About Those Removed IDS Protections In Ver. 14.1.19


Recommended Posts

Posted (edited)

Specifically this packet inspection mitigation:

Quote

Covert data in ICMP protocol detection – Checks to see if the ICMP protocol is used for data transfer. Many malicious techniques use the ICMP protocol to bypass the firewall.

Of note:

Quote

Today, researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities.

Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

Uses ICMP tunneling for covert communication

The oci.dll malware once launched by msdtc, uses ICMP for stealthily receiving commands from its C2 server.

Trustwave researchers who named this malware "Pingback," state that the advantage of using ICMP for communications is that Pingback remains effectively hidden from a user.

That's because ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat.

Every ICMP packet, however, does contain a "data" field with enough space to sneak in custom data within the field and to transmit it back and forth between two systems:

[image: ICMP packet layout showing the data field]

https://www.bleepingcomputer.com/news/security/new-windows-pingback-malware-uses-icmp-for-covert-communication/

Yes, Eset detects oci.dll by signature. But what about the next 0-day malware to use the technique, which is far from new?

Edited by itman
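For readers who want to see what a "covert data in ICMP" check actually looks for, below is an added example of the detection logic, written for this thread; it is not ESET's code and not part of the original post. It parses raw IPv4/ICMP echo packets, extracts the data field the article describes, and flags payloads that are oversized, high in entropy (encrypted or compressed data), not matching a known ping baseline, or replies whose data differs from the request they answer (a genuine echo reply mirrors the request byte for byte). The Windows ping payload pattern, the 64-byte size limit, the 6.0 bits/byte entropy threshold and the sample packets are all constructed assumptions; a real deployment would learn its baseline from its own traffic.

```python
import math
import struct

# Baseline payload of the stock Windows ping client (32 bytes). Constructed from
# the well-known pattern; a deployment would learn its own baseline from traffic.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
MAX_NORMAL_PAYLOAD = 64      # assumption: larger echo payloads are rare on this network
ENTROPY_THRESHOLD = 6.0      # assumption: bits/byte; stock ping payloads score far lower


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a raw IPv4+ICMP echo packet; used here only to construct sample input."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))   # constructed addresses
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (type, ident, seq, payload) for an IPv4 ICMP echo packet, else None."""
    if len(packet) < 20 or packet[9] != 1:          # IP protocol number 1 = ICMP
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8:
        return None
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp_type, ident, seq, packet[ihl + 8:]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 8.0 for random data, low for repeated patterns."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def matches_ping_baseline(payload: bytes) -> bool:
    """True for the Windows pattern or for payloads ending in a one-step byte ramp
    (the filler that iputils-style ping clients append after their timestamp)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    tail = payload[-16:]
    return len(tail) == 16 and all(tail[i + 1] == (tail[i] + 1) & 0xFF for i in range(15))


class IcmpCovertChannelDetector:
    """Stateful inspector: flags echo payloads that do not look like stock ping traffic."""

    def __init__(self):
        self.pending = {}   # (ident, seq) -> request payload, compared against the reply

    def inspect(self, packet: bytes) -> list:
        parsed = parse_ipv4_icmp(packet)
        if parsed is None:
            return []
        icmp_type, ident, seq, payload = parsed
        findings = []
        if len(payload) > MAX_NORMAL_PAYLOAD:
            findings.append("oversized echo payload (%d bytes)" % len(payload))
        if len(payload) >= 32 and shannon_entropy(payload) > ENTROPY_THRESHOLD:
            findings.append("high-entropy payload (possible encrypted data)")
        if payload and not matches_ping_baseline(payload):
            findings.append("payload does not match known ping baseline")
        if icmp_type == ICMP_ECHO_REQUEST:
            self.pending[(ident, seq)] = payload
        else:
            request = self.pending.pop((ident, seq), None)
            # A genuine reply echoes the request data unchanged; a server answering
            # with different bytes in the data field is the classic tunnel tell.
            if request is not None and request != payload:
                findings.append("reply payload differs from the request it answers")
        return findings


if __name__ == "__main__":
    det = IcmpCovertChannelDetector()
    # Constructed samples: a normal Windows ping exchange and a suspect one.
    print(det.inspect(build_ipv4_icmp(ICMP_ECHO_REQUEST, 1, 1, WINDOWS_PING_PAYLOAD)))
    print(det.inspect(build_ipv4_icmp(ICMP_ECHO_REPLY, 1, 1, WINDOWS_PING_PAYLOAD)))
    suspect = bytes((i * 37 + 11) % 256 for i in range(200))   # stand-in for ciphertext
    print(det.inspect(build_ipv4_icmp(ICMP_ECHO_REQUEST, 3, 1, suspect)))
```

Any one of these findings on its own is a weak signal (large pings and non-default payloads exist legitimately), which is why an IDS rule of this kind is usually a scored combination rather than a hard block; the reply-differs-from-request check is the most reliable of the four because correct ICMP echo behaviour never produces it.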