Malware uses ICMP tunnel for backdoor communication

According to researchers at Trustwave, a threat group is a rarely used method to exploit legitimate Windows services, detect and install malware.

Dubbing Pingback, researchers report that malware gains persistence through a DLL hijacker, then establishes a backdoor connection using ICMP (Internet Control Message Protocol) to establish a backdoor.

Neither strategy is new, but Trustwave warns InfoSec professionals to monitor ICPM to help detect clandestine communications.

The report states, "ICMP is useful for diagnostics and the performance of IP connections in the real world, so it should not be disabled." But the communication that uses it has to be seen.

A TrustWave spokesperson told ITWorldCanada that several tools are available to monitor their network activity.

"It can be as simple as installing a perimeter firewall to log and alert on ICMP activity, or to use the built-in capabilities of your network router to track traffic with Netflow," he said.

Network intrusion detection software can also be used to monitor specific malicious activity.

The attack starts with a DLL (Dynamic Link Library) hijacking. This involves using a valid application to preload a malicious DLL file. Attackers typically misuse the Windows DLL search order and take advantage of it to report a valid DLL file to be loaded instead of a valid one.

Typically, DLL files are loaded via rundll32.exe via the Windows service. In the case of pingback, a malicious DLL file named oci.dll (pingback) was somehow indirectly loaded via a valid service called msdtc (Microsoft Distributed Transaction Coordinator). The service coordinates transactions spanning multiple machines, such as databases, message queues, and file systems.

The file oci.dll is the name of a valid Oracle DLL file. Researchers control an attacker with system privileges that can drop this malicious DLL and this can be saved by using a library loaded Windows DLL to support the Oracle database.

Graphic from Trustwave Report

This graphic from Trustwave shows how a malicious DLL will appear. Source: Trustwave

The MSDTC service, by default, does not run during start-up, the researchers noted. To remain persistent, the service needs to be configured to start automatically, so the attacker will need system privileges to reconfigure the msdtc startup type. This can be done manually using SC commands, through malicious scripts, or through a malware installer.

"Our theory is that a different executable installed this malware," the researchers write.

After a bit of hunting, they found an agreement with a similar sample in VirusTotal, which installs oci.dll in the Windows system directory and then sets the msdtc service to start automatically.

Pingback malware then uses the ICMP protocol for its key communications, hidden from the user as ports cannot be listed by NetStat. It is a command-line network utility that displays network connections for transmission control protocol (TCP), routing tables, and other functions.

Pingback supports several commands: creating a shell, opening a socket on a specified port an attacker can use to upload / download data and execute a command on an infected host.

The malware does not get into the network through ICMP, the researchers emphasized. Instead, it exploits ICMP for secret bot communications. "The initial entry vector is still being investigated."