Detection of an Imperceptible HTTP-Based Covert Channel
摘要
Rootkits are commonly employed by attackers to gain control over compromised computers. Once deployed, these rootkits necessitate communication with the attacker to receive commands and transmit execution results. Recognizing and obstructing this communication is a crucial strategy employed by organizations to counteract rootkits. Consequently, attackers must establish a covert communication channel with the rootkit that is both reliable and impervious to detection. This paper unveils a rootkit implementation featuring an imperceptible covert channel based on HTTP. The implemented covert channel underwent comprehensive testing and evaluation using state-of-the-art intrusion detection tools. The results indicate that, despite its minimal complexity, the covert channel remains elusive to conventional intrusion detection systems. Additionally, we introduce a detection mechanism for this covert channel, addressing this security vulnerability and advocating for its seamless integration into existing security frameworks.