Tuesday, August 08, 2006

Decrypting XORed ICMP Packets

This morning, WebSense issued an alert about a new trojan that uses ICMP packets to send banking data back to the controller's collection site. As far as I can tell, it registers as a browser helper object (BHO) with IE, then waits for you to go to any of a predefined list of banking site login pages. When you submit your authentication data, it sends a copy back to the attacker via ICMP.

This is new in a mass-market trojan, but the technique has been known for some time (google loki ICMP to see some early work on ICMP tunnels). The interesting part is that WebSense posted a sample packet in both encrypted and decrypted form (minus a few bytes that contained personally identifiable information about the victim).

Just for fun, I decided to find the decryption key. For your reference, here is the key used to encrypt the WebSense sample packet:


60 31 75 70 73 a0 a9 91 d7 c4 09 7b 78 e9 b3 8e
89 8b 5f 6d 6f 6a 2b 53 48 54 5c b9 2c 36 63 04
d3 1a 58 02 fa e7 d9 17 3f da db 41 bb f7 b3 83
86 83 4e 20 7f 6d 79 07 8c 10 56 01 f6 23 d1 1a
e0 5d XX XX XX bc 3e 13 1b 0f 01 4d bd 9f b8 92
9e 8b 7e 22 XX XX XX XX XX XX XX b7 ca f4 eb f0
c7 e2 08 f5 05 e5 a4 85 87 82 f6 6e 54 3f XX XX
XX XX XX f8 e6 e1 8b 90 83 8b 82 98 6d 73 60 47
92 90 9c 7f 68 6a 7c 42 52 53 42 2f 34 37 37 04
1d 72 68 ab 93 98 a5 97 97 94 98 fc e2 e9 e4 d3
2a c6 da 34 54 40 5c 1c c2 04 06 67 15 a4 a0 98
9a 1c bd 5c 71 6e b2 a2 e2 1c 49 3f 2c d7 f5 0e
1f 5f c1 ea fc ed 10 24 cc d7 dc fe 90 ab a0 9b
53 75 89 6a 2c 45 74 5f 5a 96 a5 3f 28 60 2c 00
17 36 d1 f1 e9 eb 0b c1 85 95 9d e5 f7 12 34 0c
59 56 5a a0 b3 65 64 55 56 56 03 78 0a 6d 1a fc
f0 d5 9a 41 57 4b 52 5a 36 4f 3d 66 77 54 7e 6a
90 cf b8 41 3e 34 ff e5 f3 cb de b2 eb f3 e9 cf
c2 0d 1c ee ab cb e4 de 8c 65 63 a1 bd 77 69 69
8e 92 86 6f 82 60 26 54 4c 4a 53 da 56 4a 47 6f
4f d2 a4 25 00 00

The XX bytes are the ones for which the plaintext was obscured, so I couldn't easily recover those portions of the key with just the single sample packet.

Bonus points to the first reader who posts code to verify this. It's pretty simple, but a fun etude for security folks. Extra bonus points if you can confirm that all packets use the same key and/or find missing key bytes that weren't available in the sample packet. What are you waiting for?
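Here is one way to do the recovery step, as an added example in Python rather than code from the post or from WebSense. The WebSense packet itself is not reproduced: the two plaintexts are constructed, and the 32-byte key is just the first two rows of the key listed above, reused so the recovered output is recognisable. Since the payload is XORed, each key byte is simply ciphertext XOR plaintext, and a redacted plaintext byte leaves a hole in the key. A second packet encrypted under the same key can fill holes the first one could not, and any disagreement on a byte known in both is proof that the key is not fixed.

```python
"""Known-plaintext recovery of an XOR key (added example, not the post's code).

The ciphertext is not the WebSense packet: PT1/PT2 are constructed, and the
32-byte key is the first two rows of the key listed in the post.
"""

UNKNOWN = None  # plaintext/key byte that is not available (redacted)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a key of equal length (the trojan's 'encryption')."""
    if len(data) != len(key):
        raise ValueError("data and key lengths differ")
    return bytes(d ^ k for d, k in zip(data, key))


def redact(plaintext: bytes, start: int, end: int) -> list:
    """Model a published sample with bytes [start, end) obscured."""
    return [UNKNOWN if start <= i < end else b for i, b in enumerate(plaintext)]


def recover_key(ciphertext: bytes, known_plaintext: list) -> list:
    """key[i] = c[i] ^ p[i]; UNKNOWN wherever the plaintext byte was obscured."""
    if len(ciphertext) != len(known_plaintext):
        raise ValueError("ciphertext and plaintext lengths differ")
    return [UNKNOWN if p is UNKNOWN else c ^ p
            for c, p in zip(ciphertext, known_plaintext)]


def merge_keys(k1: list, k2: list) -> list:
    """Combine partial keys recovered from two packets.

    Fills gaps in one from the other.  A disagreement on any byte known in
    both means the two packets were NOT encrypted with the same key.
    """
    merged = []
    for i, (a, b) in enumerate(zip(k1, k2)):
        if a is not UNKNOWN and b is not UNKNOWN and a != b:
            raise ValueError(f"key byte {i} differs: {a:02x} vs {b:02x}")
        merged.append(b if a is UNKNOWN else a)
    return merged


def decrypt_with(ciphertext: bytes, key: list) -> list:
    """Apply a partial key; positions with no key byte stay UNKNOWN."""
    return [UNKNOWN if k is UNKNOWN else c ^ k for c, k in zip(ciphertext, key)]


def format_key(key: list, width: int = 16) -> str:
    """Render a partial key in the hex layout used in the post (XX = unknown)."""
    cells = ["XX" if k is UNKNOWN else f"{k:02x}" for k in key]
    return "\n".join(" ".join(cells[i:i + width])
                     for i in range(0, len(cells), width))


# --- constructed sample data -------------------------------------------------
SAMPLE_KEY = bytes.fromhex(
    "60 31 75 70 73 a0 a9 91 d7 c4 09 7b 78 e9 b3 8e"
    "89 8b 5f 6d 6f 6a 2b 53 48 54 5c b9 2c 36 63 04")
PT1 = b"user=victim&pass=hunter2&id=0001"   # constructed, 32 bytes
PT2 = b"user=bob&pass=secret99&id=000002"   # constructed, 32 bytes
CT1 = xor_bytes(PT1, SAMPLE_KEY)            # what the 'trojan' would send
CT2 = xor_bytes(PT2, SAMPLE_KEY)


def worked_example() -> dict:
    """Recover the key from packet 1 (password redacted), then use packet 2
    (its own password redacted) to fill key bytes packet 1 could not give."""
    k1 = recover_key(CT1, redact(PT1, 17, 24))   # "hunter2" obscured
    k2 = recover_key(CT2, redact(PT2, 14, 22))   # "secret99" obscured
    merged = merge_keys(k1, k2)                  # raises if the keys differ
    return {
        "key_from_packet1": format_key(k1),
        "merged_key": format_key(merged),
        "packet2_recovered": decrypt_with(CT2, merged),
        "unknown_after_merge": [i for i, k in enumerate(merged) if k is UNKNOWN],
    }


if __name__ == "__main__":
    r = worked_example()
    print("key from packet 1:\n" + r["key_from_packet1"])
    print("merged key:\n" + r["merged_key"])
    print("still unknown after merge:", r["unknown_after_merge"])
```

Run it and the first row of `key_from_packet1` is the first row of the key above; the second row has XX where the constructed password was redacted, exactly the situation the post describes. Merging in the second packet fills two of those holes and, applied to packet 2, recovers the start of its redacted field from key bytes packet 1 supplied. To confirm a fixed key across real captures, you need only recover a partial key from each and merge: the first conflicting byte ends the argument.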
