Author Topic: New trojan sends data home through ICMP  (Read 2032 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 33590
  • malware fighter
New trojan sends data home through ICMP
« on: August 10, 2006, 04:25:54 PM »
Hi malware fighters,

Most trojans send stolen data through a HTTP POST of GET. This is relatively easy to detect by a gateway or proxy server. Websense recently discovered a new trojan, that sends home stolen data through  ICMP. These kind of packets are  more difficult to be detected by  filters and gateways alike, because these  kind of data can be legit as well, and the data are "encrypted" (via a simple XOR mechanism) and sent in the ICMP data section.
A work-around is to not allow ICMP from the intranet to Internet. A snort signature for this trojan  has arrived as well.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!