itman 1,594 Posted May 4, 2021 (edited)

Specifically this packet inspection mitigation:

Quote:
Covert data in ICMP protocol detection – Checks to see if the ICMP protocol is used for data transfer. Many malicious techniques use the ICMP protocol to bypass the firewall.

Of note:

Quote:
Today, researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities. Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

Uses ICMP tunneling for covert communication

The oci.dll malware, once launched by msdtc, uses ICMP for stealthily receiving commands from its C2 server. Trustwave researchers who named this malware "Pingback," state that the advantage of using ICMP for communications is that Pingback remains effectively hidden from a user. That's because ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat. Every ICMP packet, however, does contain a "data" field with enough space to sneak in custom data within the field and to transmit it back and forth between two systems.

https://www.bleepingcomputer.com/news/security/new-windows-pingback-malware-uses-icmp-for-covert-communication/

Yes, Eset detects oci.dll by signature. But what about the next 0-day malware to use the technique, which is far from new?

Edited May 4, 2021 by itman
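As an added example (not from itman's post, the ESET product, or the Trustwave/BleepingComputer write-up), here is a small Python detector for the "covert data in ICMP" check discussed above: it parses ICMP echo packets and flags data fields that look like carried data rather than ping filler. It assumes the 32-byte Windows ping pattern, an iputils-style Linux payload (16-byte timestamp followed by bytes equal to their offset), constructed sample frames, and illustrative thresholds.

```python
import math
import struct
from collections import namedtuple
from typing import List, Optional

WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping default data (32 bytes)
IcmpPacket = namedtuple("IcmpPacket", "type code ident seq payload")

def parse_icmp(raw: bytes) -> Optional[IcmpPacket]:
    """Parse an RFC 792 ICMP header; the checksum is read but not validated here."""
    if len(raw) < 8:
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return IcmpPacket(typ, code, ident, seq, raw[8:])

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive filler, near 8 for encrypted or compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(bytes([b])) for b in set(data))) if n else 0.0

def looks_like_filler(p: bytes) -> bool:
    """Windows pattern, or iputils-style fill (byte == offset) after a 16-byte timestamp (assumed layout)."""
    if not p or p == WINDOWS_PING_PAYLOAD:
        return True
    return len(p) > 16 and all(p[i] == i & 0xFF for i in range(16, len(p)))

def covert_indicators(pkt: IcmpPacket, max_len: int = 64, entropy_limit: float = 5.0) -> List[str]:
    """Reasons an echo request/reply looks like a data channel rather than a diagnostic ping."""
    if pkt.type not in (0, 8) or looks_like_filler(pkt.payload):  # 8 = echo request, 0 = echo reply
        return []
    p = pkt.payload
    reasons = []
    if len(p) > max_len:
        reasons.append(f"oversized payload ({len(p)} bytes)")
    ent = shannon_entropy(p)
    if ent > entropy_limit:
        reasons.append(f"high-entropy payload ({ent:.2f} bits/byte)")
    return reasons or ["payload matches no known ping filler pattern"]

def build_echo(typ: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed sample frame; the checksum field is left 0 because parse_icmp ignores it."""
    return struct.pack("!BBHHH", typ, 0, 0, ident, seq) + payload

# Constructed samples (not real captures): Windows and Linux-style pings, then echoes carrying data.
SAMPLES = {
    "windows_ping": build_echo(8, 1, 1, WINDOWS_PING_PAYLOAD),
    "linux_ping": build_echo(8, 1, 2, bytes(16) + bytes(range(16, 56))),
    "covert_binary": build_echo(8, 1, 3, bytes((i * 37 + 11) % 256 for i in range(128))),
    "covert_text": build_echo(8, 1, 4, b"status: ok\n"),
}
RESULTS = {name: covert_indicators(parse_icmp(raw)) for name, raw in SAMPLES.items()}
```

Real deployments would baseline payload sizes and entropy per host and also watch echo request/reply volume and timing, since a tunnel can mimic filler while still moving data.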