The examples provided in this chapter do not directly enhance the rootkit we’ve been building throughout this book. An e-mail client extension will usually log e-mail traffic to disk for eventual retrieval by a rootkit. As such, there is no interdependence between rootkits and e-mail client extensions. This allows an e-mail client extension to function completely autonomously.
Named pipes are an excellent way to alert a rootkit to decoupled activity such as e-mail filtering. If your e-mail client extension saves information to a file, the location of the file can be passed to a rootkit through a named pipe. The rootkit can then process the contents of the file as required.
Placing filtered e-mail data into a directory buffer is also a great way to transfer e-mail traffic. A rootkit can be set to periodically check the contents of a special directory and process the contents of that directory when files are discovered. However, this mechanism does require added synchronization to ensure that reading and writing do not interfere with each other.
Though e-mail client extensions will be of little value outside the corporate infrastructure, there is no better way to gather personal information from a corporate environment. If you are targeting a corporate environment, there is a high likelihood that the e-mail system will implement some form of client extension capability. This chapter has provided solutions for the two most popular servers:
Microsoft Exchange Server for Outlook
Domino Server for Lotus Notes
The next chapter presents basic rootkit installation techniques.