Hi malware fighters,
Most trojans send stolen data through an HTTP POST or GET. This is relatively easy to detect by a gateway or proxy server. Websense recently discovered a new trojan that sends home stolen data through ICMP. This kind of packet is more difficult for filters and gateways alike to detect, because such data can be legitimate as well, and the data are “encrypted” (via a simple XOR mechanism) and sent in the ICMP data section.
A workaround is to not allow ICMP from the intranet to the Internet. A Snort signature for this trojan has arrived as well.
http://www.websense.com/securitylabs/alerts/alert.php?AlertID=570
polonus
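As an added illustration of the detection problem raised above (example code, not from the post or from Websense): a small Python classifier that parses raw IPv4/ICMP packets, passes echo payloads matching the default Windows and iputils ping fills, and reports anything else with its size and byte entropy. The fill patterns are assumptions and the three packets are constructed here, not captured traffic.

```python
import math
import struct

# Default echo-request fills (assumption: Windows ping's fixed string, and the
# iputils fill of an 8-byte timestamp followed by bytes counting up from 0x10).
WINDOWS_PING_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"

def is_iputils_fill(payload):
    return len(payload) >= 16 and all(payload[i] == (i + 8) & 0xFF for i in range(8, len(payload)))

def shannon_entropy(data):
    """Bits per byte: ~4.5 for English text, near 8 for compressed or encrypted data."""
    n = len(data)
    probs = [data.count(b) / n for b in set(data)]
    return -sum(p * math.log2(p) for p in probs) if n else 0.0

def inspect_icmp(packet):
    """Classify one raw IPv4 packet; returns (verdict, reason)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                      # IP protocol 1 = ICMP
        return ("ignore", "not ICMP")
    icmp = packet[ihl:]
    if icmp[0] not in (0, 8):               # only echo reply / echo request carry a free-form payload
        return ("ok", "non-echo ICMP type %d" % icmp[0])
    payload = icmp[8:]
    if not payload or payload == WINDOWS_PING_FILL or is_iputils_fill(payload):
        return ("ok", "standard ping fill")
    ent = shannon_entropy(payload)
    return ("suspect", "non-standard echo payload: %d bytes, entropy %.2f bits/byte" % (len(payload), ent))

def build_echo_request(payload, ident=0x1234, seq=1):
    """Test fixture: payload inside an ICMP echo request and a minimal IPv4 header (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return ip_hdr + icmp

# Constructed samples, not captured traffic: two normal pings and one echo request
# whose payload is text XOR-ed with a single byte, the scheme the post describes.
SAMPLES = {
    "windows_ping": build_echo_request(WINDOWS_PING_FILL),
    "linux_ping": build_echo_request(bytes(8) + bytes(range(0x10, 0x40))),
    "xor_exfil": build_echo_request(bytes(b ^ 0x5A for b in b"user=alice;host=WS01;pw=hunter2")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, *inspect_icmp(pkt))
```

A gateway check like this complements the "block outbound ICMP" workaround where ping must stay allowed: the known fills pass, and everything else is surfaced for review rather than silently trusted.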