New Pingback Malware Using ICMP Tunneling to Evade C&C Detection


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Researchers on Tuesday disclosed a novel malware that uses a variety of tricks to stay under the radar and evade detection, while stealthily capable of executing arbitrary commands on infected systems.

Called 'Pingback,' the Windows malware leverages Internet Control Message Protocol (ICMP) tunneling for covert bot communications, allowing the adversary to utilize ICMP packets to piggyback attack code, according to an analysis published today by Trustwave.

Pingback ("oci.dll") achieves this by getting loaded through a legitimate service called MSDTC (Microsoft Distributed Transaction Coordinator) — a component responsible for handling database operations that are distributed over multiple machines — by taking advantage of a method called DLL search order hijacking, which involves using a genuine application to preload a malicious DLL file. [...]
"ICMP tunneling is not new, but this particular sample piqued our interest as a real-world example of malware using this technique to evade detection," the researchers said. "ICMP is useful for diagnostics and performance of IP connections, [but] it can also be misused by malicious actors to scan and map a target's network environment. While we are not suggesting that ICMP should be disabled, we do suggest putting in place monitoring to help detect such covert communications over ICMP."