The idea is pretty simple: we do not generate our own traffic (i.e. packets) but only change some fields in the packets that the compromised computer normally generates. Of course, that requires that the attacker control one of the computers that receives at least most of the traffic from the compromised host, such as an enterprise gateway, a router, etc. For example, such passive covert channels can be used by malicious ISP employees to spy on the ISP's customers.