[Dshield] Communication when emails are being watched

Kenneth Coney superc at visuallink.com
Fri Dec 26 17:24:29 GMT 2003

If I am understanding my readings yesterday (Phrack 49, 51, et al) the Loki
and Loki2 would obviously be suitable as a covert communications method,
however those routines seem to be limited to Linux and Solaris.  Is there
something equivalent for Windows systems (perhaps one of the ACK-only
routines)?  Hypothetically a virus employing traits of Welchia would be a
perfect delivery method, i.e., generate infecting pings to random IP
blocks, port 135 or 445 until new instructions are received.  Once the
first pings are detected by the virus creator, new ping instructions could
be sent to the infected IP address.  Thereafter, the infected IP could
spend its time 20/80 between transmitting the Loki2 message to random
blocks, or replicating, while awaiting a new message instruction.  Fairly
safe for both sender and receiver as messages would be widely broadcast
worldwide with no hint as to who the actual intended recipient is.
Likewise there would be no requirement to always use the same IP address
for any new messages, as any infected IP address whatsoever could receive
new instructions and send new messages.  A counter block would probably be
somewhere in the packet so a recipient could tell an old message from a new
one.  Most of us would just see port 135 or 445 pings in our patched
firewall logs (about 20 here in the past hour) and ignore them.  Blowfish
(or similar) would offer pretty fair security even if a packet was examined.
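The post's point is that the covert traffic hides among ordinary ping noise that most firewall logs count and discard. Loki-style tunnels (as documented in the Phrack articles the post cites) carry their data in the payload of ICMP echo packets, so the defensive counterpart is to look at what is inside that payload rather than only tallying pings. The following is an added example, not code from the original post or from DShield: a small Python classifier that parses raw IPv4/ICMP echo packets, recognises the default payload patterns that stock ping tools send, and flags payloads that are readable text or high-entropy (ciphertext-like) data, then counts such payloads per source. The default-payload patterns are my assumptions about common ping tools, the thresholds are arbitrary starting points, and the sample packets are constructed inline, not captured traffic.

```python
import math
import struct
from collections import Counter, namedtuple
from typing import Optional

# Default echo payloads that common ping tools emit. These are my assumptions about
# typical defaults, not values from the original post: Windows ping sends the 32-byte
# string below; Linux iputils sends an 8-byte timestamp then an ascending byte run from 0x10.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_TAIL = bytes(range(0x10, 0x40))

EchoPacket = namedtuple("EchoPacket", "src dst icmp_type ident seq payload")

def parse_ipv4_icmp_echo(raw: bytes) -> Optional[EchoPacket]:
    """Parse an IPv4 datagram; return its ICMP echo/echo-reply, or None for anything else."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 1 or total_len > len(raw):        # IP protocol 1 is ICMP
        return None
    icmp = raw[ihl:total_len]                      # total_len drops link-layer padding
    if len(icmp) < 8:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (0, 8):                    # 8 = echo request, 0 = echo reply
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    return EchoPacket(src, dst, icmp_type, ident, seq, icmp[8:])

def normalized_entropy(data: bytes) -> float:
    """Shannon entropy of the bytes scaled to [0, 1] by the maximum possible at this length."""
    if len(data) < 2:
        return 0.0
    n = len(data)
    h = -sum(c / n * math.log2(c / n) for c in Counter(data).values())
    return h / math.log2(min(256, n))

def is_default_ping_payload(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) > 8 and payload[8:] == LINUX_PING_TAIL[: len(payload) - 8]

def classify_payload(payload: bytes, entropy_threshold: float = 0.85) -> str:
    """Label an echo payload: 'empty', 'default-ping', 'cleartext', 'high-entropy' or 'other'."""
    if not payload:
        return "empty"
    if is_default_ping_payload(payload):
        return "default-ping"
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in b"\r\n\t")
    if printable / len(payload) >= 0.9:
        return "cleartext"        # readable text riding in a ping is not a normal ping
    if normalized_entropy(payload) >= entropy_threshold:
        return "high-entropy"     # looks like ciphertext or compressed data
    return "other"

def scan(raw_packets) -> list:
    """(src, dst, verdict) for every ICMP echo in the capture; non-echo packets are skipped."""
    out = []
    for raw in raw_packets:
        pkt = parse_ipv4_icmp_echo(raw)
        if pkt is not None:
            out.append((pkt.src, pkt.dst, classify_payload(pkt.payload)))
    return out

def suspicious_sources(results) -> Counter:
    """Per-source count of echo payloads that are neither empty nor a tool default."""
    return Counter(src for src, _dst, v in results if v not in ("empty", "default-ping"))

# ---- constructed sample traffic (not a real capture) ---------------------------------
def build_echo(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """IPv4 + ICMP echo request; both checksums are left zero since the parser ignores them."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, 64, 1, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + icmp

SAMPLE_PACKETS = [
    build_echo("10.0.0.5", "10.0.0.1", 1, 1, struct.pack("!II", 1072459469, 0) + LINUX_PING_TAIL),
    build_echo("10.0.0.7", "10.0.0.1", 2, 1, WINDOWS_PING_PAYLOAD),
    build_echo("198.51.100.9", "10.0.0.1", 3, 1, b"meet at dawn, counter=17"),
    # pseudo-random stand-in for an encrypted message: 64 distinct byte values
    build_echo("198.51.100.9", "10.0.0.1", 3, 2, bytes((i * 73 + 41) % 256 for i in range(64))),
]

if __name__ == "__main__":
    results = scan(SAMPLE_PACKETS)
    for src, dst, verdict in results:
        print(f"{src:>14} -> {dst:<10} {verdict}")
    print("sources sending non-default echo payloads:", dict(suspicious_sources(results)))
```

Run against the constructed samples, the two stock pings come back as default-ping, the readable message as cleartext and the pseudo-random payload as high-entropy, so the one source sending non-default payloads stands out with a count of 2. The cheap checks here are payload shape and entropy; a production sensor would also track per-source volume and echo sizes over time, since a tunnel that pads its messages to look like a stock ping defeats the pattern match alone.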

