[nsp-sec] DOS C&C by ICMP - any ideas on the infection?
James A. T. Rice
james_r-nsp at jump.org.uk
Thu Dec 22 21:51:31 EST 2011
Hi Folks,
One of our customers' machines was unfortunately the source of half an
hour of DoS; the customer hasn't been able to track down the malicious
software - there's been no detectable malicious activity since then, and I
was wondering if anyone here might recognise it from the attack
characteristics.
Netflow data shows there was an ICMP Echo Reply to the attack machine
purporting to be from the victim machine immediately before the flood; I
assume this is the command to start the flood - either spoofed to be from
the victim, or a genuine echo reply from the victim to the attacker in
response to a spoofed echo request. I've seen this before, but I can't
track down what was concluded at the time. :/
This was followed by masses of UDP dst port 0 traffic as the flood.
Start End Sif SrcIPaddress SrcP DIf DstIPaddress DstP P Fl Pkts Octets
1220.12:44:58.464 1220.12:45:28.480 18 93.114.41.155 0 25 46.255.73.20 0 1 0 36 3816
1220.12:45:30.207 1220.12:45:49.471 18 93.114.41.155 0 25 46.255.73.20 0 1 0 21 2226
1220.12:44:58.312 1220.12:46:04.296 160 46.255.73.20 51575 24 93.114.41.155 0 17 0 5063185 394928430
1220.12:44:58.337 1220.12:46:09.505 32 46.255.73.20 51575 18 93.114.41.155 0 17 0 5380200 419655600
1220.12:46:04.294 1220.12:47:08.294 160 46.255.73.20 51575 24 93.114.41.155 0 17 0 4522288 352738464
1220.12:46:09.503 1220.12:47:13.503 32 46.255.73.20 51575 18 93.114.41.155 0 17 0 4572777 356676606
1220.12:47:13.501 1220.12:48:17.501 32 46.255.73.20 51575 18 93.114.41.155 0 17 0 4619199 360297522
1220.12:47:08.294 1220.12:48:20.294 160 46.255.73.20 51575 24 93.114.41.155 0 17 0 5167143 403037154
Thanks
James
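As an added illustration (not part of James's post), here is a small Python check over flow-tools-style records laid out like the ones above: it flags a UDP dst-port-0 flow at a high packet rate whose source received an ICMP echo reply within a few seconds of the flood start. The sample records, the RFC 5737 addresses, the thresholds and the year are constructed assumptions, not the post's data.

```python
"""Flag a UDP dst-port-0 flood whose source got an ICMP echo reply right before it."""
from datetime import datetime

# Constructed sample in flow-tools print layout (documentation addresses, not the post's):
# Start End Sif SrcIP SrcP DIf DstIP DstP Proto Flags Pkts Octets
SAMPLE = """\
1220.12:44:58.464 1220.12:45:28.480 18 203.0.113.9 0 25 192.0.2.77 0 1 0 36 3816
1220.12:44:58.312 1220.12:46:04.296 160 192.0.2.77 51575 24 203.0.113.9 0 17 0 5063185 394928430
1220.12:40:00.000 1220.12:40:30.000 18 192.0.2.77 41000 25 198.51.100.5 53 17 0 40 4000
"""

def parse_ts(s, year=2011):
    """'1220.12:44:58.464' is MMDD.HH:MM:SS.mmm; the year is an assumption."""
    return datetime.strptime(f"{year}{s}", "%Y%m%d.%H:%M:%S.%f")

def parse_flows(text):
    """Turn the 12-column flow-tools lines into dicts; skip anything else."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12:
            continue
        flows.append({"start": parse_ts(f[0]), "end": parse_ts(f[1]),
                      "src": f[3], "sport": int(f[4]), "dst": f[6], "dport": int(f[7]),
                      "proto": int(f[8]), "pkts": int(f[10])})
    return flows

def find_triggered_floods(flows, min_pps=10000, window=5.0):
    """Return (flood_src, trigger_src, lag_seconds) for each suspicious pairing.
    A flood is a UDP (proto 17) flow to dst port 0 at >= min_pps.  flow-tools puts
    the ICMP type/code in DstP as type*256+code, so proto 1 with dport 0 is an
    echo reply (type 0).  The window is symmetric because flow start times from
    different exporters are not precisely aligned, so the lag may be negative."""
    hits = []
    floods = [f for f in flows if f["proto"] == 17 and f["dport"] == 0]
    replies = [f for f in flows if f["proto"] == 1 and f["dport"] == 0]
    for fl in floods:
        dur = max((fl["end"] - fl["start"]).total_seconds(), 0.001)
        if fl["pkts"] / dur < min_pps:
            continue
        for r in replies:
            if r["dst"] != fl["src"]:
                continue
            lag = (fl["start"] - r["start"]).total_seconds()
            if -window <= lag <= window:
                hits.append((fl["src"], r["src"], round(lag, 3)))
    return hits

if __name__ == "__main__":
    for src, trigger, lag in find_triggered_floods(parse_flows(SAMPLE)):
        print(f"UDP/0 flood from {src}; echo reply from {trigger} at lag {lag:+.3f}s")
```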