Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-02-04 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Odd ICMP Echo Request Payload

Published: 2014-02-04
Last Updated: 2014-02-05 01:46:38 UTC
by Johannes Ullrich (Version: 3)
1 comment(s)

Update^2:

We now got confirmation that these packets are related to NVidia driver updates. One reader send us a complete capture, and also see the comments to this story below.

Here is a summary of the complete packet capture:

1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat   (I obfuscated the full URL)

0.dat is a signed Windows executable

After it finished, the update software will send the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.

Thanks all for your help solving this!!

 

Update:

Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - Nvidia Helsinki DSL . But other IP addresses reported also point to NVidia.

There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.

---------

Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed nessus scans are unable to connect). 

The ICMP echo requests being sent from the host contain the payload "PING DATA!" , nothing else of interest in the packets. They go out to various hosts. (see below for details).

Has anybody seen these before? They seems "familiar", but I can't point to the exact tool right now...

 xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000   4500 003c 211d 0000 fe01 b5bf xxxx xxxx        E..<!.........Wb
0x0010   5396 7a61 0800 b6b3 0001 0001 5049 4e47        S.za........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000   4500 003c 3508 0000 fe01 b706 xxxx xxxx        E..<5.........Wb
0x0010   5a53 5e72 0800 b6b2 0001 0002 5049 4e47        ZS^r........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000   4500 003c 356a 0000 fe01 760d xxxx xxxx        E..<5j....v...Wb
0x0010   654e 940e 0800 b6b1 0001 0003 5049 4e47        eN..........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 comment(s)

Adobe Flash Player Emergency Patch

Published: 2014-02-04
Last Updated: 2014-02-04 19:29:24 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

Adobe today released an emergency patch for a vulnerability that is currently actively exploited. The patch addresses CVE-2014-0497. [1]

The address affects all Windows, OS X and Linux. for Windows/OS X, the current version is now 12.0.0.44 and for Linux 11.2.202.336. Google Chrome users need to update Google Chrome to fix the included version of Flash as do users of Internet Explorer 10 and 11. [2]

[1] http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
[2] http://technet.microsoft.com/en-us/security/advisory/2755801

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: adobe patch
1 comment(s)

Do you block "new" domain names?

Published: 2014-02-04
Last Updated: 2014-02-04 12:41:39 UTC
by Johannes Ullrich (Version: 1)
14 comment(s)

This is more a quick question then a full post: Many attacks use recently registered domain names. Do you block newly registered domain names (lets say for the first week)? What system do you use to do so? I am thinking about setting up a simple API to return a "days registered" for a domain name, but first want to see what else is out there.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: DNS
14 comment(s)
ISC StormCast for Tuesday, February 4th 2014 http://isc.sans.edu/podcastdetail.html?id=3821
Diary Archives