Overt and Covert Channels 203
■ Process-hiding backdoors—An attacker who wants to stay undetected for as long as
possible typically goes the extra step of hiding the software they are running.
A compromised service, a password cracker, a sniffer, or a rootkit is the kind of
item an attacker will configure so as to avoid detection and removal. Techniques
include renaming the package to the name of a legitimate program and altering other
files on the system (for example, the utilities that list running processes and
files) so that the hidden software is neither noticed nor stopped while it runs.
Once a backdoor is in place, an attacker can access and manipulate the system at will.
Overt and Covert Channels
When you are working with Trojans and other malware, you need to be aware of covert
and overt channels. As mentioned earlier in the chapter, the difference between the two is
that an overt channel is put in place by design and represents the legitimate or intended way
for the system or process to be used, whereas a covert channel uses a system or process in a
way that it was not intended to be used.
The biggest users of covert channels that we have discussed are Trojans. Trojans are
designed to stay out of sight, remaining hidden while they send information to or
receive instructions from another source. Using a covert channel means the information
and communication may slip past detective mechanisms that are not designed or
positioned to look for such behavior.
Tools to exploit covert channels include the following:
■ Loki—Originally written as a proof of concept showing how ICMP traffic can be used
as a covert channel. The tool passes information inside ICMP echo packets. Echo
packets carry an optional data payload that receivers normally ignore (a stock ping
simply fills it with padding), so the unused payload makes an ideal covert channel.
■ ICMP backdoor—Similar to Loki, but instead of using Ping echo packets, it uses Ping
replies.
■ 007Shell—Uses ICMP packets to send information, but goes the extra step of
formatting the packets so they are a normal size.
■ B0CK—Similar to Loki, but uses Internet Group Management Protocol (IGMP).
■ Reverse World Wide Web (WWW) Tunneling Shell—Creates covert channels through
firewalls and proxies by masquerading as normal web traffic.
■ AckCmd—Provides a command shell on Windows systems, communicating only with TCP
ACK segments, which stateless packet filters that permit established connections
tend to let through.
Another powerful way of extracting information from a victim's system is to use a piece
of technology known as a keylogger. Software in this category captures keyboard activity
on the target system and reports it back to the attacker. Once in place, it lets the
attacker observe everything typed on that system. Under the right conditions, this
software can capture passwords, confidential information, and other sensitive data.