Security researchers have identified a new Trojan which sends data back to attackers via an unconventional communications protocol (for malware) in a bid to escape detection.

The as-yet unnamed phishing Trojan transmits stolen information back to hackers via ICMP (Internet Control Message Protocol) packets instead of email or HTTP packets, the standard route for transmitting purloined information.

After infecting a victim's computer, the Trojan is programmed to install itself as an Internet Explorer Browser Helper Object (BHO). The software then waits for a victim to post sensitive data online. This data, once entered, is captured by the Trojan and sent to attackers.

Instead of using email or HTTP POST requests, the Trojan encodes purloined data using a simple XOR algorithm before placing it into the data section of an ICMP ping packet.

"To network administrators and egress filters, this ICMP packet looks like legitimate traffic leaving the network. However, the ICMP packet actually contains encoded personal information entered by a user. The attackers presumably capture this packet at their remote server, where the packet is easily decoded to reveal the information entered by the user," reports web security firm Websense, which analysed the behaviour of the Trojan after being among the first to receive samples of the malware code. ®

Related stories

• Trojan phishing attack claims multiple victims (23 February 2007)
• US phishing ring members admit fraud charges (27 September 2006)
• Samsung Telecom plays unwilling host to Trojan (8 September 2006)
• A third of dodgy emails are phishing attacks (5 September 2006)
• Google-based malware search tool surfaces (18 July 2006)
• Hackers control bot client over P2P (2 May 2006)
• Trojan-powered scam network dismantled (5 April 2006)
• Yahoo! phishing warning (24 January 2006)
• Phishers and security firms in malware 'arms race' (24 August 2005)