Term Paper for Computer Networks (CSE 5344)
Professor: Dr. Bruggeman
Author: Tom Ueltschi

URL: http://omega.uta.edu/~tom/ICQ/


The ICQ Protocol

Abstract

This paper introduces the ICQ program and its features, and explains the different versions of the ICQ Protocol. After a brief history of ICQ, you will learn the basic capabilities of ICQ and how they are implemented in the ICQ Protocol. The different versions of the ICQ Protocol are discussed in more detail, and security aspects are taken into consideration as well. The Client-Server and Client-Client communications are also explained briefly.


Table of Contents

1. Introduction
2. What is ICQ?
3. Main Features of ICQ
    3.1 Messaging
    3.2 Chat
    3.3 File Transfer
4. The ICQ Protocol
    4.1 Reverse-Engineering using SocketSpy
    4.2 Protocol Versions
        4.2.1 Protocol V1
        4.2.2 Protocol V2
        4.2.3 Protocol V3
        4.2.4 Protocol V4
        4.2.5 Protocol V5
    4.3 Client-Server Communication
    4.4 Client-Client Communication
    4.5 Security Aspects of the Protocol
5. Conclusion

Bibliography / Web Resources
Disclaimer


1. Introduction

In recent years, the Internet has experienced a tremendous growth in number of users and popularity. A few years ago, the Internet was maybe still viewed as a luxury, whereas today and in the near future the Internet is more and more becoming a necessity. A fast growing number of people use the Internet for everyday-communication among their family and friends. E-mail is probably the most common way of communication on the Net, but other Internet communication tools, like for example Mirabilis' ICQ, are catching up fast.

Mirabilis was founded in July 1996 by four young Israeli avid computer users who established a new Internet company. Yair Goldfinger, Arik Vardi, Sefi Vigiser, and Amnon Amir created the company in order to introduce a new communication tool for the Internet. They found that the Internet provides a connection to all its users, but an interconnection among those users was still missing. They developed the missing technology to allow Internet users to find and locate each other more easily, and to provide them with a simple and easy-to-use tool to create peer-to-peer communication channels. They were the pioneers in this new industry.

In November 1996, only four months after Mirabilis was founded, the first version of the ICQ product was introduced to the Internet. Later it was said that ICQ has "taken the Internet by storm". For example, Alexander Woodby from Tucows wrote, "ICQ is one program that's definitely taking the net by storm. Started by a small group of people, it's proven itself as perhaps the leading interpersonal chat program today." Soon after its release, the ICQ program started spreading very quickly by "word-of-mouse".

(Source: Mirabilis--About us)
Mirabilis' ICQ was chosen as the winner among six Instant-Messaging Programs by CNET due to its huge popularity and its many features. The competitors were AOL Instant Messenger, ichat Pager, Excite PAL, Yahoo Pager, and PowWow. You can read the full reviews here: http://home.cnet.com/category/topic/0,10000,0-3781-7-278365,00.html

In June 1998, America Online acquired all Mirabilis' assets and ICQ Inc., the successor of Mirabilis Ltd., was created. The ICQ program and its use has been free of charge from the very beginning and still is free.
 

2. What is ICQ?

ICQ actually stands for "I seek you". It is one of the most popular communication tools used on the Internet, besides the good old plain e-mail. ICQ is a user-friendly and real-time Internet tool that allows users to find other people, add them to a contact list, see their online/offline status at any given time, and communicate with them in several different ways. ICQ provides capabilities of messaging, one-on-one or multi-user chat sessions, user-to-user file transfer, sending URLs, playing games, and invoking external applications, like NetMeeting, CoolTalk, or other online-conferencing tools.

A more detailed introduction to "What is ICQ?" can be found at the Mirabilis web site: http://www.mirabilis.com/products/whatisicq.html  It describes the currently latest version, ICQ99b, whereas my graphics and descriptions are based on the earlier version ICQ98a.
 

3. Main Features of ICQ

Every ICQ user has a list of people that he or she is interested in communicating with, as shown in Fig. 3.1. Over time the contact list can grow to several dozens of people and the number of users on the list is not limited in versions ICQ99b or later.  For each user on the contact list an online status is shown in form of an icon.  One's online status can be chosen and changed at any time.  The possible choices are shown in Fig. 3.2. The ICQ preferences also allow users to show "Away" or "Extended Away" after a specified time of inactivity or idling.
Fig. 3.1: ICQ Contact List
Fig. 3.2: Online Status
Fig. 3.3: ICQ Features

The list of ICQ Features (Fig. 3.3) appears when a person's name from the contact list is clicked on. By double-clicking a user, the default action (send a message) is chosen. All messages sent to every person are stored individually and can be reviewed using the View Messages History. The Info shows you information about that person which they chose to make public. Other features include sending a file or URL, and requesting a chat session.

The Contact List Wizard (Fig. 3.4) helps you find people who you want to communicate with. You can find ICQ users by different pieces of information, like e-mail address, first- and/or last name, or nickname. However, the easiest and fastest way to find a specific ICQ user is by their unique ICQ number (UIN -- Unique Internet Number, according to Mirabilis).

Fig. 3.4: Search for ICQ Users

To search for a new user choose Add/Find Users from the ICQ menu (Fig. 3.5). The ICQ menu also allows users to set and change their ICQ preferences, and if more than one ICQ user uses the same computer, they can switch the current ICQ user with Add/Change Current User.

The System Menu (Fig. 3.6) enables the user to switch between basic and advanced features for ICQ, and to send a message to non-ICQ-users to introduce them to ICQ.

Fig. 3.5: ICQ Menu
Fig. 3.6: System Menu

    3.1 Messaging

Sending messages (Fig. 3.7) is a nice and convenient feature which has since been implemented in several other clients, like AOL Instant Messenger and Yahoo Pager among others. Sending messages back and forth allows for a live conversation, but you can still do other things at the same time and do not have to focus 100% on the conversation. In the preferences, you can specify a sound file to notify you acoustically of any arriving messages. You can also send messages to ICQ users who are not currently online; they will receive the message as soon as they next log on. The same message can also be sent to multiple recipients if desired.

Fig. 3.7: Sending ICQ Message

    3.2 Chat

Sometimes when you want to have a conversation with someone, the messaging can get tiring and slow the conversation down. To achieve a more lively conversation you can initiate a chat session to which the other person can either accept or decline your invitation. An example of a chat session is shown in Fig. 3.8. A chat session can also be set up between more than two people and everyone can see the others' typing in an individual frame. The user can change colors and fonts, and upon exiting the chat, the user is prompted with the choice to save the chat buffer to a text file.

Fig. 3.8: ICQ Chat Session (One-on-one)

    3.3 File Transfer

Another really neat feature of ICQ is the capability of transferring files between users' PCs directly. One user initiates a Send File Request (Fig. 3.9) by selecting a local file on his machine, then the other person can accept or deny the transfer. Although the transfer rate is usually not very high, this feature can be very useful at times. Naturally, the transfer rate will depend on the slower modem of the two users involved in the file transfer and the net load at that time.
Fig. 3.9: Send File Request

4. The ICQ Protocol

In the previous section you have been introduced to the main features of ICQ, but how does the ICQ Protocol implement them? The answer to this question will be covered in this section.

First of all, the ICQ Protocol is proprietary to its developer Mirabilis, now ICQ Inc. All information that is publicly available on the ICQ Protocol has been reverse-engineered by a loosely collaborating group of people on the Internet with a common interest. Thus, none of the information found or provided in this document is guaranteed to be correct or accurate. However, I am sure the people trying to figure out the ICQ Protocol gave their best effort in doing so, and I would like to thank them for their efforts and for making their work public.
 

    4.1 Reverse-Engineering using SocketSpy

One way to reverse-engineer the ICQ Protocol is to use a tool that intercepts an application's socket calls and dumps the data passed through them on the screen or into a file. One such tool is SocketSpy, developed by WinTech. Fig. 4.1 shows schematically how SocketSpy works: for any application that uses WINSOCK.DLL, all API calls are intercepted by Interceptor.DLL, and SocketSpy prints out the parameters of those calls. Because the data is captured at the API boundary, before it reaches the network stack, this shows exactly what the ICQ client hands to the socket.
Fig. 4.1: How SocketSpy works

Fig. 4.2 shows a sample screen shot from SocketSpy (demo version) taken while the ICQ client was disconnecting from the ICQ server. The SocketSpy demo version has some restrictions, one being that the packet dump is cut off after 20 bytes.

Fig. 4.2: SocketSpy sample screen shot (while disconnecting from ICQ)

Now we try to decode the packet dump using the header layout of ICQ protocol version V5 (see Fig. 4.3) as it is described in the V5-Encryption page. The first two bytes specify the version number (0x0005), so the V5 layout applies. After 4 zero bytes, the next four bytes carry the UIN of the user's ICQ client. All multi-byte fields are stored little-endian, so after reversing the byte order and converting the hex value (0x004E6CAA = 5139626 decimal) it turns out that this is indeed the UIN of my ICQ client. However, I was not able to verify the command (0xC2EE) for disconnecting from ICQ.
 

ICQ Packet Header (client side)

 Length    Content (from dump)   Designation    Description
 ------    -------------------   -----------    -----------
 2 bytes   05 00                 VERSION        Protocol version
 4 bytes   00 00 00 00           ZERO           Just zeros, purpose unknown
 4 bytes   AA 6C 4E 00           UIN            Your (the client's) UIN
 4 bytes   77 72 55 FC           SESSION_ID     Used to prevent 'spoofing'
 2 bytes   EE C2                 COMMAND        Command code
 2 bytes   A4 01                 SEQ_NUM1       Starts at a random number
 2 bytes   E8 C6                 SEQ_NUM2       Starts at 1
 4 bytes   xx xx xx xx           CHECKCODE      Not captured: the demo dump stops after 20 bytes
 variable  xx ...                PARAMETERS     Parameters for the command being sent

Fig. 4.3: Decoding the packet sent (data from SocketSpy)

Naturally, figuring out the protocol specification by spying on the packets sent through WinSock is not trivial and requires much work and effort. Magnus Ihse, who began researching ICQ protocol V2 early on and published one of the first documents about the ICQ Protocol, formed a mailing list called ICQ-devel because of the huge number of responses and questions he received. Through constant effort over the years, the participants of the ICQ-devel list reverse-engineered almost all of the ICQ protocol versions and implemented ICQ clients on different platforms and in different programming languages.
 

    4.2 Protocol Versions

The ICQ Protocol has gone through several versions since its inception in 1996. The earlier versions did not use any kind of encryption and had many security holes (see section 4.5). Version 4 introduced a simple XOR-based encryption of the packet header. Version 5 additionally uses a session ID and sequence numbers for security purposes. The latest two versions of ICQ (ICQ98 and ICQ99) are able to speak all protocol versions currently still in use (V2 through V5).
 

        4.2.1 Protocol V1

V1 was the first version of the ICQ Protocol and is no longer in use. This version was never used by any publicly released ICQ clients. I was not able to find any specific documentation on Version 1.
 

        4.2.2 Protocol V2

Version 2 of the ICQ Protocol was implemented in the first release of ICQ in 1996, which is still available to download at this site. V2 is the oldest version of the ICQ Protocol that is still in use today.

The UDP packet sent from the client to the server has the following general layout:

 Length   Content (if fixed)    Name             Description
 ------   ------------------    ----             -----------
 2 bytes  02 00                 VERSION          Identifies the packet as an ICQ packet
 2 bytes  xx xx                 COMMAND          Code for service the server should provide
 2 bytes  xx xx                 SEQ_NUM          Sequence number
 4 bytes  xx xx xx xx           UIN              The senders UIN
 variable                       PARAMETERS       0 or more parameters (depending on COMMAND)

The UDP packet sent from the server to the client has the following general layout:

 Length   Content (if fixed)    Name             Description
 ------   ------------------    ----             -----------
 2 bytes  02 00                 VERSION          Identifies the packet as an ICQ packet
 2 bytes  xx xx                 COMMAND          Code for the reply or notification the server sends
 2 bytes  xx xx                 SEQ_NUM          Sequence number
 variable                       PARAMETERS       0 or more parameters (depending on COMMAND)
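
The following Python program is an added example, written for this page; it is not code from the paper, from Mirabilis, or from any ICQ client. It dissects the two V2 layouts above and the V5 client header of Fig. 4.3, using the bytes from the SocketSpy dump. It also handles the situation the demo version forces: a dump cut off after 20 bytes still yields the complete V5 header but no CHECKCODE, which the dissector reports rather than misreading parameter bytes as a check. The V2 packets it builds use placeholder command codes of my choosing, not real ICQ command values.

```python
"""Dissector for the ICQ UDP header layouts shown on this page (V2 and V5)."""
import struct

# Bytes copied from the SocketSpy dump in Fig. 4.3. The SocketSpy demo stops
# dumping after 20 bytes, so the 4-byte CHECKCODE that follows is missing.
V5_DUMP = bytes.fromhex("0500" "00000000" "AA6C4E00" "777255FC" "EEC2" "A401" "E8C6")

V2_CLIENT = struct.Struct("<HHHI")      # VERSION, COMMAND, SEQ_NUM, UIN
V2_SERVER = struct.Struct("<HHH")       # VERSION, COMMAND, SEQ_NUM
V5_CLIENT = struct.Struct("<HIIIHHH")   # VERSION, ZERO, UIN, SESSION_ID, COMMAND, SEQ_NUM1, SEQ_NUM2
V5_CHECKCODE = struct.Struct("<I")


def dissect(packet: bytes, direction: str = "client") -> dict:
    """Split an ICQ UDP packet into its header fields and trailing PARAMETERS.

    All multi-byte fields are little-endian, which is why the dump bytes
    AA 6C 4E 00 read as UIN 0x004E6CAA (5139626).
    """
    if len(packet) < 2:
        raise ValueError("packet too short for a VERSION field")
    version = struct.unpack_from("<H", packet, 0)[0]

    if version == 2:
        layout = V2_CLIENT if direction == "client" else V2_SERVER
        if len(packet) < layout.size:
            raise ValueError("truncated V2 header")
        fields = layout.unpack_from(packet, 0)
        names = ("version", "command", "seq_num", "uin")[: len(fields)]
        out = dict(zip(names, fields))
        out["parameters"] = packet[layout.size:]
        return out

    if version == 5:
        if direction != "client":
            raise ValueError("only the client-side V5 layout is documented here")
        if len(packet) < V5_CLIENT.size:
            raise ValueError("truncated V5 header")
        ver, zero, uin, session, cmd, seq1, seq2 = V5_CLIENT.unpack_from(packet, 0)
        out = {"version": ver, "zero": zero, "uin": uin, "session_id": session,
               "command": cmd, "seq_num1": seq1, "seq_num2": seq2}
        end = V5_CLIENT.size + V5_CHECKCODE.size
        if len(packet) >= end:
            out["checkcode"] = V5_CHECKCODE.unpack_from(packet, V5_CLIENT.size)[0]
            out["parameters"] = packet[end:]
        else:
            # The 20-byte demo dump: header complete, CHECKCODE not captured.
            out["checkcode"] = None
            out["parameters"] = b""
        out["truncated"] = len(packet) < end
        return out

    raise ValueError(f"unsupported or corrupt VERSION field: {version:#06x}")


def build_v2_client(command: int, seq_num: int, uin: int, parameters: bytes = b"") -> bytes:
    """Assemble a V2 client->server packet; the UIN is the only sender identity it carries."""
    return V2_CLIENT.pack(2, command, seq_num, uin) + parameters


def build_v2_server(command: int, seq_num: int, parameters: bytes = b"") -> bytes:
    """Assemble a V2 server->client packet (there is no UIN field at all)."""
    return V2_SERVER.pack(2, command, seq_num) + parameters


if __name__ == "__main__":
    for name, value in dissect(V5_DUMP).items():
        if isinstance(value, int) and not isinstance(value, bool):
            print(f"{name:<11} {value:#x}")
        else:
            print(f"{name:<11} {value!r}")
```

Note what the V2 client layout shows about the early protocol: apart from a sequence number, the UIN is the only thing that identifies the sender, and there is no session ID, checksum or encryption, so the server has nothing but that number to go on.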

More detailed information about the version 2 can be found here. (Original source: http://www.algonet.se/~henisak/icq/icq091.txt )
 

        4.2.3 Protocol V3

The next protocol version to appear was version 3, which added a simple checksum as its only protection.

Version 3 header is as follows:

2 Bytes  - This is the Version of the protocol = 03 00 (Major, Minor)
2 Bytes  - This is the Function code.  The ones I know are listed below.
2 Bytes  - First Sequence Code    \ These are usually the same
2 Bytes  - Second Sequence Code   /
4 Bytes  - This is the user ID of the client user
4 Bytes  - These four bytes are ICQ's weak attempt at security:
           to get these do the following:

    /* data[] is the whole packet; magic[] is a fixed 256-byte table built into
       the client. Bytes 2, 4, 6 and 8 are the low bytes of the function code,
       the two sequence codes and the UIN respectively. */
    check1 = ( data[8] << 24 ) | ( data[4] << 16 ) | ( data[2] << 8 ) | ( data[6] );
    offs1 = Random % length;  /* offset into packet (must fit in one byte) */
    offs2 = Random % 256;     /* offset into magic data                    */
    /* the two selected bytes are stored bitwise complemented (~), masked to 8 bits */
    check2 = ( offs1 << 24 ) | ( (~data[offs1] & 0xFF) << 16 ) | ( offs2 << 8 ) | ( ~magic[offs2] & 0xFF );
    check = check1 ^ check2;  /* XOR the two checks */

Note that nothing in this computation is secret: the offsets are stored in the check itself, and the magic table ships with every client, so any party can both verify and produce a valid check.

The V3 Protocol is explained in more depth here.
 

        4.2.4 Protocol V4

In Version 4, encryption was added to the protocol. The following is the header for Version 4 packets:
2 Bytes   - Version Number (not encrypted) = 04 00 (Major, Minor)
2 Bytes   - Random number (not encrypted)
  ***** Everything from this point to the 1/4 mark is encrypted *****
2 Bytes   - Always 00 00 in the plaintext
          - Since encryption is an XOR with the key, whatever bytes appear
            here in the encrypted packet are the first 2 bytes of the key
            (a known-plaintext leak of 16 key bits).
2 Bytes   - Command Code
2 Bytes   - First Sequence Code
2 Bytes   - Second Sequence Code
4 Bytes   - User ID Number
4 Bytes   - Checksum, calculated the same way as for V3 above
          - The packet is encrypted by XORing 1/4 of the packet with a key
          - The key is calculated by multiplying the length by 0x66756B65 and
            adding the check value


                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |       4       |      0        |           RANDOM              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        Everything below this point is encrypted
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           ZEROS               |           COMMAND             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          SEQUENCE             |         SECOND SEQUENCE       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              UIN                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             CHECK                             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
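
To make the V3 check and the V4 key derivation concrete, here is an added Python example (mine, written for this page; not code from the paper, from Mirabilis, or from any ICQ client). It computes and verifies the V3 check, derives the V4 key from length and check as stated above, and shows the known-plaintext leak of the two ZEROS bytes. Three things in it are assumptions not given in the text: the 256-byte magic table is a constructed placeholder with the right shape; offs1 is kept below 256 and away from the check field itself (bytes 12..15), otherwise a receiver could never re-derive the value; and the XOR is applied as a cyclic 4-byte little-endian key over the header from byte 4 onward, since the page only says that a quarter of the packet is XORed with the key.

```python
"""V3 checksum and V4 key derivation for ICQ UDP headers (added example)."""
import random
import struct

# The page does not reproduce the client's 256-byte "magic" table; this is a
# constructed placeholder of the same shape. The real one is a fixed constant
# in the ICQ client, i.e. public, not a secret key.
MAGIC = bytes((i * 0x6B + 0x25) & 0xFF for i in range(256))

CHECK_OFFSET = 12            # in the V3 header the check occupies bytes 12..15
V4_MULTIPLIER = 0x66756B65   # from the V4 description above


def check1(data: bytes) -> int:
    """Bytes 2, 4, 6 and 8: low bytes of function code, seq 1, seq 2 and UIN."""
    return (data[8] << 24) | (data[4] << 16) | (data[2] << 8) | data[6]


def check2(data: bytes, offs1: int, offs2: int) -> int:
    """Two offsets plus the bitwise complement of the bytes they select."""
    return ((offs1 << 24) | ((~data[offs1] & 0xFF) << 16)
            | (offs2 << 8) | (~MAGIC[offs2] & 0xFF))


def compute_check(data: bytes, rng=random) -> int:
    # Assumption: offs1 fits in one byte and never selects a byte of the check
    # field itself, which is still zero while the check is being computed.
    candidates = [i for i in range(min(len(data), 256))
                  if not CHECK_OFFSET <= i < CHECK_OFFSET + 4]
    offs1 = rng.choice(candidates)
    offs2 = rng.randrange(256)
    return (check1(data) ^ check2(data, offs1, offs2)) & 0xFFFFFFFF


def build_v3(command: int, seq1: int, seq2: int, uin: int,
             parameters: bytes = b"", rng=random) -> bytes:
    """V3 header: version, function code, two sequence codes, UIN, check."""
    head = struct.pack("<HHHHI", 3, command, seq1, seq2, uin)        # bytes 0..11
    check = compute_check(head + b"\0\0\0\0" + parameters, rng)       # check field zeroed
    return head + struct.pack("<I", check) + parameters


def verify_check(packet: bytes) -> bool:
    """What a receiver does. Only the packet and the public table are consulted."""
    if len(packet) < CHECK_OFFSET + 4:
        return False
    check = struct.unpack_from("<I", packet, CHECK_OFFSET)[0]
    c2 = check ^ check1(packet)                      # recover check2 from check1
    offs1, byte1 = c2 >> 24, (c2 >> 16) & 0xFF
    offs2, byte2 = (c2 >> 8) & 0xFF, c2 & 0xFF
    if offs1 >= len(packet) or CHECK_OFFSET <= offs1 < CHECK_OFFSET + 4:
        return False
    return byte1 == (~packet[offs1] & 0xFF) and byte2 == (~MAGIC[offs2] & 0xFF)


def v4_key(length: int, check: int) -> int:
    """Key = length * 0x66756B65 + check, as the page states, kept to 32 bits."""
    return (length * V4_MULTIPLIER + check) & 0xFFFFFFFF


def v4_xor(packet: bytes, key: int) -> bytes:
    """Assumed layout: the little-endian key XORed cyclically over bytes 4 onward.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    ks = struct.pack("<I", key)
    out = bytearray(packet)
    for i in range(4, len(out)):
        out[i] ^= ks[(i - 4) % 4]
    return bytes(out)


def build_v4_plain(random16: int, command: int, seq1: int, seq2: int,
                   uin: int, check: int) -> bytes:
    """Plaintext V4 header: 04 00, RANDOM, ZEROS, COMMAND, SEQ, SEQ2, UIN, CHECK."""
    return struct.pack("<HHHHHHII", 4, random16, 0, command, seq1, seq2, uin, check)


def leaked_key_bytes(ciphertext: bytes) -> int:
    """The ZEROS word is known plaintext: its two cipher bytes are key bytes 0 and 1."""
    return struct.unpack_from("<H", ciphertext, 4)[0]
```

The verify step is exactly what makes the check weak: it consults nothing but the packet and a table that ships with every client, so a packet with any UIN or content can be given a valid check by whoever builds it; the check detects accidental corruption, not forgery. For V4, the key is a function of two values (length, check) that contain no secret, and the ZEROS field hands over its first two bytes to anyone who can see the packet.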

The V4 Protocol is explained in more detail here. Encryption of V3/V4 is explained here.
 

        4.2.5 Protocol V5

Version 5 is the most recent version; at the time of writing it has not been fully documented anywhere.

An example of a V5 header is shown in Fig. 4.3. Version 5 is used in the newest release of ICQ 99b.

The best explanation for encryption in V5 can be found here.
 

    4.3 Client-Server Communication

When an ICQ user connects to the Internet, the ICQ NetDetect Agent can automatically detect the connection and launch the ICQ application. First, the ICQ program tries to establish a connection to a Mirabilis ICQ server by sending UDP packets to port 4000. During the login process, the client sends information about itself to the server, including its IP address, the TCP port reserved for ICQ, the user's password and the user's contact list; in the protocol versions before V4, which use no encryption (see section 4.2), this login packet, password included, crosses the network in the clear. Once a connection has been established, the client reports its user's online status and queries the online status of each ICQ user on the contact list.

The information provided from any ICQ user during registration is also stored on the ICQ-Server. If someone requests the public information about a certain user, a request command in a UDP packet is sent to the server which then sends back the information about the inquired ICQ user. All UDP packets must be acknowledged, otherwise retransmission will occur after 10 seconds.
 

    4.4 Client-Client Communication

For messaging, sending URLs, file transfers, and chat sessions, a Client-to-Client connection using TCP is established. The IP addresses and port numbers for ICQ users are received from the ICQ server upon connection.
 

    4.5 Security Aspects of the Protocol

In a posting from December 1997 titled "ICQ so-called protocol", Alan Cox writes the following regarding the security of the ICQ Protocol:
"The ICQ protocol is ridiculously simplistic and is riddled with security holes. So is the ICQ software. So ICQ users can be spoofed, have their machine crashed, or have evil haxxors run arbitrary code on their boxes. Geez, these poor users might as well run Internet Explorer!"
(Source: http://www.insecure.org/sploits/icq.spoof.overflow.seq.html )
This statement was referring to the earlier versions of the ICQ Protocol. In versions V4 and V5, encryption and other security features were added to the protocol.
 

5. Conclusion

The ICQ program is one of the most popular and most widespread chat and instant-messaging programs on the Internet, and the community of ICQ users is still growing very rapidly. Most ICQ users do not need to know how the ICQ Protocol works. They are also not aware of or concerned about the security aspects of the ICQ Protocol. The protocol certainly has its vulnerabilities, which the majority of users do not know about.

The ICQ Protocol is not very well designed or engineered, but it has undergone some major improvements over time.


Bibliography / Web Resources

[1] Mirabilis Ltd.; Mirabilis official homepage; <http://www.mirabilis.com/>

[2] Ihse, Magnus; The ICQ Protocol Site; <http://www.student.nada.kth.se/~d95-mih/icq/>

[3] Isaksson, Henrik; The ICQ hacking page; <http://www.algonet.se/~henisak/icq/>

[4] Meistern; Meistern's ICQ Hacking Page; <http://www.globalserve.net/~jphowe/icq/>

[5] Kalinin, Eugene; ICQ Protocol Definition; <http://www.mml.nsi.ru/~ekalinin/MSPvsICQ/Protocol.htm>

[6] Cox, Alan; ICQ so-called protocol; <http://www.insecure.org/sploits/icq.spoof.overflow.seq.html>

[7] CNET.com, Editors' Choice; CNET Compares 6 Top Instant-Messaging Programs;
    <http://home.cnet.com/category/topic/0,10000,0-3781-7-278365,00.html>

[8] WinTECH Software; SocktSpy... Application Description; <http://www.win-tech.com/html/socktspy.htm>


Disclaimer

THE INFORMATION AVAILABLE ON THIS PAGE IS PROVIDED ON AN "AS IS" BASIS. THE AUTHOR MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THOSE OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THIS DOCUMENT AND THE INFORMATION PRESENT HEREIN. THE AUTHOR DOES NOT WARRANT, GUARANTEE OR MAKE ANY REPRESENTATIONS REGARDING THE USE OR THE RESULTS OF THE USE OF THESE DOCUMENTS OR THE INFORMATION PRESENT HEREIN. THE ENTIRE RISK OF USING THE INFORMATION PRESENT IN THIS DOCUMENT IS ASSUMED BY THE USER. IN NO EVENT WILL THE AUTHOR BE LIABLE TO ANY PARTY (i) FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE), OR ANY OTHER DAMAGES ARISING IN ANY WAY OUT OF THE AVAILABILITY, USE, RELIANCE ON, OR INABILITY TO USE THIS DOCUMENT OR THE INFORMATION PRESENT HEREIN, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE; OR (ii) FOR ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN, OR DESTRUCTIVE PROPERTIES OF ANY INFORMATION.
The author of this page is in no way affiliated with Mirabilis or ICQ Inc.

Copyright © 1999 by Tom Ueltschi