[Dshield] Communication when emails are being watched

DAN MORRILL dan_20407 at msn.com
Fri Dec 26 14:26:23 GMT 2003

so what we can do is take one of the unassigned ICMP code types

Type    Name                                    Reference
----    ----------------------------------      ---------------
0       Echo Reply                              [RFC792]
1       Unassigned                              [JBP]
2       Unassigned                              [JBP]
3       Destination Unreachable                 [RFC792]
4       Source Quench                           [RFC792]
5       Redirect                                [RFC792]
6       Alternate Host Address                  [JBP]
7       Unassigned                              [JBP]
8       Echo                                    [RFC792]
9       Router Advertisement                    [RFC1256]
10      Router Solicitation                     [RFC1256]
11      Time Exceeded                           [RFC792]
12      Parameter Problem                       [RFC792]
13      Timestamp                               [RFC792]
14      Timestamp Reply                         [RFC792]
15      Information Request                     [RFC792]
16      Information Reply                       [RFC792]
17      Address Mask Request                    [RFC950]
18      Address Mask Reply                      [RFC950]
19      Reserved (for Security)                 [Solo]
20-29   Reserved (for Robustness Experiment)    [ZSu]
30      Traceroute                              [RFC1393]
31      Datagram Conversion Error               [RFC1475]
32      Mobile Host Redirect                    [David Johnson]
33      IPv6 Where-Are-You                      [Bill Simpson]
34      IPv6 I-Am-Here                          [Bill Simpson]
35      Mobile Registration Request             [Bill Simpson]
36      Mobile Registration Reply               [Bill Simpson]
37      Domain Name Request                     [RFC1788]
38      Domain Name Reply                       [RFC1788]
39      SKIP                                    [Markson]
40      Photuris                                [RFC2521]
41-255  Reserved                                [JBP]

either 7 or anything that does not trigger an IDS but means something to a 
program that would be written to track the follow-on packet, or look for 
type 40 + data, or type 7 + data. Would be easier to write a program to 
either track a reserved or unassigned ICMP type and either look at the 
follow-on packet or within the unassigned packet for data.

That would make the covert channel not too bad.

Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those; it does not mean that the mail box is bad, 
merely that MSN mail is overworked at the time.

Otherwise, hope things are going well.

>From: Kenneth Coney <superc at visuallink.com>
>Reply-To: General DShield Discussion List <list at dshield.org>
>To: list at dshield.org
>Subject: Re:  [Dshield] Communication when emails are being watched
>Date: Thu, 25 Dec 2003 12:04:11 -0500
>I thought of that.  Also I was thinking if you arranged your slave PCs in 
>tiers of 8 (for redundancy of the message in case one PC somewhere is down) 
>you could create a receptor system capable of receiving a binary code.  Yes 
>there was a ping in a certain time range could equal 1, no there wasn't 
>could equal 0.  (Or invert?)  That way the existence of the ping itself 
>would be the message.  That would enable receipt of complete ASCII (or a 
>variant thereof) code.  In short, complete messages.  Simple access to 
>firewall logs or a similar software from the enslaved PCs (which might not 
>even be in the same country as the end reader) would enable reading the 
>results.  The time online could be reduced by coming up with a simpler 
>code requiring only half of ASCII (i.e., lower case letters and numbers 
>only.  Are vowels needed?).  I haven't done the math yet, but I suspect a 
>shorter binary code is possible.  Six comes to mind as that would allow 36 
>characters, 26 letters and 0 to 9.  The vulnerable time period would be 
>when the end reader was online reading or transmitting the next set of ping 
>instructions to the machine configured to send out the pings.  Still this 
>would slide right by our common conception of an IP looking for and buffer 
>capturing email text messages.  The pings would probably be viewed as just 
>noise to be filtered out or ignored.  Admin access to a large LAN setup 
>somewhere (ideally an entire range) on the end user's part would probably be 
>the best way of managing a ping reader designed to function in groups of 
>six or eight and greatly reduce detection risk, as multiple IP addresses 
>probably require more resources to monitor, intercept and decrypt.
>I would imagine a ping containing a picture would be a large packet.  How 
>about one with only one or two words embedded (not necessarily in the 
>clear, maybe an anagram?) or a number string to be interpreted?  How much 
>bigger than a normal ping would that have to be?  A casual check would only 
>show someone is pinging that particular PC a lot or that a machine seems to 
>be infected and is pinging.  Since the end reader would not be the owner or 
>registered user of the PC making or receiving the pings probably no one 
>would be watching for message patterns.
>Subject: RE: [Dshield] Communication when emails are being watched
>From: "DAN MORRILL" <dan_20407 at msn.com>
>Date: Wed, 24 Dec 2003 15:13:38 +0000
>To: list at dshield.org
>You do have support for embedding messages in PING packets. That has been a 
>viable and valid covert channel for years at this point. They even talked 
>about it at a SANS conference that I went to and showed images embedded in 
>an ICMP packet that were captured at a honey pot. So not being paranoid at 
>all, especially since the channel exists, and has been used in the past.
>Since the packet though will be larger, you could probably tack on a rule 
>that says If ICMP has "Data Payload" > 25 then capture >> largeicmp.log
>That might be really interesting to try.

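The thread twice sketches a detection rule for this kind of channel: flag ICMP messages whose type is unassigned or reserved in the IANA table above, and flag any ICMP message whose data payload is larger than about 25 bytes (Dan's "If ICMP has 'Data Payload' > 25 then capture" rule). The following is an added example, written for this page and not code from the list or from either poster, of what such a checker looks like over raw ICMP messages. It assumes the IP header has already been stripped, uses the 25-byte threshold from the thread as its default, and builds its own constructed sample packets (the `build_icmp` helper and the hypothetical identifier/sequence values are mine, not from the page).

```python
"""Flag ICMP messages that look like covert-channel candidates (added example).

Assumes each input is a bare ICMP message (IPv4 header already removed).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Type numbers the IANA excerpt on the page marks Unassigned or Reserved.
UNASSIGNED_TYPES = {1, 2, 7}
RESERVED_TYPES = {19} | set(range(20, 30)) | set(range(41, 256))

# Payload size threshold taken from the thread ("Data Payload" > 25).
PAYLOAD_THRESHOLD = 25


@dataclass(frozen=True)
class IcmpFinding:
    icmp_type: int
    icmp_code: int
    payload_len: int
    reasons: Tuple[str, ...]


def icmp_checksum(data: bytes) -> int:
    """RFC 792 ones'-complement checksum over the whole message.

    Over a message whose checksum field is already filled in, a valid
    message yields 0.
    """
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes) -> bytes:
    """Construct a sample ICMP message with a correct checksum.

    Identifier 0x1234 and sequence 1 are arbitrary constructed values.
    """
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, 0x1234, 1) + payload


def inspect_icmp(packet: bytes,
                 threshold: int = PAYLOAD_THRESHOLD) -> Optional[IcmpFinding]:
    """Return a finding for a suspicious ICMP message, or None if it is unremarkable."""
    if len(packet) < 8:
        return None  # too short to carry an ICMP header at all
    icmp_type, code = packet[0], packet[1]
    payload = packet[8:]  # everything after the 8-byte header
    reasons = []
    if icmp_checksum(packet) != 0:
        reasons.append("bad checksum")
    if icmp_type in UNASSIGNED_TYPES:
        reasons.append("unassigned type")
    elif icmp_type in RESERVED_TYPES:
        reasons.append("reserved type")
    if len(payload) > threshold:
        reasons.append("oversized payload")
    if not reasons:
        return None
    return IcmpFinding(icmp_type, code, len(payload), tuple(reasons))


def scan(packets: List[bytes]) -> List[IcmpFinding]:
    """Run inspect_icmp over a capture and keep only the hits."""
    return [f for f in map(inspect_icmp, packets) if f is not None]


if __name__ == "__main__":
    # Constructed sample traffic: one ordinary echo, one type-7 probe,
    # and one Photuris (type 40) message padded with data, as in the thread.
    sample = [
        build_icmp(8, 0, b"A" * 16),
        build_icmp(7, 0, b"hi"),
        build_icmp(40, 0, b"B" * 64),
    ]
    for finding in scan(sample):
        print(finding)
```

Type 40 is an assigned type, so it is reported only for its oversized payload; a type-7 message is reported by type alone even with a tiny payload, which is the case the thread expects to slip past a signature-based IDS. The threshold is deliberately a parameter: legitimate echo requests from common ping implementations carry payloads well above 25 bytes, so in practice it needs tuning against a baseline of the network's normal ICMP sizes.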
