New Trojan (BHO) disguises malicious traffic
ITNews.com.au | 9 August 2006 | Gregg Keizer
Posted on 08/08/2006 7:14:04 PM PDT by holymoly
Websense raises the alarm about a phishing Trojan that uses a new technique to cloak its activity.
The Web security company said that the Trojan, which installs itself as an Internet Explorer helper object, waits for the user to enter information in specific Web site forms -- particularly online banking sites -- then zaps the stolen data back to the attacker.
What's unique about the new Trojan, said Websense, is that it delivers that data via ICMP packets. Keylogging Trojans usually transmit purloined usernames and passwords via e-mail or an HTTP POST request. Both can be easily spotted.
"Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet," Websense's warning read. "To network administrators and filtering software, the ICMP packet looks like legitimate traffic."
Websense confirmed the new technique's effectiveness by infecting a system with the Trojan, then entering account information into the SSL-protected Deutsche Bank Web site. As expected, the Trojan captured the information and sent an ICMP ping to a malicious remote server.
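The article says only that the Trojan XOR-encodes the stolen form data and places it in the data section of an ICMP echo packet. The following added example (written for this page; it is not Websense's tooling or the Trojan's code) shows what a network-side check can do with exactly that description: parse the ICMP header, verify the RFC 1071 checksum, compare the payload against the filler that real ping clients send, and, when the payload is unfamiliar, brute-force a single-byte XOR key on the assumption that the plaintext is mostly ASCII text. The form data, the key 0x5A, the packet identifiers and the "trojan" packet itself are constructed here for illustration; the article does not publish the Trojan's key or its exact encoding.

```python
"""Inspect ICMP echo-request payloads for data that is not a normal ping,
and try to recover a single-byte-XOR-encoded payload.

Added example for this page; not Websense's tooling and not the Trojan's
code.  The packets, the "stolen" form data and the XOR key 0x5A below are
constructed for illustration: the article says only that the data is
XOR-encoded and placed in the data section of an ICMP ping packet.
"""
import struct

ICMP_ECHO_REQUEST = 8

# What real ping clients put in the echo data section:
#  - Windows ping.exe sends 32 bytes of the alphabet, wrapping after 'w'.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
#  - iputils ping (Linux) sends a timestamp followed by filler in which each
#    byte equals its own offset in the data section (0x10, 0x11, ... 0x37 for
#    the default 56-byte payload on a 64-bit host).


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header and data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP packet into header fields and payload; verify the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than its 8-byte header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "id": ident,
        "seq": seq,
        # Summing a packet that carries a correct checksum yields zero.
        "checksum_ok": icmp_checksum(packet) == 0,
        "payload": packet[8:],
    }


def looks_like_normal_ping(payload: bytes) -> bool:
    """True if the payload matches a known ping-client filler pattern."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    # iputils: after the (8- or 16-byte) timestamp every byte is its offset.
    if len(payload) >= 24 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return True
    return False


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)


# Weights for scoring candidate plaintexts: common English letters score
# high, other printable bytes score little, non-printable bytes are penalised.
_LETTER_WEIGHT = {c: w for c, w in zip("etaoinshrdlu", range(12, 0, -1))}


def english_score(data: bytes) -> int:
    score = 0
    for b in data:
        if not 32 <= b < 127:
            score -= 20
            continue
        ch = chr(b)
        score += _LETTER_WEIGHT.get(ch.lower(), 0) + (1 if ch.isalnum() else 0)
    return score


def recover_xor_key(payload: bytes) -> tuple:
    """Brute-force a single-byte XOR key assuming mostly-ASCII plaintext.
    Returns (key, decoded_bytes)."""
    best = max(range(256), key=lambda k: english_score(xor_bytes(payload, k)))
    return best, xor_bytes(payload, best)


def inspect_echo_request(packet: bytes) -> dict:
    """Classify one ICMP packet and, if it looks like exfiltration, decode it."""
    info = parse_icmp(packet)
    finding = {"suspicious": False, "reason": "", "key": None, "decoded": b""}
    if info["type"] != ICMP_ECHO_REQUEST:
        finding["reason"] = "not an echo request"
        return finding
    if not info["checksum_ok"]:
        finding.update(suspicious=True, reason="bad checksum")
        return finding
    if looks_like_normal_ping(info["payload"]):
        finding["reason"] = "standard ping filler"
        return finding
    key, decoded = recover_xor_key(info["payload"])
    finding.update(suspicious=True, reason="non-standard payload", key=key, decoded=decoded)
    return finding


# --- Constructed sample traffic (not captured from the real Trojan) ---
STOLEN_FORM_DATA = b"user=jdoe&pass=Secret1"  # hypothetical form contents
TROJAN_XOR_KEY = 0x5A                          # hypothetical key


def sample_packets() -> dict:
    linux_payload = bytes(8) + bytes(range(8, 56))  # timestamp placeholder + filler
    return {
        "windows_ping": build_echo_request(1, 1, WINDOWS_PING_PAYLOAD),
        "linux_ping": build_echo_request(2, 1, linux_payload),
        "trojan_ping": build_echo_request(3, 1, xor_bytes(STOLEN_FORM_DATA, TROJAN_XOR_KEY)),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        f = inspect_echo_request(pkt)
        extra = "" if f["key"] is None else " key=%#x decoded=%r" % (f["key"], f["decoded"])
        print(name, "SUSPICIOUS" if f["suspicious"] else "ok", f["reason"] + extra)
```

The point for a network administrator is the one the Websense quote glosses over: an ICMP echo request "looks like legitimate traffic" only if nobody looks at the data section. A real ping client sends a fixed, recognisable filler, so anything else in an outbound echo request is worth flagging, and a single-byte XOR is an encoding, not encryption: the key falls out of a 256-candidate brute force in a fraction of a second. Hooked up to a packet capture, the same checks would run over the decoded IP payload of every outbound ICMP packet.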
TOPICS: Chit/Chat; Computers/Internet
KEYWORDS: bho; icmp; ie; msie; opera; ping; trojan
"the Trojan...installs itself as an Internet Explorer helper object"
And can most likely be avoided by using an alternative browser:
Opera
Mozilla
Also, WinPatrol and, I believe, Spybot - Search & Destroy's TeaTimer both offer protection against installation of unwanted BHOs.
1 posted on 08/08/2006 7:14:06 PM PDT by holymoly
To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...
2 posted on 08/09/2006 5:31:35 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
To: holymoly
"Websense confirmed the new technique's effectiveness by infecting a system with the Trojan, then entering account information into the SSL-protected Deutsche Bank Web site. As expected, the Trojan captured the information and sent an ICMP ping to a malicious remote server."
Why would they disclose this? This should have been given to the FBI or CIA; they could have tracked it down and busted the person behind it...
To: Echo Talon
And in the meantime admins would be exposed when all they have to do is block outgoing ICMP packets from their LAN! Why would you have people exposed to identity theft?
4 posted on 08/09/2006 6:08:58 AM PDT by N3WBI3 ("I can kill you with my brain" - River Tam)
To: holymoly
If it's pinging a server they should be able to do a traceroute on it and find out where it is.
I'd love to catch one of these guys, just once.
5 posted on 08/09/2006 6:14:39 AM PDT by unixfox (The 13th Amendment Abolished Slavery, The 16th Amendment Reinstated It !)
To: N3WBI3
A lot of organizations already restrict ICMP traffic to particular hosts. Ours does, and it makes it really difficult to troubleshoot some problems.
6 posted on 08/09/2006 6:38:12 AM PDT by zeugma (I reject your reality and substitute my own in its place. (http://www.zprc.org/))
To: holymoly
I've got WinPatrol -- it's a Godsend...
7 posted on 08/09/2006 6:47:35 AM PDT by GOPJ (Al Gore - the original "Millions Could Die" kind of guy....)
To: Echo Talon
"why would they disclose this? this should have been given to the FBI or CIA, they could have tracked it down and busted the person behind it..."
Well, that's the Micro$oft way. Keep it secret until you have a fix; meanwhile unsuspecting users are merrily surfin' away entering personal data that may or may not be compromised.
Yes, they could, and probably will track down the black hat, but at least the word is out and people can take measures to protect themselves.
8 posted on 08/09/2006 6:47:50 AM PDT by AFreeBird (... Burn the land and boil the seas, but you can't take the skies from me.)
To: GOPJ
"I've got WinPatrol -- it's a Godsend..."
I'll try it. I may replace my TeaTimer with WinPatrol.
9 posted on 08/09/2006 6:59:41 AM PDT by Bloody Sam Roberts (Dawn of light...lying between a silence and sold sources...)
To: EdReform
10 posted on 08/09/2006 7:03:01 AM PDT by EdReform (Protect our 2nd Amendment Rights - Join the NRA today - www.nra.org)
To: zeugma
Zeg,
As does mine, but many do not and would not think to... A warning that says *ICMP Virus* might wake up their admins and protect their users..
Not having ICMP for diags stinks, but having hackers not have ICMP for diags rules..
11 posted on 08/09/2006 7:16:19 AM PDT by N3WBI3 ("I can kill you with my brain" - River Tam)
To: AFreeBird
Yeah, well, they give you no clue as to how to remove it or how to tell if you even have it... It should have been kept a secret until they caught him red-handed..
To: Echo Talon
Well, if it's using the system "ping" command to transmit, then you could - if you were aware - take steps to lock it down.
13 posted on 08/09/2006 7:21:55 PM PDT by AFreeBird (... Burn the land and boil the seas, but you can't take the skies from me.)