subterfuge and stealth. Anyone suffering at the bleeding edge of an ICMP Trojan would never be aware anything was amiss until their bank account suddenly emptied one day.
This story, "Trojan data-stealer hijacks ICMP traffic" was originally published by Techworld.com.