New Pingback Malware Using ICMP Tunneling to Evade C&C Detection

Scientists on Tuesday disclosed a novel malware that works by using a wide variety of tips to stay less than the radar and evade detection, even though stealthily able of executing arbitrary commands on infected programs.

Referred to as ‘Pingback,’ the Home windows malware leverages World wide web Handle Message Protocol (ICMP) tunneling for covert bot communications, letting the adversary to make the most of ICMP packets to piggyback attack code, in accordance to an investigation published currently by Trustwave.

password auditor

Pingback (“oci.dll”) achieves this by acquiring loaded by way of a reputable support identified as MSDTC (Microsoft Dispersed Transaction Coordinator) — a element accountable for managing database operations that are dispersed more than multiple machines — by having advantage of a method referred to as DLL research get hijacking, which consists of applying a genuine software to preload a destructive DLL file.

Naming the malware as one particular of the plugins needed for supporting Oracle ODBC interface in MSDTC is crucial to the assault, the scientists pointed out. Although MSDTC is not configured to run immediately on startup, a VirusTotal sample submitted in July 2020 was found to put in the DLL file into the Home windows Procedure listing and get started the MSDTC support to attain persistence, boosting the likelihood that a different executable is essential to putting in the malware.


Upon prosperous execution, Pingback resorts to making use of the ICMP protocol for its main interaction. ICMP is a community layer protocol generally employed for sending error messages and operational information and facts, say, a failure warn when a further host results in being unreachable.

Precisely, Pingback requires advantage of an Echo request (ICMP concept kind 8), with the information sequence numbers 1234, 1235, and 1236 denoting the type of facts contained in the packet — 1234 remaining a command or info, and 1235 and 1236 remaining the acknowledgment for receipt of details on the other close. Some of the instructions supported by the malware include the ability to run arbitrary shell instructions, down load and upload data files from and to the attacker’s host, and execute malicious commands on the infected device.

An investigation into the malware’s original intrusion route is ongoing.

“ICMP tunneling is not new, but this specific sample piqued our curiosity as a serious-world illustration of malware applying this method to evade detection,” the researchers stated. “ICMP is useful for diagnostics and performance of IP connections, [but] it can also be misused by malicious actors to scan and map a target’s community environment. When we are not suggesting that ICMP should really be disabled, we do counsel placing in position monitoring to assist detect such covert communications over ICMP.”

Fibo Quantum