Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Odd ICMP Echo Request Payload InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Odd ICMP Echo Request Payload

Published: 2014-02-04
Last Updated: 2014-02-05 01:46:38 UTC
by Johannes Ullrich (Version: 3)
1 comment(s)

Update^2:

We now got confirmation that these packets are related to NVidia driver updates. One reader send us a complete capture, and also see the comments to this story below.

Here is a summary of the complete packet capture:

1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat   (I obfuscated the full URL)

0.dat is a signed Windows executable

After it finished, the update software will send the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.

Thanks all for your help solving this!!

 

Update:

Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - Nvidia Helsinki DSL . But other IP addresses reported also point to NVidia.

There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.

---------

Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed nessus scans are unable to connect). 

The ICMP echo requests being sent from the host contain the payload "PING DATA!" , nothing else of interest in the packets. They go out to various hosts. (see below for details).

Has anybody seen these before? They seems "familiar", but I can't point to the exact tool right now...

 xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000   4500 003c 211d 0000 fe01 b5bf xxxx xxxx        E..<!.........Wb
0x0010   5396 7a61 0800 b6b3 0001 0001 5049 4e47        S.za........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000   4500 003c 3508 0000 fe01 b706 xxxx xxxx        E..<5.........Wb
0x0010   5a53 5e72 0800 b6b2 0001 0002 5049 4e47        ZS^r........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

 xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000   4500 003c 356a 0000 fe01 760d xxxx xxxx        E..<5j....v...Wb
0x0010   654e 940e 0800 b6b1 0001 0003 5049 4e47        eN..........PING
0x0020   2044 4154 4121 0000 0000 0000 0000 0000        .DATA!..........
0x0030   0000 0000 0000 0000 0000 0000                  ............

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

1 comment(s)
Diary Archives