
I'm curious if there are any examples of malformed IP or TCP headers (for example, checksums that don't match, reserved bits that aren't zero, or poor header length numbers) used by malware, or that are used in exploits.

Examples that (if they were true) would be worth mentioning:

  • The TCP stack of X vendor doesn't handle a header length of < 5 correctly, and crashes when it encounters it.

  • A botnet that uses the reserved bits of the TCP header it sends out to send messages around.

schroeder
Andrew Spott

2 Answers


There have been vulnerabilities in hosts with imperfect TCP implementations where malformed requests could cause a crash. I don't know that I've seen anything infect a machine and then choose to break TCP by toying with the headers. Here's an example of a bad-header-caused crash bug:

http://blog.jeremyrossi.com/juniper-flaw-exposes-core-routers-to-kernel-crash.html

Using the reserved bits (6 bits in IPv4) in the header would be very inefficient and it's not something I've ever seen in the wild. It's plausible but generally speaking I wouldn't expect to see it since it's something very unusual and would be easy to identify and filter. I looked around online and could not find anything solid identifying this behavior in use today.

There's a SANS paper on using parts of the TCP packet for covert data passage that covers some of this topic pretty well: https://www.sans.org/reading-room/whitepapers/covert/covert-data-storage-channel-ip-packet-headers-2093

Nathan V
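As an added, defender-side example (not from the question or either answer), here is a Python checker for exactly the header defects the question lists: an IPv4 IHL below 5, a TCP data offset below 5, a non-zero TCP reserved field, and IP or TCP checksums that do not verify. It assumes raw IPv4+TCP bytes with no link-layer header; `build_syn` is a constructed sample input, not a captured packet.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_pseudo_header(pkt: bytes, ip_hlen: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, proto 6, TCP length."""
    return pkt[12:20] + struct.pack("!BBH", 0, 6, len(pkt) - ip_hlen)

def audit_packet(pkt: bytes) -> list:
    """Return anomaly strings for a raw IPv4+TCP packet (no link-layer header)."""
    findings = []
    ihl = pkt[0] & 0x0F if len(pkt) >= 20 else 0
    if ihl < 5:
        return [f"ipv4: ihl {ihl} < 5"]               # later offsets cannot be trusted
    ip_hlen = ihl * 4
    if ip_hlen > len(pkt):
        return ["ipv4: ihl exceeds packet length"]
    if inet_checksum(pkt[:ip_hlen]) != 0:            # an intact header sums to zero
        findings.append("ipv4: header checksum mismatch")
    if pkt[9] != 6:
        return findings                              # not TCP; nothing more to check
    tcp = pkt[ip_hlen:]
    if len(tcp) < 20:
        return findings + ["tcp: fewer than 20 bytes"]
    data_offset = tcp[12] >> 4
    if data_offset < 5:
        findings.append(f"tcp: data offset {data_offset} < 5")
    # RFC 793 reserved 6 bits here; ECN (RFC 3168) and NS (RFC 3540) later took 3 of
    # them, so only bits 1-3 of byte 12 are still reserved and must be zero.
    reserved = (tcp[12] >> 1) & 0x07
    if reserved:
        findings.append(f"tcp: reserved bits set 0b{reserved:03b}")
    if inet_checksum(tcp_pseudo_header(pkt, ip_hlen) + tcp) != 0:
        findings.append("tcp: checksum mismatch")
    return findings

def build_syn(src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02") -> bytes:
    """Constructed sample input: a well-formed 40-byte IPv4+TCP SYN with valid checksums."""
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst))
    struct.pack_into("!H", ip, 10, inet_checksum(bytes(ip)))
    struct.pack_into("!H", tcp, 16, inet_checksum(tcp_pseudo_header(bytes(ip + tcp), 20) + bytes(tcp)))
    return bytes(ip + tcp)
```

Corrupting any single byte of the sample (the IHL nibble, the TTL, the TCP data-offset byte) produces the corresponding finding, which is the kind of filter rule the answer above refers to when it says such packets are easy to identify.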

General discussion on IPv6 used by malware (2014)
http://www.ipv6conference.ch/wp-content/uploads/Slide/Business_Track/B05%20-%20Abramovich-IPv6%20Security%20Challenges%20and%20Solutionsv2.pdf

Includes CVE-2014-2309 and CVE-2014-0254 that use malformed packets to cause DoS.


VoodooNet (2006)
http://www.securityfocus.com/news/11406

VoodooNet used ICMPv6 to send data.


Scapy used to create a covert channel using IPv6:
Link

Destination option Extension header of IPv6 is used to pass secret information.


Research on 22 different covert channels using IPv6 (2006) http://link.springer.com/chapter/10.1007/11767831_10

Glorfindel
schroeder