
When studying the behavior of trojans and Remote Access Trojans (RATs), this question came up.

Can an attacker create a trojan that tricks the OS or the NIC into hiding a remote connection to a computer, so that tools like Wireshark or Process Hacker, which can show active, listening and established connections, would not be able to see the remote connection, and the attacker could make something like an invisible backdoor?

I know one way of accomplishing "invisibility" would be to encrypt a connection with IPsec, so the whole packet (payload + header) would "hide" its identity, even though a router would still know where it came from. I would like to know whether it is possible to make an established connection "invisible" to Wireshark analysis.

1 Answer


If the attacker has compromised the machine on which you are running the analyzer, then anything can be hidden from the analyzer.

If the analyzer is running on a separate computer acting as a router on the path between the compromised machine and the remote machine, then the traffic cannot be hidden from the analyzer. The communication can make use of techniques such as covert channels or steganography to make it difficult for you to see what is happening.

kasperd
  • Thank you for the answer! So a connection can never be truly "invisible" if an analyzer is in place, but it can be made difficult to analyze if evasion techniques such as covert channels and steganography are in place. – Jan 21 '16 at 15:48
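As an added example (not from the answer or its author), the following cross-view check turns kasperd's point into a detection: a compromised host can falsify its own socket table, but an out-of-band capture on the path cannot be fooled the same way, so any flow seen on the wire that the host does not report is a candidate hidden connection. The `/proc/net/tcp` rows and the gateway flow list below are constructed sample data.

```python
import socket
import struct

# Constructed sample of Linux /proc/net/tcp output, as the (possibly compromised)
# host reports it. Addresses are hex: little-endian IP followed by big-endian port.
HOST_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1
   1: 0F02000A:BE12 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
"""

# Constructed sample of flows seen by an out-of-band capture on the gateway
# ("src_ip:src_port -> dst_ip:dst_port"). One flow is absent from the host table.
WIRE_FLOWS = """\
10.0.2.15:48658 -> 93.184.216.34:443
10.0.2.15:51522 -> 203.0.113.7:4444
"""

def _decode_addr(hexaddr):
    """'0F02000A:BE12' -> ('10.0.2.15', 48658)."""
    hexip, hexport = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hexip, 16)))  # little-endian on x86
    return ip, int(hexport, 16)

def parse_proc_net_tcp(text):
    """Established sockets as (local_ip, local_port, remote_ip, remote_port)."""
    flows = set()
    for line in text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "01":  # st 01 = TCP_ESTABLISHED
            continue
        flows.add(_decode_addr(fields[1]) + _decode_addr(fields[2]))
    return flows

def parse_wire_flows(text):
    """Capture-side flows in the same 4-tuple form as the host view."""
    flows = set()
    for line in filter(str.strip, text.splitlines()):
        src, dst = (p.strip().rsplit(":", 1) for p in line.split("->"))
        flows.add((src[0], int(src[1]), dst[0], int(dst[1])))
    return flows

def hidden_flows(host_view, wire_view):
    """Flows the network saw but the host did not report: candidates for a hidden connection."""
    return wire_view - host_view

if __name__ == "__main__":  # stand-alone run: print the suspicious flows
    print(hidden_flows(parse_proc_net_tcp(HOST_PROC_NET_TCP), parse_wire_flows(WIRE_FLOWS)))
```

Both views must be collected at nearly the same moment, since short-lived connections that closed between the two snapshots will otherwise show up as false positives.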