The evolution of rogue code has largely ignored the opportunities offered by kernel network drivers. In this paper we analyze such opportunities and demonstrate several methods of data theft and system commandeering that evade perimeter and host-based security systems and remain undetected over the long term.
End node TCP/IP perversion relies on a kernel module in the data path that will passively (without initiating a network session itself) modify incoming and outgoing traffic. We will focus on the Microsoft kernel and present several ways to insert an inline network driver that will intercept, redirect and modify TCP sessions.