
What Is an Internet Covert Channel?

29 August 2016

Dave Piscitello


A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. A covert channel can be used to extract information from or implant information into an organization. An Internet covert channel is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility. An attacker can use Internet covert channels to transmit sensitive documents unobserved – in this case, bypassing network security measures rather than bypassing security guards. And just as a spy can use that same secret compartment to conceal a weapon from security guards when entering a secure facility, an attacker can use an Internet covert channel to conceal a cyberweapon, for example, a download of malware from an external server onto a host within an organization’s private network.

Basics of Internet Covert Channels

Internet covert channels can use conventional Internet protocols in unconventional ways. The channel endpoints – an infected computer and the attacker’s command and control computer – must both run evasion or attack software that recognizes and processes these unconventional techniques. Either a user or malware can install this software, or an attacker can install it using a remote administration tool (RAT). Internet covert channels are different from encrypted tunnels. They can and do transfer information in plain text; what makes them covert is that they go unobserved. While they do not require encryption methods or keys, certain covert channels employ encryption or other means to obfuscate data.

Let’s look at two techniques. The first technique involves transmitting information covertly, one character at a time, in the identification field (ID) of the Internet Protocol (IP) header. Popular implementations of this technique multiply the ASCII values of each character by 256 to create 16-bit values for this ID field. To transmit the acronym “ICANN,” the sender would send 5 IP packets, with the ID field encoded as follows:

Packet   ASCII decimal value   IP ID field (multiply by 256)
1        71 (“I”)              18176
2        67 (“C”)              17152
3        65 (“A”)              16640
4        78 (“N”)              19968
5        78 (“N”)              19968

The receiving computer then decodes the IP ID field by dividing the value by 256. These values are not suspicious, and because IP tolerates duplicate packets, this traffic is likely to evade detection. It’s slow, but stealthy.

A second technique involves creating a covert channel that uses a protocol payload – the information that a protocol transfers between computers. This technique appends data to the ECHO request and response messages of the Internet Control Message Protocol (ICMP). ECHO is commonly used for a service called ping. Because network administrators commonly use ping to test whether a remote host is reachable, ICMP ECHO traffic is likely to bypass security measures such as firewalls.

Figure: layout of a packet carrying the ICMP covert channel, outermost to innermost: MAC header (e.g., Ethernet); Internet Protocol header (protocol control information); ICMP header (ECHO Request/Reply); ICMP payload (covertly transmitted data).
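An added example (not from the original post or any tool it references) of how a sensor can look inside ICMP ECHO messages rather than waving them through: it builds and parses Echo messages with a valid checksum, compares the payload against what ordinary ping tools send, and reports byte entropy. The benign payload patterns are assumptions about common ping implementations (a Linux-style timestamp followed by counting bytes, and the Windows alphabet pattern); every packet is constructed inside the block.

```python
# Added example (not from the original post): build, parse and inspect ICMP
# ECHO messages so that a payload carrying covert data can be told apart
# from an ordinary ping. All packets here are constructed in this file.
import math
import struct
from typing import Any, Dict

# Assumption about what ordinary ping tools send: Linux/BSD ping places a
# timestamp (8 or 16 bytes) first and then fills data byte i with the
# value i; Windows ping sends the alphabet pattern below. Other tools
# exist, so treat these as the known-benign set for this example.
WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwxyzabcdefghi"
ECHO_REQUEST, ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, icmp_type: int = ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct an ICMP Echo Request/Reply with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> Dict[str, Any]:
    """Split an ICMP message into header fields and payload, rejecting
    short or corrupted messages (the checksum over a valid message is 0)."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY):
        raise ValueError("not an ECHO message")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; text and the ping pattern score lower
    than compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def classify_payload(payload: bytes) -> str:
    """Return 'pattern-ping', 'windows-ping' or 'suspicious'."""
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if tail and all(b == (i & 0xFF) for i, b in enumerate(tail, start=ts_len)):
            return "pattern-ping"
    if payload == WINDOWS_PATTERN:
        return "windows-ping"
    return "suspicious"


def inspect_echo(packet: bytes) -> Dict[str, Any]:
    """Parse a packet and report the payload verdict and entropy, the two
    signals a sensor would log for ECHO traffic."""
    fields = parse_echo(packet)
    payload = fields["payload"]
    return {"seq": fields["seq"], "length": len(payload),
            "verdict": classify_payload(payload),
            "entropy": round(shannon_entropy(payload), 2)}


# Constructed packets: an ordinary Linux-style ping (16-byte timestamp
# plus counting bytes) and a request whose payload carries text instead.
NORMAL_PING = build_echo(struct.pack("!QQ", 1472515200, 123456) + bytes(range(16, 56)))
COVERT_PING = build_echo(b"secret document contents chunk 01", seq=7)

if __name__ == "__main__":
    for pkt in (NORMAL_PING, COVERT_PING):
        print(inspect_echo(pkt))
```

The verdict is deliberately conservative: anything that is not a recognised ping pattern is marked suspicious and left for a second check such as payload size, entropy, or the volume of ECHO traffic between one pair of hosts, since legitimate tools do send unusual payloads.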

If you’re curious to learn more about these techniques, read SANS IDFAQ on Covert Channels and Covert Channels over ICMP [PDF, 740 KB].

Next Up: DNS Covert Channels

The Domain Name System (DNS) protocol has several characteristics that make it attractive for covert channel use. Firewalls allow DNS traffic to pass in both directions. It’s common to overlook or underestimate the risk of the DNS being used as a covert channel, so organizations or Internet service providers don’t always inspect DNS traffic for signs of attacks. Before login or paywall functions can complete, DNS traffic is sometimes passed to the public Internet to resolve domain names, so a DNS covert channel becomes useful for bypassing these access controls.

In our next post, we’ll look at how DNS covert channels can be used to exfiltrate data, bypass paywalls or download malware.
