New Phishing Trojan steals data via ICMP

Websense Security Labs has received a sample of a new phishing Trojan that delivers stolen information back to the attacker via ICMP packets. Upon infection of a victim's computer, the Trojan will install itself as an Internet Explorer Browser Helper Object (BHO). The BHO then waits for the user to post personal information to a monitored website. As this information is entered by the user, it is captured by the BHO and sent back to the attacker.

The method of network transport used by the attacker makes this Trojan unique. Typically, keyloggers of this type will send the stolen information back to the attacker via email or HTTP POST, which can appear suspicious. Instead, this Trojan encodes the data with a simple XOR algorithm before placing it into the data section of an ICMP ping packet. WebsenseŽ - Security Labs Alert: Data Stolen via ICMP

Linked by shanmuga Tuesday, 8th August 2006 1:48AM