* a pseudofile that resides in memory
* use standard file functions
* cannot be larger than 424 bytes when sent between computers
* can broadcast messages within a domain
Mailslots are an SMB-based IPC mechanism that dates back to Microsoft LanManager (LANMAN).
I could see using mailslots as a mechanism to disguise traffic and potentially thwart NIDS. SMB broadcast traffic is considered "noise" by a lot of admins and might well be excluded from traffic monitoring to prevent "chatty" traffic from filling the logs. Using mailslots, as opposed to rolling a custom broadcast-based protocol, makes the traffic sink into the normal SMB noise floor.
There have been vulnerabilities found in the code handling mailslots, but the protocol itself is just a mechanism to do broadcast-based communication. It's old and crufty, dating back to the DOS LanManager days, but I'm sure there are applications out there that still rely on the functionality and, as is typical for Microsoft, the API still exists in modern Windows versions. (The NetBIOS "Browse List" functionality that powered "Network Neighborhood" uses this protocol, for example.)
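The comment above notes that SMB broadcast "noise" is often excluded from monitoring outright. A defender can be more selective: mailslot writes carry the slot name (a `\MAILSLOT\...` path) in the SMB transaction, so instead of dropping all of them you can baseline the names that normal domain traffic uses (Browser, Netlogon) and alert on anything else, on a host repeatedly writing to one slot, or on a record that violates the 424-byte limit quoted earlier in the thread. The Python below is an added example, not code from the thread or from Microsoft; the log format it parses is constructed for the example, and both the allowlist of known mailslot names and the rate threshold are assumptions that would be tuned to a real network.

```python
import re
from collections import Counter
from typing import Iterable, List, NamedTuple, Optional, Set, Tuple

MAILSLOT_MAX_DATAGRAM = 424  # second-class mailslot limit quoted in the thread

# Mailslot names that routine Windows domain traffic uses. This allowlist is an
# assumption for the example; a real baseline should come from your own network.
KNOWN_MAILSLOTS: Set[str] = {
    r"\MAILSLOT\BROWSE",        # Browser service announcements ("Network Neighborhood")
    r"\MAILSLOT\LANMAN",        # legacy LAN Manager browser announcements
    r"\MAILSLOT\NET\NETLOGON",  # Netlogon domain-controller discovery
    r"\MAILSLOT\NET\NTLOGON",   # Netlogon mailslot ping
}


class MailslotEvent(NamedTuple):
    ts: str
    src: str
    dst: str
    name: str   # mailslot path as it appears in the SMB transaction name
    size: int   # datagram payload length in bytes


# Constructed log format for this example: one mailslot write per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"mailslot=(?P<name>\S+)\s+bytes=(?P<size>\d+)$"
)


def parse_line(line: str) -> Optional[MailslotEvent]:
    """Parse one log line; return None for lines that are not mailslot records."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Mailslot names are case-insensitive; normalise so the allowlist matches.
    return MailslotEvent(m["ts"], m["src"], m["dst"], m["name"].upper(), int(m["size"]))


Alert = Tuple[str, str, str]  # (reason, source address, mailslot name)


def analyze(lines: Iterable[str], known: Set[str] = KNOWN_MAILSLOTS,
            max_per_src_name: int = 5) -> List[Alert]:
    """Flag mailslot traffic that does not look like the usual broadcast noise.

    Three checks, each raised at most once per (source, mailslot) pair:
      unknown_mailslot   - slot name is not in the allowlist
      high_rate          - more than max_per_src_name writes from one host to one slot
      oversized_datagram - payload exceeds the 424-byte inter-machine limit
    """
    alerts: List[Alert] = []
    raised: Set[Alert] = set()
    counts: Counter = Counter()

    def raise_once(reason: str, ev: MailslotEvent) -> None:
        key = (reason, ev.src, ev.name)
        if key not in raised:
            raised.add(key)
            alerts.append(key)

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.size > MAILSLOT_MAX_DATAGRAM:
            raise_once("oversized_datagram", ev)
        if ev.name not in known:
            raise_once("unknown_mailslot", ev)
        counts[(ev.src, ev.name)] += 1
        if counts[(ev.src, ev.name)] > max_per_src_name:
            raise_once("high_rate", ev)
    return alerts


# Constructed sample: browser/netlogon noise, one host hammering an unlisted slot,
# one oversized record, and one line that is not a mailslot event at all.
SAMPLE_LOG = r"""
2014-03-02T10:00:01Z src=10.0.0.5 dst=10.0.0.255 mailslot=\MAILSLOT\BROWSE bytes=33
2014-03-02T10:00:02Z src=10.0.0.7 dst=10.0.0.255 mailslot=\MAILSLOT\NET\NETLOGON bytes=48
2014-03-02T10:00:03Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:04Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:05Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:06Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:07Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:08Z src=10.0.0.9 dst=10.0.0.255 mailslot=\MAILSLOT\SYNC bytes=120
2014-03-02T10:00:09Z src=10.0.0.11 dst=10.0.0.255 mailslot=\MAILSLOT\BROWSE bytes=900
2014-03-02T10:00:10Z src=10.0.0.12 dst=10.0.0.255 something else entirely
""".strip().splitlines()


def sample_alerts() -> List[Alert]:
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for reason, src, name in sample_alerts():
        print(f"{reason:20s} {src:12s} {name}")
```

Run as a script it prints one line per alert: the unlisted `\MAILSLOT\SYNC` name from 10.0.0.9, the same host crossing the write-count threshold, and the 900-byte record from 10.0.0.11. The point of the allowlist is that it keeps the browser and Netlogon chatter out of the alert stream without blinding the sensor to everything that rides on the same SMB datagram transport.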
I'm wondering if government agencies like the CIA, NSA and their counterparts in other countries look for vulnerabilities in programs but never report them to the vendors for fixing but instead catalog them for possible use in future exploits.
(actually, I'm not really wondering, it's probably naive to assume they wouldn't)
http://msdn.microsoft.com/en-us/library/windows/desktop/aa36...