Recently, Trustwave reported on a new malware family which they discovered during a breach investigation. The backdoor, dubbed Pingback, executes on Windows systems and communicates with its controller via ICMP messages. ICMP (Internet Control Message Protocol) is a protocol used for exchanging control messages between endpoints communicating via the Internet Protocol (IP). Echo Request and Echo Reply messages, type 8 and type 0 respectively, are collectively known as Ping messages and are often used to troubleshoot network connectivity issues. Since ICMP is commonly allowed through firewall devices, attackers often hide their communications in ping message payloads. This blog will introduce a method of detecting the Pingback malware attempting to do this very thing.
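One way to spot the behaviour described above, namely data riding inside Echo Request/Reply payloads, is to parse the ICMP header and compare the payload against what a stock ping client would send. The following is an added example (not code from Trustwave or from the original post) that assumes the default payloads of Windows ping.exe and 64-bit iputils ping as the benign baseline, and builds its own sample packets with zeroed checksums.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Default payloads of two common ping tools (assumed baseline, constructed from their known defaults).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # Windows ping.exe, 32 bytes
LINUX_PING_TAIL = bytes(range(0x10, 0x38))  # iputils: byte i holds value i after a 16-byte timestamp

def parse_ipv4_icmp(packet: bytes):
    """Return (type, code, ident, seq, payload) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:        # protocol 1 = ICMP, 8-byte ICMP header
        return None
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    return icmp_type, code, ident, seq, packet[ihl + 8:]

def looks_like_standard_ping(payload: bytes) -> bool:
    """True when the payload matches what a stock ping client would send."""
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) == 16 + len(LINUX_PING_TAIL) and payload[16:] == LINUX_PING_TAIL

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet: not-icmp-echo, benign-ping or suspicious-payload."""
    parsed = parse_ipv4_icmp(packet)
    if parsed is None or parsed[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-icmp-echo"
    payload = parsed[4]
    return "benign-ping" if looks_like_standard_ping(payload) else "suspicious-payload"

def build_echo(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Construct a minimal IPv4+ICMP packet for testing (IP and ICMP checksums left as zero)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))   # constructed addresses
    return ip + icmp

if __name__ == "__main__":
    samples = {  # constructed sample traffic
        "windows ping": build_echo(ICMP_ECHO_REQUEST, WINDOWS_PING_PAYLOAD),
        "linux reply": build_echo(ICMP_ECHO_REPLY, b"\x00" * 16 + LINUX_PING_TAIL),
        "tunnelled data": build_echo(ICMP_ECHO_REQUEST, b"whoami\x00output-of-command"),
    }
    for name, pkt in samples.items():
        print(f"{name:15} -> {classify(pkt)}")
```

In production the baseline would be learned from the hosts actually on the network, and a checksum check should be added so malformed packets are not silently classified.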