As stated earlier, communication between a rootkit and its controller is by far the most likely cause of rootkit detection. To minimize the possibility of detection, the Ghost rootkit initiates the remote control connection when the driver is first loaded. This requires the remote controller to listen on a predetermined port and spawn a control thread for each new connection.
Depending upon the level of stealth required, the connection can be intermittent (e.g., every ten minutes), low-level (e.g., the Transport Driver Interface, TDI), disguised (e.g., formatted as HTTP), or configured in any number of ways to conceal the communication channel. In a friendly environment, you might wish only to avoid personal firewalls, in which case an undisguised TDI connection will suffice. In an unfriendly environment, you may need to put the network interface card (NIC) into promiscuous mode and monitor communications to a fictitious address. The possibilities are endless.
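Seen from the defender's side, the intermittent connection described above (e.g., every ten minutes) leaves a timing pattern in network flow logs. The following is an added example, not code from the original text: it flags source/destination pairs whose connection gaps are nearly constant, and the log format, addresses, function names and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow log: timestamp, source, destination, destination port.
SAMPLE_LOG = """\
2024-05-01T09:00:02 10.0.0.15 203.0.113.7 8080
2024-05-01T09:01:10 10.0.0.15 198.51.100.20 443
2024-05-01T09:01:45 10.0.0.15 198.51.100.20 443
2024-05-01T09:05:00 10.0.0.22 192.0.2.50 53
2024-05-01T09:07:30 10.0.0.15 198.51.100.20 443
2024-05-01T09:10:01 10.0.0.15 203.0.113.7 8080
2024-05-01T09:20:04 10.0.0.15 203.0.113.7 8080
2024-05-01T09:30:02 10.0.0.15 203.0.113.7 8080
2024-05-01T09:31:00 10.0.0.15 198.51.100.20 443
2024-05-01T09:33:12 10.0.0.15 198.51.100.20 443
2024-05-01T09:40:03 10.0.0.15 203.0.113.7 8080
2024-05-01T09:41:00 10.0.0.22 192.0.2.50 53
2024-05-01T09:50:01 10.0.0.15 203.0.113.7 8080
2024-05-01T09:58:40 10.0.0.15 198.51.100.20 443
"""

def parse_flows(log):
    # Group connection start times by (source, destination, port).
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, dst, port = parts
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(log, min_events=5, max_jitter=0.1):
    """Return {flow: median gap in seconds} for flows with near-constant gaps."""
    hits = {}
    for flow, times in parse_flows(log).items():
        if len(times) < min_events:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Median absolute deviation: tolerant of a single late or missed check-in.
        mad = median([abs(g - mid) for g in gaps])
        if mid > 0 and mad / mid <= max_jitter:
            hits[flow] = mid
    return hits

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Formatting the traffic as HTTP changes the payload, not the schedule, so interval analysis of this kind still applies to a disguised channel. A channel with randomized intervals needs a wider `max_jitter` and a longer observation window.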