[Full-disclosure] Re: ICMP DestinationUnreachable Port Unreachable
BFetch at texpac.com
Wed Aug 16 22:40:39 BST 2006
Isn't there a new Trojan that's using ICMP to send back its pilfered
data? It's encrypted (if I remember correctly) so no clear-text reading
of what's sent and that may explain why you're seeing the random data.
The padding of the same characters in individual packets may designate
start/stop points in the transmission segments.
Just my $.02...
From: full-disclosure-bounces at lists.grok.org.uk
[mailto:full-disclosure-bounces at lists.grok.org.uk] On Behalf Of Adriel
Sent: Wednesday, August 16, 2006 10:30 AM
To: Adriel T. Desautels
Cc: full-disclosure at lists.grok.org.uk; Valdis.Kletnieks at vt.edu
Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
I failed to mention that they came in bursts of 3 every 5 minutes on
Adriel T. Desautels wrote:
> After over 100,000 alerts each with very different payloads the
> traffic stopped. I do have a list of all of the dropped packets from
> firewall as well and it appears that it was hitting 3 IP addresses
> are public facing, not just one. The weird part, is that two of those
> three aren't even live. So I think that this may have been noise from
> different attack...
> I'd be very interested in decoding the payloads for some of these.
> Anyone here have any tools to do such a decode? I'd rather not do it
> manual if at all possible.
> Valdis.Kletnieks at vt.edu wrote:
>> On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:
>>> Although the port 0 in this case is a red herring and irrelevant.
>>> itself when used with TCP/UDP (not ICMP!) can actually be used on
>>> Internet. A while back I modified netcat and my linux kernel so that
>>> allow usage of port 0 and was able to connect to a remote machine
>>> with that port and communicate fine.
>> Of course, the poor security geek who see a TCP SYN from port 0 to
>> and then a SYN+ACK reply back, will be going WTF??!? for the rest of
>> the day. :)
>> (Another good one to induce head-scratching is anything that does
>> RFC1644-style T/TCP. Anytime you see a packet go by in one direction
>> SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data.. ;)
>> data on it... ;)
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
Vulnerability Research and Exploit Development
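Adriel asks above for something to decode these payloads. As an added example (not code from this thread or from anyone in it), the Python below parses one ICMP Destination Unreachable message, pulls out the quoted inner IP/UDP header, and notes what a defender should check before treating trailing bytes as a covert channel: the checksum, the inner header, and any data beyond the 8 bytes RFC 792 requires. The sample packets, addresses and ports are constructed.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a correctly checksummed message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_dest_unreach(quoted: bytes, code: int = 3) -> bytes:
    """Constructed sample: ICMP type 3 header around `quoted`, checksum filled in."""
    csum = icmp_checksum(struct.pack("!BBHI", 3, code, 0, 0) + quoted)
    return struct.pack("!BBHI", 3, code, csum, 0) + quoted

def analyse_dest_unreach(msg: bytes) -> dict:
    """Decode one ICMP type 3 message and list anything a defender should query."""
    icmp_type, code, _, _ = struct.unpack("!BBHI", msg[:8])
    quoted = msg[8:]  # copy of the datagram that triggered the error
    out = {"type": icmp_type, "code": code, "findings": []}
    if icmp_checksum(msg) != 0:
        out["findings"].append("bad_checksum")
    ihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    # RFC 792: the quote is the inner IP header plus 8 bytes of its payload.
    if len(quoted) < ihl + 8 or ihl < 20 or quoted[0] >> 4 != 4:
        out["findings"].append("inner_ip_header_unparseable")
        return out
    out["inner_src"] = str(IPv4Address(quoted[12:16]))
    out["inner_dst"] = str(IPv4Address(quoted[16:20]))
    out["inner_sport"], out["inner_dport"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    if code == 3 and quoted[9] != 17:  # port unreachable is a UDP error; TCP answers with RST
        out["findings"].append("port_unreach_but_inner_proto_%d" % quoted[9])
    extra = quoted[ihl + 8:]
    out["extra_len"] = len(extra)
    # RFC 1812 lets routers quote more than 8 bytes, so extra data alone proves nothing;
    # a long run of one filler byte is the kind of padding the reply above describes.
    if len(extra) >= 8:
        byte, count = Counter(extra).most_common(1)[0]
        if count * 2 >= len(extra):
            out["findings"].append("repeated_padding_0x%02x" % byte)
    return out

# Constructed samples: a clean UDP port-unreachable, and one with 32 trailing bytes of mostly one filler byte.
INNER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 36, 0x1234, 0, 64, 17, 0, bytes([192, 0, 2, 10]),
                    bytes([198, 51, 100, 7])) + struct.pack("!HHHH", 40000, 53, 16, 0)
CLEAN = build_dest_unreach(INNER)
PADDED = build_dest_unreach(INNER + b"\x9f\x02\xc4" + b"A" * 29)
```

Feed it the ICMP portion of each dropped packet (after the outer IP header) and compare the `findings` and `extra_len` across the burst; a fixed-size blob with the same filler byte on every packet is a stronger signal than any single message.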