
What Is an Internet Covert Channel?


A covert channel is an evasion or attack technique that is used to transfer information in a secretive, unauthorized or illicit manner. A covert channel can be used to extract information from or implant information into an organization. An Internet covert channel is the digital equivalent of a briefcase with a secret compartment that a spy might use to slip sensitive documents past security guards into or out of a secure facility. An attacker can use Internet covert channels to transmit sensitive documents unobserved – in this case, bypassing network security measures rather than bypassing security guards. And just as a spy can use that same secret compartment to conceal a weapon from security guards when entering a secure facility, an attacker can use an Internet covert channel to conceal a cyberweapon, for example, a download of malware from an external server onto a host within an organization’s private network.

Basics of Internet Covert Channels

Internet covert channels can use conventional Internet protocols in unconventional ways. The channel endpoints – an infected computer and the attacker’s command and control computer – must both run evasion or attack software that recognizes and processes these unconventional techniques. Either a user or malware can install this software, or an attacker can install it using a remote administration tool (RAT). Internet covert channels are different from encrypted tunnels. They can and do transfer information in plain text, but they do so unobserved. While they do not require encryption methods or keys, certain covert channels employ encryption or other means to obfuscate data.

Let’s look at two techniques. The first technique involves transmitting information covertly, one character at a time, in the identification field (ID) of the Internet Protocol (IP) header. Popular implementations of this technique multiply the ASCII values of each character by 256 to create 16-bit values for this ID field. To transmit the acronym “ICANN,” the sender would send 5 IP packets, with the ID field encoded as follows:

Packet   Character   ASCII decimal value   IP ID field (multiply by 256)
1        "I"         71                    18176
2        "C"         67                    17152
3        "A"         65                    16640
4        "N"         78                    19968
5        "N"         78                    19968

The receiving computer then decodes the IP ID field by dividing the value by 256. These values are not suspicious, and because IP tolerates duplicate packets, this traffic is likely to evade detection. It’s slow, but stealthy.

A second technique involves creating a covert channel that uses a protocol payload – the information that a protocol transfers between computers. This technique appends data to the ECHO request and response messages of the Internet Control Message Protocol (ICMP). ECHO is commonly used for a service called ping. Because network administrators commonly use ping to test whether a remote host is reachable, ICMP ECHO traffic is likely to bypass security measures such as firewalls.

Figure: layering of an ICMP covert channel, outermost first: MAC header (e.g., Ethernet); Internet Protocol header (protocol control information); ICMP header (ECHO request/reply); ICMP payload (the covertly transmitted data).
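As an added example (not code from the original post), the following Python parses a raw IPv4/ICMP packet down to the ECHO payload shown in the figure and applies a baseline check to it. The packet builder, the 56-byte baseline length and the "mostly printable text" threshold are assumptions made for this example; in practice the baseline should be taken from what the organization's own ping clients actually send.

```python
"""Added example: extract the ECHO payload from a raw IPv4/ICMP packet and
apply a simple baseline check. The builder produces constructed test packets
with valid checksums; the parser itself does not verify checksums."""
import struct

ICMP_PROTO = 1
ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_packet(payload: bytes, ident: int = 0x1234, seq: int = 1,
                      icmp_type: int = ECHO_REQUEST) -> bytes:
    """Constructed IPv4 + ICMP ECHO packet (10.0.0.1 -> 10.0.0.2) for testing."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def icmp_echo_payload(packet: bytes):
    """Return the bytes after the 8-byte ICMP header of an ECHO request/reply,
    or None when the packet is not IPv4 ICMP ECHO."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes (options included)
    if packet[9] != ICMP_PROTO:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in (ECHO_REQUEST, ECHO_REPLY):
        return None
    return icmp[8:]


def classify_echo(packet: bytes, baseline_len: int = 56,
                  max_printable: float = 0.9) -> str:
    """Return 'not-echo', 'normal' or 'suspicious'. baseline_len and
    max_printable are assumptions: tune them to your own ping clients."""
    payload = icmp_echo_payload(packet)
    if payload is None:
        return "not-echo"
    if len(payload) != baseline_len:
        return "suspicious"                # size differs from the usual ping
    printable = (sum(32 <= b < 127 for b in payload) / len(payload)
                 if payload else 0.0)
    return "suspicious" if printable > max_printable else "normal"


if __name__ == "__main__":
    # Constructed samples: a ping-style payload (8 zero bytes + a byte ramp),
    # a same-length payload carrying text, and an oversized payload.
    ping_like = build_echo_packet(bytes(8) + bytes(range(0x10, 0x40)))
    text_chunk = build_echo_packet(b"exfil:" + b"0123456789" * 5)
    oversized = build_echo_packet(b"\x00" * 200)
    for name, pkt in (("ping-like", ping_like), ("text", text_chunk),
                      ("oversized", oversized)):
        print(name, len(icmp_echo_payload(pkt)), classify_echo(pkt))
```

The length check catches the most common misuse (large or variable payloads), and the printable-ratio check catches text carried in a payload of the normal size. Both are coarse: some ping implementations send an all-letters payload by default, so a printable-only rule needs an allow-list of known-good payloads before it is used for alerting.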

If you’re curious to learn more about these techniques, read SANS IDFAQ on Covert Channels and Covert Channels over ICMP [PDF, 740 KB].

Next Up: DNS Covert Channels

The Domain Name System (DNS) protocol has several characteristics that make it attractive for covert channel use. Firewalls allow DNS traffic to pass in both directions. It’s common to overlook or underestimate the risk of the DNS being used as a covert channel, so organizations or Internet service providers don’t always inspect DNS traffic for signs of attacks. Before login or paywall functions can complete, DNS traffic is sometimes passed to the public Internet to resolve domain names, so a DNS covert channel becomes useful for bypassing these access controls.

In our next post, we’ll look at how DNS covert channels can be used to exfiltrate data, bypass paywalls or download malware.
