Odd ICMP Echo Request Payload
Update^2:
We now got confirmation that these packets are related to NVidia driver updates. One reader send us a complete capture, and also see the comments to this story below.
Here is a summary of the complete packet capture:
1 - DNS lookup for gfe.nvidia.com (returns 8.36.113.132)
2 - DNS lookup for download.gfe.nvidia.com (returns 8.36.113.133)
3 - HTTP GET for download.gfe.nvidia.com/packages/DAO/production/1234567/0.dat (I obfuscated the full URL)
0.dat is a signed Windows executable
After it finished, the update software will send the three pings that were observed. One reader also submitted a comment to this post (see below) pointing out that the ICMP payload string can be found in the NVidia updater binary.
Thanks all for your help solving this!!
Update:
Our reader Jim sent in an interesting comment. Apparently, this traffic may be related to NVidia in some way. Many of the destination addresses are related to NVidia. In our example below, only one IP fits that description: 83.150.122.97 - Nvidia Helsinki DSL . But other IP addresses reported also point to NVidia.
There is also a discussion at https://forums.geforce.com/default/topic/534267/covert-channel-exploit-in-icmp-packet about packets that may match this event.
---------
Thanks to Donald for sending us a couple of interesting ICMP echo requests. They are coming from a machine that is having "issues" (problems staying live on the network, credentialed nessus scans are unable to connect).
The ICMP echo requests being sent from the host contain the payload "PING DATA!" , nothing else of interest in the packets. They go out to various hosts. (see below for details).
Has anybody seen these before? They seems "familiar", but I can't point to the exact tool right now...
xxx.xxx.xx.xx > 83.150.122.97: icmp: echo request
0x0000 4500 003c 211d 0000 fe01 b5bf xxxx xxxx E..<!.........Wb
0x0010 5396 7a61 0800 b6b3 0001 0001 5049 4e47 S.za........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
xxx.xxx.xx.xx > 90.83.94.114: icmp: echo request
0x0000 4500 003c 3508 0000 fe01 b706 xxxx xxxx E..<5.........Wb
0x0010 5a53 5e72 0800 b6b2 0001 0002 5049 4e47 ZS^r........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
xxx.xxx.xx.xx > 101.78.148.14: icmp: echo request
0x0000 4500 003c 356a 0000 fe01 760d xxxx xxxx E..<5j....v...Wb
0x0010 654e 940e 0800 b6b1 0001 0003 5049 4e47 eN..........PING
0x0020 2044 4154 4121 0000 0000 0000 0000 0000 .DATA!..........
0x0030 0000 0000 0000 0000 0000 0000 ............
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
C:\Program Files (x86)\NVIDIA Corporation\NetService>strings NvNetworkService.exe | find /n /i "PING DATA"
[14246]PING DATA!
I can "force it" by launching the nvidia update program.
Anonymous
Feb 5th 2014
1 decade ago