Loki (cont.)
¨can only be detected via the
presence of Loki daemon process
running as root on the victim and the presence of bidirectional ICMP traffic
¨Can disguise its packets as DNS
queries and responses by running over UDP port 53
¨Supports protocol-switching by
typing “/swapt”
on client to toggle between ICMP and UDP port
53
¨Supports encryption of ICMP payload information