Initiating the Connection

Previous page
Table of content
Next page

Many rootkits set up a communication channel and then listen for commands sent to a specific port, or monitor all network traffic looking for special patterns from a controller. The benefit of these designs is stealth, because just listening is difficult to detect. Unfortunately, this design can be defeated at the corporate firewall by disallowing incoming connections. The rootkit developed in this chapter will bypass this problem by initiating the controller connection during initialization.

Only a few years ago, an outgoing connection initiated during the boot process would have raised suspicions. Even now, an outgoing connection using anything other HTTP-formatted packets from port 80 or 443 can raise suspicions, but today’s software has become very reliant upon the Internet, and checking for updates over the Internet has become so common that outgoing HTTP and HTTPS connections initiated during the boot process shouldn’t raise unwanted suspicion.



Previous page
Table of content
Next page
Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
BUY ON AMAZON
Absolute Beginner[ap]s Guide to Project Management
Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
Junos Cookbook (Cookbooks (OReilly))
Extending and Embedding PHP
Python Programming for the Absolute Beginner, 3rd Edition
Microsoft Visual Basic .NET Programmers Cookbook (Pro-Developer)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy