Today's lesson is 'Why it's good that RavenBlack is not a naughty hax0r'. The lesson begins with rootkits. The thing about rootkits is that they must make it difficult to tell that they are present. A common way to do this is by having the kit reside in the kernel, thus hiding it from any of the command-line processes. However, such a kit can still often be detected by an external port scan. Also, when connecting to the machine, Mr Hax0r could never be sure that he is not being monitored, perhaps by an external transparent firewall. Two solutions to this quandary spring to mind, for me. One is to have the rootkit triggered by an ICMP packet of a particular size (and perhaps content). The other would be to have a DNS response packet be the trigger, which is doubly sneaky because the DNS response needn't come from Mr Hax0r - his triggering action would be to fake a DNS request from the victim's port X, asking about an owned IP. The triggering packet, then, would not come from the Hax0r, but rather from a perfectly legitimate DNS server. Such a packet would even get through many firewalls unnoticed.