Odd ICMP Echo Request Payload
Update^2:
We now have confirmation that these packets are related to NVidia driver updates. One reader sent us a complete capture; also see the comments to this story below.
Here is a summary of the complete packet capture:
1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat (I obfuscated the full URL)
0.dat is a signed Windows executable
After the download finishes, the update software sends the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.
Thanks all for your help solving this!!
Update:
Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - Nvidia Helsinki DSL. But other IP addresses reported also point to NVidia.
There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.
---------
Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed nessus scans are unable to connect).
The ICMP echo requests being sent from the host contain the payload "PING DATA!" , nothing else of interest in the packets. They go out to various hosts. (see below for details).
Has anybody seen these before? They seem "familiar", but I can't point to the exact tool right now...
xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000 4500 003c 211d 0000 fe01 b5bf xxxx xxxx E..<!.........Wb
0x0010 5396 7a61 0800 b6b3 0001 0001 5049 4e47 S.za........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000 4500 003c 3508 0000 fe01 b706 xxxx xxxx E..<5.........Wb
0x0010 5a53 5e72 0800 b6b2 0001 0002 5049 4e47 ZS^r........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000 4500 003c 356a 0000 fe01 760d xxxx xxxx E..<5j....v...Wb
0x0010 654e 940e 0800 b6b1 0001 0003 5049 4e47 eN..........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Adobe Flash Player Emergency Patch
Adobe today released an emergency patch for a vulnerability that is currently actively exploited. The patch addresses CVE-2014-0497. [1]
The update affects all Windows, OS X and Linux versions. For Windows/OS X, the current version is now 12.0.0.44 and for Linux 11.2.202.336. Google Chrome users need to update Google Chrome to fix the included version of Flash, as do users of Internet Explorer 10 and 11. [2]
[1] http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
[2] http://technet.microsoft.com/en-us/security/advisory/2755801
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Do you block "new" domain names?
This is more a quick question than a full post: Many attacks use recently registered domain names. Do you block newly registered domain names (let's say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" value for a domain name, but first want to see what else is out there.
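As an added illustration of the "days registered" idea (this is not the author's API, nor any existing service), the following Python computes a domain's age from the creation-date field of a WHOIS record and applies the one-week threshold. It assumes the caller has already obtained the WHOIS text by some other means; the two records below are constructed, not real registrations. The example also handles the failure mode a blocking policy must get right: when the creation date is missing or unparsable, the verdict is "review" rather than a silent block or allow.

```python
import re
from datetime import date, datetime

BLOCK_DAYS = 7  # "the first week", as the question puts it

# Constructed WHOIS excerpts (not real records), in two common date styles.
SAMPLE_WHOIS_NEW = """\
Domain Name: EXAMPLE-NEWLY-REGISTERED.TEST
Creation Date: 2014-02-01T09:15:00Z
Registrar: Example Registrar, Inc.
"""
SAMPLE_WHOIS_OLD = """\
domain: example-established.test
created: 11-jan-2005
status: ok
"""
SAMPLE_WHOIS_NODATE = """\
domain: example-unknown.test
status: ok
"""

# Field labels seen in common WHOIS output styles, matched case-insensitively.
_DATE_FIELD = re.compile(
    r"^\s*(?:creation date|created|created on|registered on)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Date formats tried in order; extend this list for registries you care about.
_DATE_FORMATS = (
    "%Y-%m-%dT%H:%M:%SZ",
    "%Y-%m-%dT%H:%M:%S.%fZ",
    "%Y-%m-%d %H:%M:%S",
    "%Y-%m-%d",
    "%d-%b-%Y",
)


def creation_date(whois_text):
    """Return the registration date as a date, or None if no field parses."""
    for match in _DATE_FIELD.finditer(whois_text):
        raw = match.group(1)
        for fmt in _DATE_FORMATS:
            try:
                return datetime.strptime(raw, fmt).date()
            except ValueError:
                continue
    return None


def days_registered(whois_text, today):
    """Age of the domain in days as of `today`, or None if unknown."""
    created = creation_date(whois_text)
    if created is None:
        return None
    return (today - created).days


def verdict(whois_text, today, block_days=BLOCK_DAYS):
    """'block' for domains younger than block_days, 'allow' for older ones,
    and 'review' when the age cannot be determined (missing field, unknown
    format, or a creation date in the future), so a WHOIS outage or an odd
    registry never silently turns into a block or an allow."""
    age = days_registered(whois_text, today)
    if age is None or age < 0:
        return "review"
    return "block" if age < block_days else "allow"


if __name__ == "__main__":
    today = date(2014, 2, 4)  # constructed reference date
    for name, rec in (("new", SAMPLE_WHOIS_NEW), ("old", SAMPLE_WHOIS_OLD),
                      ("nodate", SAMPLE_WHOIS_NODATE)):
        print(name, days_registered(rec, today), verdict(rec, today))
```

In production the WHOIS lookup itself is the hard part (rate limits, per-registry formats, privacy-redacted output), which is why the policy function treats "unknown" as its own outcome instead of folding it into either side.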
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute