Loki - Internet Security Systems

Loki

advICE : Intrusions : 2000112
Summary

Suspicious activity indicative of a backdoor/rootkit was seen.

Details

Loki is a covert-channel client/server program published in the online publication Phrack. It is a working proof-of-concept demonstrating that data can be transmitted somewhat surreptitiously across a network by hiding it in traffic that normally carries no payload. The example code can tunnel the equivalent of a Unix RCMD/RSH session in either ICMP echo request (ping) packets or UDP traffic to the DNS port. It is used as a back door into a Unix system after root access has been compromised; the presence of Loki on a system is therefore evidence that the system has been compromised in the past.

Defense

ICMP should be strongly filtered at network borders. Unfortunately, Loki can also use ICMP ECHO REPLY packets, so a filter that allows outbound pings but blocks only inbound ping requests (and therefore admits the replies) still lets Loki communicate.

If you suspect that the system has been compromised, the "netstat" command can be used to check whether any "raw" sockets are open, since the Loki server reads ICMP directly from a raw socket rather than listening on a TCP or UDP port.

Spoofing

An initial spoofed packet is sometimes used to initiate the connection.

Trigger

This is a state-based signature that tracks an ICMP connection over time; it is not triggered by a single packet.

More information
Phrack: pck:p49-6   Loki - description of the program
Phrack: pck:p51-6   Loki2 - full source code for the program
X-Force: 1452   loki

Configuration for this item
icmp.maxcnt = 100   This intrusion detection is triggered if the number of ICMP frames per second (excluding ECHO frames) exceeds this count.
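The following is an added example, not code from ISS or from the Loki sources, showing the two defender-side checks this page describes applied to a constructed packet trace: the icmp.maxcnt rate trigger (non-ECHO ICMP frames per second above a threshold) and an inspection of ECHO payloads for data that does not look like a stock ping. The "consecutive byte values after a leading timestamp" baseline for ping payloads, the sample addresses 10.0.0.1/10.0.0.2 and all sample frames are assumptions constructed for the demonstration; tune the baseline to the ping implementation actually used on your network.

```python
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_TYPES = {ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST}


def parse_icmp(packet: bytes):
    """Return (icmp_type, code, payload) for an IPv4/ICMP frame, or None
    if the frame is not ICMP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # IP protocol 1 = ICMP
        return None
    icmp_type, code = struct.unpack("!BB", packet[ihl:ihl + 2])
    return icmp_type, code, packet[ihl + 8:]          # 8-byte ICMP header


def looks_like_ping_payload(payload: bytes) -> bool:
    """Heuristic baseline (assumption, adjust to your own ping): after a
    leading timestamp, a stock ping fills the payload with consecutive
    byte values (0x10, 0x11, ...). Skipping 16 bytes copes with both the
    8-byte and 16-byte timestamp variants."""
    body = payload[16:]
    if len(body) < 8:
        return False
    return all((b - body[0] - i) % 256 == 0 for i, b in enumerate(body))


def rate_trigger(frames, maxcnt=100):
    """The page's trigger: return the one-second buckets in which the
    number of non-ECHO ICMP frames exceeds icmp.maxcnt.
    frames is a list of (timestamp_seconds, icmp_type)."""
    per_second = Counter(int(ts) for ts, t in frames if t not in ICMP_ECHO_TYPES)
    return sorted(sec for sec, n in per_second.items() if n > maxcnt)


def suspicious_echo_payloads(packets):
    """Return indices of ECHO packets whose payload deviates from the
    ping baseline, i.e. candidates for carrying tunnelled data."""
    hits = []
    for i, pkt in enumerate(packets):
        parsed = parse_icmp(pkt)
        if parsed and parsed[0] in ICMP_ECHO_TYPES and not looks_like_ping_payload(parsed[2]):
            hits.append(i)
    return hits


def build_icmp(icmp_type, payload):
    """Construct a minimal IPv4/ICMP frame for the sample data (checksums
    left zero; 10.0.0.1 -> 10.0.0.2 are made-up addresses)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                         64, 1, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    icmp_hdr = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1)   # type, code, csum, id, seq
    return ip_hdr + icmp_hdr + payload


# Constructed sample: one stock-looking ping (8-byte timestamp + pattern),
# one echo reply carrying text where the pattern should be, and a burst of
# 150 destination-unreachable (type 3) frames inside a single second.
STOCK_PING = build_icmp(ICMP_ECHO_REQUEST, bytes(8) + bytes(range(0x10, 0x40)))
TUNNELLED = build_icmp(ICMP_ECHO_REPLY, bytes(16) + b"<tunnelled data>".ljust(40, b"\x00"))
SAMPLE_PACKETS = [STOCK_PING, TUNNELLED]
SAMPLE_FRAMES = [(1000.0 + i * 0.005, 3) for i in range(150)] + [(1001.2, ICMP_ECHO_REQUEST)]

if __name__ == "__main__":
    print("echo packets with odd payloads:", suspicious_echo_payloads(SAMPLE_PACKETS))
    print("seconds exceeding icmp.maxcnt:", rate_trigger(SAMPLE_FRAMES))
```

The rate check reproduces the signature's configured behaviour and so inherits its blind spot: a Loki session carried in ECHO packets is excluded from the count, which is why the payload check is run alongside it.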

Version appeared: 3.0 
