ICMP Protocol Exploit – Loki

Overall ICMP has been viewed as quite a harmless and perhaps even trivial protocol. However that all changed with the rather nasty Loki. In case you didn’t know Loki is from Norse mythology and he was the god of trickery and mischief. The Loki exploit is well named and seeks to exploit the hither to benign ICMP protocol. ICMP is intended mainly to inform users of error conditions and to make very simple requests. It’s one of the reasons intrusion analysts and malware students tended to ignore the protocol. Of course it could be used in rather obvious denial of service attacks but they were easily tracked and blocked.

However Loki changed that situation as it used ICMP as a tunneling protocol as a covert channel. The definition of a covert channel in these circumstances is a transport method used in either a secret or unexpected way. The transport vehicle is ICMP but Loki acts much more like a client/server application. Any compromised host that gets a Loki server instance installed can respond to traffic and requests from a Loki client. So for instance a Loki server could respond to a request to display the password file to screen or file. That could then be possibly captured and cracked by the owner of the Loki client application.

Many intrusion detection analysts would have simply ignored ICMP traffic passing through their logs. Mainly because it’s such a common protocol but also an such an innocuous one. Of course well read analysts will know treat such traffic with heightened suspicion, Loki really has changed the game for protocols like ICMP.

For those of us who spend many hours watching traffic Loki was a real eye opener. You had to check those logs a little more carefully especially to watch out for those strange protocols being used in a different context. There’s some more information on these attacks and other technology items here on this video . It can take some finding though !!