[Dshield] Communication when emails are being watched

DAN MORRILL dan_20407 at msn.com
Wed Dec 24 15:13:38 GMT 2003


You do have support for embedding messages in PING packets. That has been a 
viable and valid covert channel for years at this point. They even talked 
about it at a SANS conference that I went to and showed images embedded in 
an ICMP packet that were captured at a honey pot. So not being paranoid at 
all, especially since the channel exists, and has been used in the past.

Since the packet though will be larger, you could probably tack on a rule 
that says If ICMP has "Data Payload" > 25 then capture >> largeicmp.log

That might be really interesting to try.

Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those, it does not mean that the mail box is bad, 
merely that MSN mail is overworked at the time.

Otherwise, hope things are going well.

>From: Kenneth Coney <superc at visuallink.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: list at dshield.org
>Subject: [Dshield] Communication when emails are being watched
>Date: Wed, 24 Dec 2003 07:44:47 -0500
>Just total paranoid speculation on my part, but if I was in a group like Al 
>Qaida and the FBI and similar groups had installed something like 
>Carnivore, and all my people were being hunted, would I still use Hotmail, 
>now that it was being watched?  No.  Would I abandon the Internet as either 
>a target, or a means of communication?  No.  I would look for, and write a 
>virus like Nachia or something that floods the Internet with pings then 
>release it.  The first good result (from that perspective) would be an 
>increase in system wide noise and decreased resources.  After a few weeks, 
>another result would be everyone would be ignoring pings.  I would then use 
>pings from slave PCs to prearranged IP addresses as the actual 
>communication.  A dozen ways of accomplishing that come to mind, ranging 
>from -three pings from this address on this day mean X.., to -check the 
>packet for ZZ which will mean...  Different pings from different PCs could 
>carry different parts of a message.  Fairly complex messages could thus be 
>sent.  Really hard to detect as it would all seem to just be another 
>series of "random" pings.

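A minimal form of the "ICMP data payload > 25, log it" rule discussed above, added here as example code (not from the list thread): it parses raw IPv4/ICMP packets, reports those whose echo payload exceeds a threshold, and runs on constructed sample packets. It assumes raw IPv4 with no link-layer header and treats the 25-byte threshold as a parameter; note that default ping payloads (56 bytes on Linux, 32 on Windows) already exceed 25, so a deployed rule needs a per-environment baseline.

```python
import struct

ICMP_ECHO_REQUEST = 8


def build_ipv4_icmp(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
                    src: str = "10.0.0.1", dst: str = "10.0.0.2") -> bytes:
    """Constructed sample packet: 20-byte IPv4 header (no options) + ICMP echo header + payload."""
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)  # type, code, cksum, id, seq
    total_len = 20 + len(icmp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return ip_hdr + icmp_hdr + payload


def icmp_payload(packet: bytes):
    """Return (icmp_type, payload) for a raw IPv4 packet carrying ICMP, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # header length in bytes
    if packet[9] != 1:                        # IP protocol 1 = ICMP
        return None
    end = min(struct.unpack("!H", packet[2:4])[0], len(packet))
    if end < ihl + 8:                         # too short for an ICMP header
        return None
    icmp = packet[ihl:end]
    return icmp[0], icmp[8:]


def find_large_icmp(packets, threshold: int = 25):
    """Return (index, icmp_type, payload_len) for each ICMP packet over the threshold."""
    hits = []
    for i, pkt in enumerate(packets):
        parsed = icmp_payload(pkt)
        if parsed is None:
            continue
        icmp_type, payload = parsed
        if len(payload) > threshold:
            hits.append((i, icmp_type, len(payload)))
    return hits


def format_hits(hits):
    """Log lines in the spirit of 'capture >> largeicmp.log'."""
    return [f"largeicmp: packet {i} icmp_type={t} payload={n} bytes" for i, t, n in hits]


# Constructed samples: a tiny probe, a Linux-default-sized ping, and an oversized payload.
SAMPLE_PACKETS = [
    build_ipv4_icmp(b"A" * 8),
    build_ipv4_icmp(bytes(range(56))),
    build_ipv4_icmp(b"x" * 200),
]

if __name__ == "__main__":
    for line in format_hits(find_large_icmp(SAMPLE_PACKETS)):
        print(line)
```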
