Re: Odd windows ICMP... any ideas what this is?

From: Mika Boström (bostik_at_lut.fi)
Date: 06/09/03

  • Next message: Eugene Borukhovich: "RE: Odd windows ICMP... any ideas what this is?"
    Date: Mon, 9 Jun 2003 22:52:54 +0300
    To: incidents@securityfocus.com
    
    
    

    On Mon, 09 Jun 2003, ted klugman wrote:
    > Our IDS has been reporting some large ICMP packets on
    > our internal network. Our internal network is a
    > Windows2000 domain -- servers and clients.
    >
    > - Packet size is always 2090 bytes
    > - Almost always sent from a client or member server to
    > one of the two boxes running Active Directory
    > - The ping payload itself is actually a JPEG of the
    > Microsoft logo. This JPEG can actually be found inside
    > userenv.dll.
    >
    > I googled for any details, and I see that others have
    > run into this before. However, there were no answers,
    > just questions. See these two links for identical
    > packets:
    >
    > http://archives.neohapsis.com/archives/linux/debian/2002-q4/0658.html
    >
    > http://cert.uni-stuttgart.de/archive/debian/security/2002/11/msg00222.html

      Sorry for the lengthy quote. I remember seeing that debian-security
    thread when it appeared. Somewhat further down the thread there was a
    third URL given, with not much new information but just unanswered
    questions - much like you have noticed.

      <URL: http://www.wfu.edu/~steinsj5/work/icmp.html>

    > Anyone else seen these? Any idea what's causing them?
    > Is this 'normal' behavior on a W2K network?

      Considering that this is, if somewhat hazily, documented behaviour
    one would be tempted to say it is indeed 'normal.'

      I'm far from being any kind of authority but I have my personal guess.
    Apparently w32 boxes ping their domain controller regularly. Not all of
    the packets contain the encapsulated image data, so whoever wrote this,
    wanted to behaviour to be at least somewhat inconsistent. My guess is
    that the programmer or programmers in question had some extra time and
    inserted an easter egg.

      If these funny packets are indeed part of license tracking mechanism,
    perhaps the combined effort of blocking oversized pings and then
    profiling the ICMP traffic immediately afterwards would help to provide
    some kind of answer? I can imagine four things happening.

      1. Nothing, the packets would be considered lost. (I don't know what
      the timeouts for not successfully pinging domain controller might be.)

      2. Some kind of log event implicating that these packets are indeed
      expected part of the protocol.

      3. A resend with a regular ping, which in turn would show that some
      extra thought had been used. Quite likely to accommodate normal
      network functionality even with stricter traffic policies.

      4. A resend with image-ping. This oversized ping is part of the
      protocol, or the author(s) for some reason expect a reply to specific
      ICMP messages.

      Anyone care to test and document the behaviour? (I don't have access
    to network setups where these could be verified.)

    -- 
     Mika Boström      +358-50-410-9042  \-/  "The Hell is empty,
     Bostik@lut.fi    www.lut.fi/~bostik  X    and all the devils
     Security freak, and proud of it.    /-\   are here." -W.S.
    
    



  • Next message: Eugene Borukhovich: "RE: Odd windows ICMP... any ideas what this is?"

    Relevant Pages