Legitimate Sites as Covert Channels:
An Extension to the Concept of Reverse HTTP Tunnels

Summary: legitimate sites that allow anonymous posting can be used to covertly send commands to systems behind firewalls.
By Errno Jones (errno :dot: jones :at: pure secure :dot: net)
STATEMENTS, ASSUMPTIONS, REQUESTS
1. Due to the lack of time, this is a summary.
2. Perhaps a proof-of-concept will follow.
3. If proof-of-concept has been implemented, please share.
4. Familiarity with reverse HTTP tunnels is assumed.
THE CROWD
The crowd is a safe harbor. It is very easy to hide something when the
environment that is used for the covert maneuver contains many other
objects of similar design.
There are countless sites that let anonymous users post messages, write
in guest books, and so on. These sites are the crowds.
THE COVERT CHANNEL
Any site that lets visitors post messages anonymously and publishes them
immediately, or without verification, can be used to carry data to and
from a reverse HTTP tunnel. Rather than connecting and tunneling data to
a specified site directly, implement a posting mechanism that hides the
communication.
THE APPLICATIONS
Assume there exist two message boards, A and B, that allow anonymous
postings. Assume there exist two programs, C (client) and S (server):
C posts to board A and reads from board B; S posts to board B and reads
from board A.
C contains unique identifiers X and Y, and runs on network E (external).
S contains unique identifiers X and Y, and runs on network I (internal).
C posts a message, containing an encoded shell command, on board A with
unique identifier X. Intermittently, C also checks board B for unique
identifier Y, and if found, reads the message, decodes the contents,
and displays the output.
S intermittently checks board A for unique identifier X, and if found,
reads the message, decodes the contents, and runs the shell command.
Then, S posts a message, containing the encoded output, to board B
with unique identifier Y.
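The polling loop just described (S checking board A, C checking board B at intervals) is the part of this scheme a defender can see: an internal host fetching the same forum page over and over at a regular beat, which ordinary browsing does not produce. The Python below is an added example, not code from the original post. It groups proxy-log requests by client and URL and flags pairs whose inter-request intervals have a low coefficient of variation. The log format, addresses, hostnames, URLs and thresholds are all constructed for illustration.

```python
"""Flag periodic polling of a single page in HTTP proxy logs.

Added example, not part of the original post.  Requests are grouped by
(client, URL); for each group with enough requests the coefficient of
variation (stdev / mean) of the gaps between requests is computed.  A
fixed-sleep polling loop yields a cv near zero, human browsing a large one.
"""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log: ISO timestamp, client IP, method, URL.
# 10.0.0.5 fetches the same guestbook page every ~5 minutes; 10.0.0.9 reads
# a news site at irregular times.
SAMPLE_LOG = """\
2024-01-15T09:00:00 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:00:07 10.0.0.5 GET http://cdn.example/style.css
2024-01-15T09:05:01 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:10:00 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:11:42 10.0.0.9 GET http://news.example/
2024-01-15T09:15:02 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:20:00 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:25:01 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:30:00 10.0.0.5 GET http://board-a.example/guestbook.php
2024-01-15T09:03:10 10.0.0.9 GET http://news.example/
2024-01-15T09:31:55 10.0.0.9 GET http://news.example/
2024-01-15T09:40:12 10.0.0.9 GET http://news.example/
2024-01-15T10:35:00 10.0.0.9 GET http://news.example/
"""


def parse_log(log_text):
    """Return {(client, url): [datetime, ...]} for the constructed format."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        seen[(client, url)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(log_text, min_requests=5, max_cv=0.10):
    """Return [(client, url, mean_gap_seconds, cv)] for regular pollers.

    min_requests and max_cv are assumed thresholds; tune them against the
    proxy's own baseline before relying on the output.
    """
    flagged = []
    for (client, url), times in parse_log(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged.append((client, url, mean, cv))
    return sorted(flagged, key=lambda row: row[3])


if __name__ == "__main__":
    for client, url, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} polls {url} every ~{mean:.0f}s (cv={cv:.3f})")
```

Run as-is it reports only 10.0.0.5 against the guestbook page (mean gap 300 s, cv about 0.005). The cv threshold is the weak point of this heuristic: a poller that randomises its sleep will spread its gaps, so in practice this signal is combined with others, such as a single page fetched repeatedly without the stylesheets and images a browser would load alongside it.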
THE DATA
The data must be hidden. One possibility, for C, is to collect large
amounts of spam messages and use the case of the letters as bit
patterns, or to introduce misspellings at known intervals, to encode
the data. The subject of the message can contain a unique bit pattern
or misspelling that serves as X. For S, the large amount of text that
is needed can be obtained from man pages, the strings of programs,
etc., and modified as for C.
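Encoding bits in letter case leaves a statistical fingerprint on the published text, which is what a board operator or a proxy can look for. The Python below is an added example, not code from the original post, and it serves two of the passages above: it can run as a pre-publication check on a board that would otherwise publish anonymous posts without verification (THE COVERT CHANNEL), or as a scan over content that is already published (THE DATA). It scores a message on two statistics, the share of words with intra-word case flips and the share of Capitalized words that do not start a sentence. The sample messages, thresholds and allowlist are constructed assumptions.

```python
"""Score anonymous posts for letter-case patterns that look like a bit channel.

Added example, not part of the original post.  Two statistics per message:
  irregular_ratio    words whose case pattern is none of lowercase, UPPERCASE
                     or Capitalized (e.g. "thAnks"), which case-as-bits
                     encoding produces in bulk;
  midsentence_caps   Capitalized words that do not begin a sentence, which
                     word-initial-case encoding produces.
"""
import re

# Words and sentence-ending punctuation; everything else is ignored.
TOKEN_RE = re.compile(r"[A-Za-z]+|[.!?]")

# Constructed samples: ordinary spam-like text, the same text with
# intra-word case flips, and the same text in title case.
NORMAL_MESSAGE = "Great site, thanks for sharing! Visit my page for the BEST deals on NEW laptops."
SUSPICIOUS_MESSAGE = "gReat siTe, thAnks fOr shaRing! vIsit mY paGe fOr the BEst deaLs oN nEw laPtops."
TITLECASE_MESSAGE = "Great Site, Thanks For Sharing! Visit My Page For The Best Deals On New Laptops."


def case_pattern_is_regular(word):
    """True for lowercase, UPPERCASE or Capitalized words."""
    return word.islower() or word.isupper() or (word[0].isupper() and word[1:].islower())


def case_statistics(text, allowlist=frozenset()):
    """Return (irregular_ratio, midsentence_cap_ratio) for one message.

    allowlist holds lowercase forms of legitimately mixed-case words (brand
    names and the like) so they are not counted as irregular.
    """
    words = irregular = midcaps = 0
    sentence_start = True
    for tok in TOKEN_RE.findall(text):
        if tok in ".!?":
            sentence_start = True
            continue
        words += 1
        if tok.lower() in allowlist:
            pass
        elif not case_pattern_is_regular(tok):
            irregular += 1
        elif not sentence_start and len(tok) > 1 and tok[0].isupper() and not tok.isupper():
            midcaps += 1
        sentence_start = False
    if words == 0:
        return 0.0, 0.0
    return irregular / words, midcaps / words


def flag_message(text, max_irregular=0.2, max_midcaps=0.5, allowlist=frozenset()):
    """True if either statistic exceeds its assumed threshold."""
    irregular, midcaps = case_statistics(text, allowlist)
    return irregular > max_irregular or midcaps > max_midcaps


if __name__ == "__main__":
    samples = [("normal", NORMAL_MESSAGE),
               ("case-flipped", SUSPICIOUS_MESSAGE),
               ("title-case", TITLECASE_MESSAGE)]
    for label, msg in samples:
        irr, mid = case_statistics(msg)
        print(f"{label:12s} irregular={irr:.2f} midcaps={mid:.2f} flag={flag_message(msg)}")
```

The thresholds have to be calibrated per board: proper nouns raise midsentence_caps on legitimate posts, and mixed-case product names raise irregular_ratio unless they are allowlisted. The misspelling variant the post mentions is not caught by case statistics at all; that needs a spelling-error rate compared against the board's normal posts.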
CONCLUSION
Comments and suggestions are welcome, clarifications available.