Security Incidents mailing list archives

Re: Odd windows ICMP... any ideas what this is?


From: Mika Boström <bostik () lut fi>
Date: Mon, 9 Jun 2003 22:52:54 +0300

On Mon, 09 Jun 2003, ted klugman wrote:
> Our IDS has been reporting some large ICMP packets on
> our internal network. Our internal network is a
> Windows2000 domain -- servers and clients.
>
> - Packet size is always 2090 bytes
> - Almost always sent from a client or member server to
> one of the two boxes running Active Directory
> - The ping payload itself is actually a JPEG of the
> Microsoft logo. This JPEG can actually be found inside
> userenv.dll.
>
> I googled for any details, and I see that others have
> run into this before. However, there were no answers,
> just questions. See these two links for identical
> packets:
>
> http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
>
> http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html

  Sorry for the lengthy quote. I remember seeing that debian-security
thread when it appeared. Somewhat further down the thread there was a
third URL given, with not much new information but just unanswered
questions - much like you have noticed.

  <URL: http://www.wfu.edu/~steinsj5/work/icmp.html>

> Anyone else seen these? Any idea what's causing them?
> Is this 'normal' behavior on a W2K network?

  Considering that this is, if somewhat hazily, documented behaviour 
one would be tempted to say it is indeed 'normal.'

  I'm far from being any kind of authority but I have my personal guess.
Apparently w32 boxes ping their domain controller regularly. Not all of
the packets contain the encapsulated image data, so whoever wrote this,
wanted the behaviour to be at least somewhat inconsistent. My guess is
that the programmer or programmers in question had some extra time and
inserted an easter egg.

  If these funny packets are indeed part of a license tracking mechanism,
perhaps the combined effort of blocking oversized pings and then
profiling the ICMP traffic immediately afterwards would help to provide
some kind of answer? I can imagine four things happening.

  1. Nothing, the packets would be considered lost. (I don't know what
  the timeouts for not successfully pinging domain controller might be.)

  2. Some kind of log event implicating that these packets are indeed
  expected part of the protocol.

  3. A resend with a regular ping, which in turn would show that some
  extra thought had been used. Quite likely to accommodate normal
  network functionality even with stricter traffic policies.

  4. A resend with image-ping. This oversized ping is part of the
  protocol, or the author(s) for some reason expect a reply to specific
  ICMP messages.

  Anyone care to test and document the behaviour? (I don't have access
to network setups where these could be verified.)

-- 
 Mika Boström      +358-50-410-9042  \-/  "The Hell is empty,
 Bostik () lut fi    www.lut.fi/~bostik  X    and all the devils
 Security freak, and proud of it.    /-\   are here." -W.S.

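The profiling step Mika proposes (block the oversized pings, then watch what ICMP traffic follows) needs a way to tell the 2090-byte image pings apart from ordinary echo traffic and to tally who sends them to whom. The script below is an added example written for this archive page; it is not code from either poster. It parses raw IPv4/ICMP datagrams, flags echo requests that exceed an assumed 1500-byte threshold and whose payload begins with the JPEG start-of-image marker (FF D8 FF), and builds a per-(source, destination, class) count. The addresses, the threshold and the sample datagrams are constructed for the example; only the 2090-byte size comes from the original post.

```python
import struct
from collections import Counter

# Constants for this example. The threshold and addresses are assumptions;
# 2090 is the datagram size reported in the original post.
JPEG_SOI = b"\xff\xd8\xff"      # every JPEG stream opens with the SOI marker FF D8 followed by a marker byte
OVERSIZED_THRESHOLD = 1500      # anything above a standard Ethernet MTU is treated as "oversized"
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
REPORTED_SIZE = 2090
DC = "10.0.0.10"                # constructed address standing in for a domain controller


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def inet_checksum(data):
    """One's-complement checksum used by IPv4 and ICMP headers (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(src, dst, payload, icmp_type=ICMP_ECHO_REQUEST, ident=0x0200, seq=1):
    """Construct an IPv4 datagram carrying one ICMP echo (test input only)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 128, 1, 0,
                         _ip(src), _ip(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse(datagram):
    """Return the fields the profiler needs, or None if this is not a well-formed ICMP datagram."""
    if len(datagram) < 28 or (datagram[0] >> 4) != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    total_len = struct.unpack("!H", datagram[2:4])[0]
    if datagram[9] != 1 or total_len != len(datagram):
        return None
    src = ".".join(map(str, datagram[12:16]))
    dst = ".".join(map(str, datagram[16:20]))
    icmp = datagram[ihl:]
    return {"src": src, "dst": dst, "len": total_len, "type": icmp[0],
            "payload": icmp[8:], "checksum_ok": inet_checksum(icmp) == 0}


def classify(info):
    """Label a parsed datagram; oversized echoes carrying a JPEG get their own class."""
    if info is None:
        return "non-icmp"
    if info["type"] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "other-icmp"
    kind = "echo-request" if info["type"] == ICMP_ECHO_REQUEST else "echo-reply"
    if info["len"] > OVERSIZED_THRESHOLD:
        kind = "oversized-" + kind
        if info["payload"].startswith(JPEG_SOI):
            kind += "-jpeg"
    return kind


def profile(datagrams):
    """Count datagrams per (source, destination, class); this is the before/after baseline."""
    counts = Counter()
    for datagram in datagrams:
        info = parse(datagram)
        key = ("?", "?") if info is None else (info["src"], info["dst"])
        counts[key + (classify(info),)] += 1
    return counts


# Constructed sample traffic: two image pings to the DC, one normal ping, one reply.
JPEG_PAYLOAD = JPEG_SOI + b"\xe0" + b"\x00" * (REPORTED_SIZE - 20 - 8 - 4)
SAMPLE = [
    build_echo("10.0.0.21", DC, JPEG_PAYLOAD),
    build_echo("10.0.0.22", DC, JPEG_PAYLOAD),
    build_echo("10.0.0.21", DC, b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_echo(DC, "10.0.0.21", b"abcdefghijklmnopqrstuvwabcdefghi", ICMP_ECHO_REPLY),
]

if __name__ == "__main__":
    for (src, dst, kind), n in sorted(profile(SAMPLE).items()):
        print("%-10s -> %-10s %-30s %d" % (src, dst, kind, n))
```

Run the same profiler over a capture taken before the oversized pings are blocked and over one taken afterwards; a rise in plain `echo-request` entries from the same clients would point at outcome 3 in the list above, while repeated `oversized-echo-request-jpeg` entries would point at outcome 4. Note that a 2090-byte datagram is fragmented on Ethernet, so the parser expects reassembled datagrams, as an IDS would report them.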