Many rootkits set up a communication channel and then listen for commands sent to a specific port, or monitor all network traffic looking for special patterns from a controller. The benefit of these designs is stealth, because just listening is difficult to detect. Unfortunately, this design can be defeated at the corporate firewall by disallowing incoming connections. The rootkit developed in this chapter will bypass this problem by initiating the controller connection during initialization.
Only a few years ago, an outgoing connection initiated during the boot process would have raised suspicions. Even now, an outgoing connection using anything other HTTP-formatted packets from port 80 or 443 can raise suspicions, but today’s software has become very reliant upon the Internet, and checking for updates over the Internet has become so common that outgoing HTTP and HTTPS connections initiated during the boot process shouldn’t raise unwanted suspicion.