<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><HTML DIR=ltr><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1"></HEAD><BODY><DIV><FONT face=Arial color=#000000 size=2>Sometime ago I
thought of the following idea for a covert channel. Although the idea of covert
channels is *not* new at all, I couldn't find anything in Google related to the
following method of implementing a covert channel.</FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>The scenario is the following. The
victim is a host with a host-level firewall which is blocking *all* incoming
traffic. Somehow the attacker still needs to communicate with a backdoor planted
in this host. Use a reverse shell and job done, you might say.<BR></FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2>Actually, there is another way which
I thought would be more creative (IMHO). </FONT></DIV>
<DIV><FONT face=Arial color=#000000 size=2></FONT> </DIV>
<DIV><FONT face=Arial color=#000000 size=2>It works like this: the backdoor
enables logging in the host-level firewall for all dropped packets, say Windows
XP SP2 Firewall. Then the backdoor receives commands from the attacker by
interpreting the properties of the dropped packets which were logged by the
firewall. In other words, the backdoor is constantly reading the logs and
parsing commands which were sent by the attacker embedded in packets which are
being dropped (but logged) by the firewall.</FONT></DIV><FONT face=Arial
color=#000000 size=2>
<DIV><BR>attacker sends packets -> packets are dropped by firewall ->
packets properties are captured in logs -> backdoor reads logs and
finds encoded commands -> commands are executed </DIV>
<DIV><BR>Now, for the way the backdoor would reply back to the victim is really
up to you. One method that comes to my mind is by posting the responses to a PHP
script which is located in some free-hosting webpage. The attacker would then
access this webpage.</DIV>
<DIV> </DIV>
<DIV>Please, if you know anything related to backdoors intercepting commands
from log files send me some links. Ideas, comments and flames are more than
welcome :-) .</DIV>
<DIV><BR>Regards,</DIV>
<DIV>pagvac (Adrian Pastor)<BR>Earth, SOLAR SYSTEM</DIV>
<DIV><A href="http://www.adrianpv.com">www.adrianpv.com</A><BR><A
href="http://www.ikwt.com">www.ikwt.com</A> (In Knowledge We
Trust)</FONT></DIV></BODY></HTML>