The Connection


As stated earlier, communication between a rootkit and its controller is by far the most likely cause of rootkit detection. To minimize the possibility of detection, the Ghost rootkit initiates the remote control connection when the driver is first loaded. This requires the remote controller to listen on a predetermined port and spawn a control thread for each new connection.

Depending upon the level of stealth required, the connection can be intermittent (e.g., every ten minutes), low level (e.g., TDI), disguised (e.g., formatted as HTTP), or configured in any number of ways to conceal the communication channel. In a friendly environment, you might only wish to avoid personal firewalls, in which case an undisguised TDI connection will suffice. In an unfriendly environment, you may need to put the network interface card (NIC) into promiscuous mode and monitor communications to a fictitious address. The possibilities are endless.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net