• DocumentCode
    3751095
  • Title
    Covert remote syscall communication at kernel level: A SPOOKY backdoor
  • Author
    Florian Kerber;Dominik Teubert;Ulrike Meyer
  • Author_Institution
    RWTH Aachen University Research Group IT Security Mies-van-der-Rohe Str. 15, 52074 Aachen, Germany
  • fYear
    2015
  • Firstpage
    74
  • Lastpage
    81
  • Abstract
    Malware today often uses very sophisticated methods to avoid being detected on the victim machine itself. However, hiding the actual communication between an attacker and his malware is often neglected by malware authors. As a consequence, intermediate hosts inspecting the incoming and outgoing traffic of the victim host may be able to detect the infection. In this paper, we describe a proof-of-concept server backdoor which hides the infiltration and exfiltration of data in the incoming and outgoing benign traffic of the victim server. Using a low-traffic system call proxy, our backdoor allows the remote execution of arbitrary programs on the victim server without being detectable by network intrusion detection systems. We implement our proof-of-concept backdoor using the HTTP protocol's Cookie header and evaluate it against the SNORT network intrusion detection system. In addition, we show how to use other widespread services such as SSH, IPsec, and OpenVPN to conceal the attacker's communication and briefly discuss countermeasures.
  • Keywords
    "Servers","Kernel","Malware","Intrusion detection","Protocols","Ports (Computers)"
  • Publisher
    ieee
  • Conference_Titel
    Malicious and Unwanted Software (MALWARE), 2015 10th International Conference on
  • Print_ISBN
    978-1-5090-0317-4
  • Type
    conf
  • DOI
    10.1109/MALWARE.2015.7413687
  • Filename
    7413687