Loki (cont.)
¨can only be detected via the presence of Loki daemon  process running as root on the victim and the presence of bidirectional ICMP traffic
¨Can disguise its packets as DNS queries and responses by running over UDP port 53
¨Supports protocol-switching by typing “/swapt” on client  to toggle between ICMP and UDP port 53
¨Supports encryption of  ICMP payload information