Undetectable communication

6 06 2008

The possibilities for covert channels and information hiding (steganography) inside other pieces of information seem endless. This time, these guys show us how to hide information within SIP, RTP and RTSP packets. The amazing thing is that for most people these protocols don’t ring a bell, yet applications such as video streaming and voice over IP rely on them. This means that covert channels could be created in apparently innocuous phone calls and video transmissions over the net. The danger escalates even further when you start thinking of the endless possibilities of this type of communication: undetectable botnets that communicate through the multicast networks of triple play providers, or simply dangerous information passing through a Skype call.

From personal experience working on designing certain mechanisms in triple play networks, tons of ideas for practical (legal and illegal) applications come to my mind. Just as an example, imagine your internet + TV + phone provider wanting to spy on you without you finding out. You get shipped a state of the art set top box that has every nifty feature you’ve ever wanted. However, it might also include some small modifications to its protocols to conceal information which your provider might consider “interesting”. The chances of you finding out are almost zero. Even if you try really hard to analyze the network traffic, everything will seem to be working as intended.

In the case of a botnet, the master won’t even need to communicate directly with its slaves. The slaves just send their messages to the net and the master listens. He is the only one who knows what to look for. A passive sniffer in the right place is all he needs, and he cannot be traced back, since neither his IP address nor the services he uses are disclosed by noisy machines.

Heuristic or behavior-based scanners may try to detect deviations from typical protocol behavior. The problem here is that the protocol itself behaves as a typical implementation would, so there would be little or no deviation. Even if a deviation is detected, other techniques such as delaying messages (also explained in the article) would suffice to defeat detection.
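As an added example (not from the original post or the article it discusses), here is a defender-side sketch of the deviation checks this paragraph talks about: it parses RTP fixed headers and flags a stream whose padding, header fields, timestamp increments or inter-arrival timing stray from what a plain 20 ms G.711 audio stream looks like. The sample packets, arrival times and the jitter threshold are constructed for illustration, not measured baselines.

```python
# Added example: heuristic deviation checks over one RTP stream; sample data and thresholds are constructed.
import statistics
import struct

def parse_rtp_header(pkt: bytes) -> dict:
    """Parse the 12-byte fixed RTP header (RFC 3550) plus the trailing pad length."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    padding = (b0 >> 5) & 1
    return {"version": b0 >> 6, "padding": padding, "extension": (b0 >> 4) & 1,
            "cc": b0 & 0x0F, "marker": b1 >> 7, "pt": b1 & 0x7F, "seq": seq,
            "timestamp": ts, "ssrc": ssrc, "pad_len": pkt[-1] if padding else 0}

def stream_anomalies(packets, arrival_ms, ts_step=160, jitter_limit_ms=5.0):
    """Return heuristic deviations seen in one stream (empty list = looks like plain RTP).
    ts_step=160 is the timestamp increment of 20 ms G.711; jitter_limit_ms is an assumed LAN baseline."""
    hdrs = [parse_rtp_header(p) for p in packets]
    found = []
    if any(h["version"] != 2 for h in hdrs):
        found.append("version field is not 2")
    if any(h["extension"] or h["cc"] for h in hdrs):
        found.append("header extension or CSRC list present")
    if len({h["padding"] for h in hdrs}) > 1 or len({h["pad_len"] for h in hdrs if h["padding"]}) > 1:
        found.append("padding presence or length varies across stream")
    if {(b["timestamp"] - a["timestamp"]) & 0xFFFFFFFF for a, b in zip(hdrs, hdrs[1:])} - {ts_step}:
        found.append("irregular timestamp increments")
    gaps = [b - a for a, b in zip(arrival_ms, arrival_ms[1:])]
    if gaps and statistics.pstdev(gaps) > jitter_limit_ms:
        found.append("inter-arrival jitter above baseline")
    return found

def build_packet(seq, ts, pad_len=0, pt=0, ssrc=0x1234ABCD, payload=b"\xff" * 160):
    """Construct a sample RTP packet; pad_len > 0 sets the P bit and appends RFC 3550 padding."""
    b0 = (2 << 6) | ((1 if pad_len else 0) << 5)
    pkt = struct.pack("!BBHII", b0, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload
    return pkt + b"\x00" * (pad_len - 1) + bytes([pad_len]) if pad_len else pkt

def demo():
    """Clean 20 ms stream versus a constructed stream whose padding and timing drift."""
    clean = [build_packet(i, i * 160) for i in range(50)]
    clean_t = [20.0 * i for i in range(50)]
    odd = [i % 3 == 0 for i in range(50)]
    drift = [build_packet(i, i * 160, pad_len=4 if o else 2) for i, o in enumerate(odd)]
    drift_t = [20.0 * i + (12.0 if o else 0.0) for i, o in enumerate(odd)]
    return stream_anomalies(clean, clean_t), stream_anomalies(drift, drift_t)
```

The checks are deliberately coarse: a real baseline would be learned per codec and per network path, and a sender that keeps every field constant and its timing tight, as the paragraph notes, would pass them.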