Jump to content

About Those Removed IDS Protections In Ver. 14.1.19

Recommended Posts

Specifically this packet inspection mitigation:


Covert data in ICMP protocol detection – Checks to see if the ICMP protocol is used for data transfer. Many malicious techniques use the ICMP protocol to bypass the firewall.

Of note:


Today, researchers have disclosed their findings on a novel Windows malware sample that uses Internet Control Message Protocol (ICMP) for its command-and-control (C2) activities.

Dubbed "Pingback," this malware targets Microsoft Windows 64-bit systems, and uses DLL Hijacking to gain persistence.

Uses ICMP tunneling for covert communication

The oci.dll malware once launched by msdtc, uses ICMP for stealthily receiving commands from its C2 server.

Trustwave researchers who named this malware "Pingback," state that the advantage of using ICMP for communications is that Pingback remains effectively hidden from a user.

That's because ICMP has no concept of "ports" and uses neither TCP nor UDP. As such, oci.dll may not be picked up by diagnostic tools like netstat.

Every ICMP packet, however, does contain a "data" field with enough space to sneak in custom data within the field and to transmit it back and forth between two systems:

icmp packet



Yes, Eset detects oci.dll by signature. But what about the next 0-day malware to use the technique which is far from new?


Edited by itman
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...