Chapter 9. Covert Channels


"We are what we pretend to be, so we must be careful what we pretend to be."

MOTHER NIGHT, KURT VONNEGUT, JR.

A covert channel is a secret communication pathway. Covert means hidden, so the communication must be concealed. The term originates from the design of highly secure, compartmentalized computer systems, the ones found in military installations that handle classified information.

These systems are supposed to keep one process from communicating with another process. As it turns out, that is very hard to do. No matter how minor, any detectable signal that can be influenced by two parties may become a conduit of communication between them.

A covert channel doesn't have to be fancy or meet academic standards of stealthiness; it just needs to be unanticipated so that it slips by unnoticed.

For a rootkit, a covert channel typically means a communication path that breaks through firewalls undetected (by sniffers, IDS systems, or other security mechanisms). The channel must be robust enough to support exfiltrating data from the computer and allow command and control messages. Such capacity enables an attacker to communicate with a rootkit, steal data, and remain undetected while doing it.

Covert channels must be designed. They cannot be known protocols or software designs. A covert channel is usually some form of extension of an existing protocol or software communication process, created in order to move hidden data.

A class of data hiding known as steganography forms the basis of many covert channels. Basically, steganography is about "hiding in plain sight." This has been popularized in movies and the press with such concepts as hiding secret messages inside digital photographs.

In this chapter, we begin our discussion of covert channels by explaining the concepts of remote command, control, and data exfiltration. Next, we launch into the topics of disguised TCP/IP protocols, kernel TCP/IP support for your rootkit, and raw network manipulation. We introduce NDIS and TDI mechanisms you can use to send and receive network data to and from a Windows kernel driver. Armed with this knowledge, you should be able to create a rootkit that lets you move in and out of data networks without being detected.

    Rootkits: Subverting the Windows Kernel
    ISBN: 0321294319
    EAN: 2147483647
    Year: 2006
    Pages: 111
