[Dshield] Communication when emails are being watched

Kenneth Coney superc at visuallink.com
Thu Dec 25 17:04:11 GMT 2003

I thought of that.  Also I was thinking if you arranged your slave PCs in 
tiers of 8 (for redundancy of the message in case one PC somewhere is down) 
you could create a receptor system capable of receiving a binary code.  Yes, 
there was a ping in a certain time range, could equal 1; no, there wasn't, 
could equal 0.  (Or invert?)  That way the existence of the ping itself 
would be the message.  That would enable receipt of complete ASCII (or a 
variant thereof) code.  In short, complete messages.  Simple access to 
firewall logs or similar software from the enslaved PCs (which might not 
even be in the same country as the end reader) would enable reading the 
results.  The time online could be reduced by coming up with a simpler 
code requiring only half of ASCII (i.e., lower case letters and numbers 
only.  Are vowels needed?).  I haven't done the math yet, but I suspect a 
shorter binary code is possible.  Six comes to mind, as that would allow 36 
characters, 26 letters and 0 to 9.  The vulnerable time period would be 
when the end reader was online reading or transmitting the next set of ping 
instructions to the machine configured to send out the pings.  Still, this 
would slide right by our common conception of an IP looking for and buffer 
capturing email text messages.  The pings would probably be viewed as just 
noise to be filtered out or ignored.  Admin access to a large LAN setup 
somewhere (ideally an entire range) on the end user's part would probably be 
the best way of managing a ping reader designed to function in groups of 
six or eight, and would greatly reduce detection risk, as multiple IP addresses 
probably require more resources to monitor, intercept and decrypt.

I would imagine a ping containing a picture would be a large packet.  How 
about one with only one or two words embedded (not necessarily in the 
clear, maybe an anagram?) or a number string to be interpreted?  How much 
bigger than a normal ping would that have to be?  A casual check would only 
show that someone is pinging that particular PC a lot or that a machine seems to 
be infected and is pinging.  Since the end reader would not be the owner or 
registered user of the PC making or receiving the pings, probably no one 
would be watching for message patterns.

Subject: RE: [Dshield] Communication when emails are being watched
From: "DAN MORRILL" <dan_20407 at msn.com>
Date: Wed, 24 Dec 2003 15:13:38 +0000
To: list at dshield.org


You do have support for embedding messages in PING packets.  That has been a 
viable and valid covert channel for years at this point.  They even talked 
about it at a SANS conference that I went to and showed images embedded in 
an ICMP packet that were captured at a honeypot.  So you are not being paranoid at 
all, especially since the channel exists and has been used in the past.

Since the packet though will be larger, you could probably tack on a rule 
that says If ICMP has "Data Payload" > 25 then capture >> largeicmp.log

That might be really interesting to try.
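An added example, not from either post in this thread: Python that models the timing channel Kenneth describes (a ping present in a time slot is a 1, an empty slot a 0, six bits per character over a-z and 0-9, a tier of receiver logs combined by majority vote) alongside Dan's payload-size rule and a timing-regularity check a defender could run on the same logs. The slot length, start time, packet contents, receiver logs and the function names are all assumptions made for the example; nothing is sent on the network.

```python
"""Added illustration of the Dshield thread, not code from the original posts.
A ping-presence timing channel (one bit per time slot) plus two detection
rules.  The 'firewall logs' and ICMP packets below are constructed here."""
import math
import struct
from datetime import datetime, timedelta

# The 36-symbol alphabet from the thread: a-z plus 0-9.  ceil(log2(36)) = 6,
# so six slots carry one character; five bits would give only 32 symbols.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
BITS_PER_SYMBOL = math.ceil(math.log2(len(ALPHABET)))   # 6
SLOT = timedelta(seconds=10)            # assumed slot length, agreed out of band
T0 = datetime(2003, 12, 24, 15, 0, 0)   # assumed start of the transmission


def encode_bits(message):
    """Map each character to BITS_PER_SYMBOL bits, most significant bit first."""
    bits = []
    for ch in message.lower():
        idx = ALPHABET.index(ch)
        bits.extend((idx >> (BITS_PER_SYMBOL - 1 - i)) & 1 for i in range(BITS_PER_SYMBOL))
    return bits


def decode_bits(bits):
    """Inverse of encode_bits; a trailing partial symbol is ignored."""
    chars = []
    for i in range(0, len(bits) - len(bits) % BITS_PER_SYMBOL, BITS_PER_SYMBOL):
        idx = 0
        for b in bits[i:i + BITS_PER_SYMBOL]:
            idx = (idx << 1) | b
        if idx < len(ALPHABET):          # codes 36..63 are unused
            chars.append(ALPHABET[idx])
    return "".join(chars)


def ping_schedule(bits, start=T0, slot=SLOT):
    """Sender: one ping in slot k iff bit k is 1; silence in the slot means 0."""
    return [start + k * slot for k, bit in enumerate(bits) if bit]


def bits_from_log(ping_times, n_slots, start=T0, slot=SLOT):
    """Receiver: rebuild the bits from ping timestamps read out of a firewall log."""
    seen = {(t - start) // slot for t in ping_times}
    return [1 if k in seen else 0 for k in range(n_slots)]


def majority_vote(rows):
    """Tier of receivers: per-slot majority, so a dead or noisy log cannot flip a bit."""
    return [1 if 2 * sum(r[k] for r in rows) > len(rows) else 0 for k in range(len(rows[0]))]


def icmp_data_len(packet):
    """Bytes of data after the 8-byte ICMP echo header (type, code, cksum, id, seq)."""
    return max(0, len(packet) - 8)


def large_icmp(packets, threshold):
    """Size rule from the thread: indexes of echo packets whose data exceeds threshold."""
    return [i for i, p in enumerate(packets) if p[0] in (0, 8) and icmp_data_len(p) > threshold]


def slotted_timing(ping_times, slot=SLOT, min_pings=8):
    """Timing rule: True when every inter-arrival gap is a whole number of slots,
    which a stock ping (one packet per second) does not produce."""
    ts = sorted(ping_times)
    if len(ts) < min_pings:
        return False
    return all((b - a) % slot == timedelta(0) for a, b in zip(ts, ts[1:]))


def run_demo():
    bits = encode_bits("meetat9")            # 7 characters -> 42 slots
    pings = ping_schedule(bits)
    # Constructed logs from a tier of 8 receivers: six see every ping, one is
    # down (empty log), one records a stray ping in slot 5 (a 0-slot of "m").
    logs = [list(pings)] * 6 + [[], pings + [T0 + 5 * SLOT]]
    recovered = decode_bits(majority_vote([bits_from_log(log, len(bits)) for log in logs]))
    # Constructed echo requests (type 8, code 0, checksum left 0, id 1, seq 1)
    # with the data sizes of a stock Linux ping (56), a stock Windows ping (32)
    # and a hypothetical message-carrying ping (200).
    hdr = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    packets = [hdr + b"A" * 56, hdr + b"B" * 32, hdr + bytes(range(200))]
    return {
        "bits": len(bits),
        "recovered": recovered,
        "flag_gt_25": large_icmp(packets, 25),
        "flag_gt_64": large_icmp(packets, 64),
        "covert_timing": slotted_timing(pings),
        "stock_timing": slotted_timing([T0 + timedelta(seconds=i) for i in range(20)]),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two things the demo makes visible when tuning the rules: a stock Linux ping carries 56 data bytes and a stock Windows ping 32, so a "data payload > 25" rule captures every ordinary echo request, which is why the same packets are also run against a 64-byte threshold; and the timing rule only catches the clean slotted schedule built here, since the example does not model the jitter and clock skew a real receiver would have to tolerate.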
