A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. A covert channel can be used to extract information from or implant information into an organization. An Internet covert channel is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility. An attacker can use Internet covert channels to transmit sensitive documents unobserved – in this case, bypassing network security measures rather than security guards. And just as a spy can use that same secret compartment to conceal a weapon from security guards when entering a secure facility, an attacker can use an Internet covert channel to conceal a cyberweapon, for example, a download of malware from an external server onto a host within an organization’s private network.
Basics of Internet Covert Channels
Internet covert channels use conventional Internet protocols in unconventional ways. Both channel endpoints – the infected computer and the attacker’s command and control computer – must run software that recognizes and processes these unconventional encodings. A user or malware can install this software, or an attacker can install it using a remote administration tool (RAT). Internet covert channels differ from encrypted tunnels: they can and do transfer information in plain text; what hides the data is that the traffic goes unobserved. They require no encryption methods or keys, although certain covert channels do employ encryption or other means to obfuscate data.
Let’s look at two techniques. The first technique involves transmitting information covertly, one character at a time, in the identification field (ID) of the Internet Protocol (IP) header. Popular implementations of this technique multiply the ASCII values of each character by 256 to create 16-bit values for this ID field. To transmit the acronym “ICANN,” the sender would send 5 IP packets, with the ID field encoded as follows:
| Packet | ASCII decimal value | IP ID field (multiply by 256) |
| 1 (I) | 73 | 18688 |
| 2 (C) | 67 | 17152 |
| 3 (A) | 65 | 16640 |
| 4 (N) | 78 | 19968 |
| 5 (N) | 78 | 19968 |
The receiving computer then decodes the IP ID field by dividing the value by 256. These values are not suspicious, and because IP tolerates duplicate packets, this traffic is likely to evade detection. It’s slow, but stealthy.
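The IP ID encoding described above, worked through as an added example that is not code from the original post: the sender-side mapping (ASCII value times 256), the receiver-side decoding (divide by 256), and a simple defender-side heuristic that looks for the pattern in a stream of IP ID values. The heuristic and the sample ID sequences are constructed for this example; no packets are sent.

```python
"""
Added example (not from the original post): encode and decode the IP ID covert
channel described in the text, then run a defender-side heuristic over a
constructed list of IP ID values. Nothing here touches the network.
"""
from typing import List


def encode_ip_ids(message: str) -> List[int]:
    """Map each single-byte character to a 16-bit IP ID value (ASCII * 256)."""
    ids = []
    for ch in message:
        code = ord(ch)
        if code > 0xFF:
            raise ValueError("only single-byte characters fit this scheme")
        ids.append(code * 256)  # code <= 255, so the product always fits in 16 bits
    return ids


def decode_ip_ids(ip_ids: List[int]) -> str:
    """Receiver's step: divide each IP ID by 256 to recover the character."""
    return "".join(chr(i // 256) for i in ip_ids)


def flag_suspicious_ip_ids(ip_ids: List[int], min_run: int = 4) -> bool:
    """
    Defender heuristic (an assumption of this example, not a standard rule).
    Genuine IP IDs are usually a counter or random, so the chance that any one
    ID is an exact multiple of 256 whose quotient is printable ASCII is roughly
    95/65536. A run of `min_run` such IDs in a row is therefore worth a look.
    """
    run = 0
    for i in ip_ids:
        hi, lo = divmod(i, 256)
        if lo == 0 and 0x20 <= hi <= 0x7E:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 0
    return False


if __name__ == "__main__":
    ids = encode_ip_ids("ICANN")
    print(ids)                      # [18688, 17152, 16640, 19968, 19968]
    print(decode_ip_ids(ids))       # ICANN
    # Constructed "normal" IDs: a sequential counter, as many IP stacks emit.
    normal = list(range(5001, 5011))
    print(flag_suspicious_ip_ids(normal), flag_suspicious_ip_ids(ids))  # False True
```

The heuristic only catches this particular encoding; a sender that adds noise to the low byte or uses a different multiplier would slip past it, which is why IP ID anomaly detection in practice compares observed IDs against the behaviour expected from each host's stack rather than looking for one fixed pattern.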
A second technique involves creating a covert channel that uses a protocol payload – the information that a protocol transfers between computers. This technique appends data to the ECHO request and response messages of the Internet Control Message Protocol (ICMP). ECHO is commonly used for a service called ping. Because network administrators commonly use ping to test whether a remote host is reachable, ICMP ECHO traffic is likely to bypass security measures such as firewalls.
[Figure: ICMP ECHO packet layout: Internet Protocol Header | ICMP header (Protocol Control Information) | ICMP payload (Covertly transmitted data)]
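To make the ICMP ECHO technique above concrete from the monitoring side, here is an added example (not code from the original post) that builds an ECHO request in pure Python so there is something to inspect, parses it the way a packet monitor would, verifies the RFC 1071 checksum, and flags payloads that do not resemble an ordinary ping. The "normal ping" byte pattern, the length threshold and the printable-text ratio are assumptions of this example; all packet bytes are constructed inline and nothing is sent.

```python
"""
Added example (not from the original post): construct, parse and inspect ICMP
ECHO messages offline. The PING_PATTERN and the thresholds in
payload_looks_covert() are assumptions made for this example.
"""
import struct

# Assumption: a typical ping payload is an 8-byte timestamp followed by the
# incrementing byte pattern 0x10..0x3F (56 bytes in total).
PING_PATTERN = bytes(range(0x10, 0x40))
NORMAL_PAYLOAD = b"\x00" * 8 + PING_PATTERN   # constructed sample


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 (ECHO request), code 0; checksum covers header and payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ECHO request/reply into header fields and payload, checking the checksum."""
    if len(packet) < 8:
        raise ValueError("too short for an ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (0, 8):
        raise ValueError("not an ECHO message")
    # Summing the received bytes, checksum field included, yields 0 when intact.
    ok = icmp_checksum(packet) == 0
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq,
            "checksum_ok": ok, "payload": packet[8:]}


def payload_looks_covert(payload: bytes, max_normal_len: int = 64) -> bool:
    """
    Defender heuristic (an assumption of this example): ordinary ping payloads
    are short and carry a fixed filler pattern. A payload that is longer than
    max_normal_len, or that lacks the filler and is almost entirely printable
    text, is flagged for closer inspection.
    """
    if len(payload) > max_normal_len:
        return True
    if len(payload) == 0 or PING_PATTERN in payload:
        return False
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E)
    return printable / len(payload) > 0.9


if __name__ == "__main__":
    normal = parse_echo(build_echo_request(0x1234, 1, NORMAL_PAYLOAD))
    print(normal["checksum_ok"], payload_looks_covert(normal["payload"]))   # True False
    # Constructed covert message riding in the ECHO payload.
    covert = parse_echo(build_echo_request(0x1234, 2, b"Q3 board minutes, confidential"))
    print(covert["checksum_ok"], payload_looks_covert(covert["payload"]))   # True True
```

A real monitor would also track the volume and timing of ECHO traffic per host pair, since a covert channel that mimics the filler pattern exactly still stands out when it sends far more pings, or far larger ones, than an administrator's reachability test ever would.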
Next Up: DNS Covert Channels
The Domain Name System (DNS) protocol has several characteristics that make it attractive for covert channel use. Firewalls allow DNS traffic to pass in both directions. It’s common to overlook or underestimate the risk of the DNS being used as a covert channel, so organizations and Internet service providers don’t always inspect DNS traffic for signs of attacks. Networks that require a login or payment before granting access sometimes still forward DNS queries to the public Internet so that domain names can be resolved, which makes a DNS covert channel useful for bypassing these access controls.
In our next post, we’ll look at how DNS covert channels can be used to exfiltrate data, bypass paywalls or download malware.