Full Disclosure mailing list archives

RE: Re: ICMP DestinationUnreachable Port Unreachable


From: "Fetch, Brandon" <BFetch () texpac com>
Date: Wed, 16 Aug 2006 17:40:39 -0400

Isn't there a new Trojan that's using ICMP to send back its pilfered
data?  It's encrypted (if I remember correctly) so no clear-text reading
of what's sent and that may explain why you're seeing the random data.

The padding of the same characters in individual packets may designate
start/stop points in the transmission segments.

Just my $.02...

Brandon

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk
[mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Adriel
T. Desautels
Sent: Wednesday, August 16, 2006 10:30 AM
To: Adriel T. Desautels
Cc: full-disclosure () lists grok org uk; Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Re: ICMP DestinationUnreachable Port
Unreachable

Also,
    I failed to mention that they came in bursts of 3 every 5 minutes on
the dot.

Adriel T. Desautels wrote:
Well,
    After over 100,000 alerts each with very different payloads the
traffic stopped. I do have a list of all of the dropped packets from my
firewall as well and it appears that it was hitting 3 IP addresses which
are public facing, not just one. The weird part is that two of those
three aren't even live. So I think that this may have been noise from a
different attack...

    I'd be very interested in decoding the payloads for some of these.
Anyone here have any tools to do such a decode? I'd rather not do it
manually if at all possible.

Valdis.Kletnieks () vt edu wrote:

On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:

Although the port 0 in this case is a red herring and irrelevant. Port 0
itself when used with TCP/UDP (not ICMP!) can actually be used on the
Internet. A while back I modified netcat and my linux kernel so that it
would allow usage of port 0 and was able to connect to a remote machine
via TCP with that port and communicate fine.

Of course, the poor security geek who sees a TCP SYN from port 0 to
port 0, and then a SYN+ACK reply back, will be going WTF??!? for the rest
of the day. :)

(Another good one to induce head-scratching is anything that does
RFC1644-style T/TCP.  Anytime you see a packet go by in one direction
with SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data on
it... ;)

------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
-- 

Regards, 
    Adriel T. Desautels
    SNOsoft Research Team
    Office: 617-924-4510 || Mobile : 857-636-8882

    ----------------------------------------------
    Vulnerability Research and Exploit Development
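A defender-side triage script for the symptoms this thread describes: ICMP
port-unreachable packets whose payloads look random (as an encrypted blob
would), identical-byte padding at the ends of each payload, several public
destinations, and bursts arriving at a fixed interval. This is an added
example, not code from the thread or from any of the posters. The firewall
log line format, the TEST-NET destination addresses, the deterministic
payload generator standing in for encrypted data, and the entropy and
padding thresholds are all constructed for the example; the script compares
payload entropy against the maximum a payload of that length could reach,
measures the identical-byte runs at each end, clusters timestamps into
bursts, and reports whether the burst starts are evenly spaced.

```python
import math
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# --- constructed sample data (hypothetical, not from the thread) -------------
T0 = datetime(2006, 8, 16, 10, 0, 0)
DESTS = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]  # TEST-NET addresses


def _opaque(seed: int, n: int = 48) -> bytes:
    """Deterministic stand-in for an encrypted blob: a slice of a byte
    permutation, so every byte in the block is distinct (maximal entropy
    for its length). 37 is coprime to 256, hence no repeats within 256."""
    return bytes((i * 37 + seed) % 256 for i in range(n))


def _padded(seed: int) -> bytes:
    """Opaque block framed by runs of one byte, like the padding noted above."""
    return b"\x41" * 8 + _opaque(seed) + b"\x41" * 8


# Three bursts of three packets, five minutes apart, one packet per destination.
_SCHEDULE = [(0, 0.0), (0, 0.4), (0, 0.9),
             (300, 0.0), (300, 0.3), (300, 1.1),
             (600, 0.0), (600, 0.5), (600, 0.8)]
SAMPLE_LOG = [
    "%s DROP ICMP type=3 code=3 dst=%s payload=%s" % (
        (T0 + timedelta(seconds=base + frac)).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3],
        DESTS[k % 3], _padded(k).hex())
    for k, (base, frac) in enumerate(_SCHEDULE)
]

# Hypothetical firewall drop-log format used by the sample above.
LINE_RE = re.compile(r"^(\S+ \S+) DROP ICMP type=(\d+) code=(\d+) "
                     r"dst=(\S+) payload=([0-9a-fA-F]*)$")


def parse_log(lines) -> List[dict]:
    """Parse log lines into events; lines in another format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"),
            "type": int(m.group(2)), "code": int(m.group(3)),
            "dst": m.group(4), "payload": bytes.fromhex(m.group(5)),
        })
    return events


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_ratio(data: bytes) -> float:
    """Entropy relative to the maximum a payload of this length could reach:
    a 48-byte payload cannot show 8 bits/byte, so compare against log2(len)."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / min(8.0, math.log2(len(data)))


def padding_runs(data: bytes) -> Tuple[int, int]:
    """Lengths of the identical-byte runs at the start and end of the payload."""
    if not data:
        return (0, 0)
    lead = 1
    while lead < len(data) and data[lead] == data[0]:
        lead += 1
    trail = 1
    while trail < len(data) and data[-1 - trail] == data[-1]:
        trail += 1
    return (lead, trail)


def group_bursts(timestamps, max_gap: float = 2.0) -> List[Tuple[datetime, int]]:
    """Cluster timestamps into bursts: a new burst starts whenever the gap from
    the previous packet exceeds max_gap seconds. Returns [(burst_start, count)]."""
    bursts, last = [], None
    for ts in sorted(timestamps):
        if last is not None and (ts - last).total_seconds() <= max_gap:
            bursts[-1] = (bursts[-1][0], bursts[-1][1] + 1)
        else:
            bursts.append((ts, 1))
        last = ts
    return bursts


def burst_period(bursts, tolerance: float = 5.0) -> Optional[float]:
    """Mean interval between burst starts if all intervals agree within
    tolerance seconds (needs at least three bursts), else None."""
    if len(bursts) < 3:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
    if max(gaps) - min(gaps) > tolerance:
        return None
    return sum(gaps) / len(gaps)


def analyze(lines, entropy_threshold: float = 0.75, min_pad: int = 4) -> dict:
    """Summarise a batch of ICMP drop-log lines; thresholds are tunable guesses."""
    events = parse_log(lines)
    payloads = [e["payload"] for e in events]
    bursts = group_bursts(e["ts"] for e in events)
    return {
        "events": len(events),
        "destinations": len({e["dst"] for e in events}),
        "high_entropy": sum(entropy_ratio(p) >= entropy_threshold for p in payloads),
        "padded": sum(max(padding_runs(p)) >= min_pad for p in payloads),
        "bursts": bursts,
        "period_seconds": burst_period(bursts),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print("%-15s %s" % (key, value))
```

On the constructed sample every payload scores 5.0 bits/byte against a
6.0-bit ceiling for 64 bytes, carries 8-byte runs at both ends, and the
three bursts start exactly 300 seconds apart; on real drop logs, a batch
with a clean period and uniformly high-entropy payloads is worth pulling
full packet captures for, while plain text echoes or quoted IP headers
score far lower on both counts.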
