A Trojan has been discovered that attempts to evade detection by sending stolen data back to its creators using the ICMP (Internet Control Message Protocol) back channel. Detected by Websense, the Trojan is a conventional data-stealer up to the point it communicates back to its host.
Once a PC has become infected, the Trojan installs itself as an Internet Explorer BHO (browser helper object), and then waits quietly for the user to access one or more target online-banking websites. If a target site is accessed, it logs the field keystrokes, inserting them into the data part of ICMP ping packets after performing a simple XOR encryption routine on them.
Websense claims the effect is to make the data stream very hard to detect because ICMP is the last place one would normally look to find pilfered data. ICMP packets are normally used to send feelers out to internet hosts, for example by utilities such as Traceroute or Ping, and are a routine occurrence.
Data and password-stealing Trojans more commonly use conventional channels such as email or HTTP mail to send information out of a network or PC, but this is something that can be blocked.
Websense reports that the Trojan works, after testing it out while entering data on the SSL-based website of Deutsche bank using an infected PC. The Websense website offers an eerie screen grab of the results of this, before and after encoding by the BHO.
Despite being an old criminal pastime, the steady evolution of malware to automate phishing continues. Password stealers still plague internet users, using every technique going, while others come as a consequence of rapidly-expanding botnet networks.
From being a high-profile crime that depended on social engineering of the gullible, phishing has retreated into a world of automated botnets, and exploits based on subterfuge and stealth. Anyone suffering at the bleeding edge of an ICMP Trojan would never be aware anything was amiss until their bank account suddenly emptied one day.