Feeds

Rootkits on routers threat to be demoed

Networks own3d

Next gen security for virtualised datacentres

Updated Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.

Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May.

Rootkits are malicious packages used to hide the presence of malware on compromised systems. Generally such packages are designed to allow Trojan backdoors on desktop computer or servers to escape detection by anti-virus scanners. The technology started off in the toolboxes of Unix hackers, but over the last three or four years, it has become more commonly associated with compromised Windows systems. The issue of Windows rootkits rose to public prominence after Sony BMG Music (rather inadvisedly) used rootkit-like technology in a bid to prevent unauthorised CD copying.

Muniz's is reckoned to be the first researcher to apply rootkits to systems running Cisco IOS software. His work builds on the pioneering work of security researcher Michael Lynn, who controversially demonstrated interactive shell code for Cisco’s proprietary Internetworking Operating System (IOS) during Blackhat 2005.

Muniz has developed techniques for applying rootkit technology to embedded systems, such as routers running Cisco IOS. He is due to repeat a demo of his software at the Black Hat conference in Vegas in August, as an abstract for his proposed talk explains.

Different ways to infect a target IOS will be shown like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of Python scripts that provides a the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced and it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail.

"An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz told IDG. Hackers hoping to plant the rootkit would first need to obtain admin login credentials so that they could install software on networking devices, perhaps by using a separate exploit. But once planted such rootkits could be used to carry out all sorts of mischief.

Muniz doesn't intend to release his software. He hopes his talk will dispel the belief that rootkits for networking kit are impossible in the same way that Lynn's talk showed how it might be possible to plant malware onto routers. Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken". ®

Update

In a statement sent to subscribers of Cisco's security mailing list early on Friday the networking giant said it was closely monitoring Muniz's rootkit research, which he has shared with the IT heavyweight. Cisco downplayed talk about possible exploits based on the approach while advising network admins to follow best practice in securing their systems.

The Cisco PSIRT is aware of new, ongoing research on the topic of third party malicious code (also known as "rootkits") running on Cisco IOS devices. Cisco Systems is currently in the process of analyzing the information available to us on the issue. We will update this security response as more information becomes available.

As of the time of this posting, there has been no indication of the discovery of a new vulnerability in Cisco IOS. To the best of our knowledge, there is no exploit code available and Cisco Systems has not received any customer reports of exploitation.

Cisco recommends following industry best-practices to improve the security of all network devices. Risks against Cisco IOS devices can be mitigated by following the best practices detailed in the document titled "Cisco Guide to Harden Cisco IOS Devices", which is available here.

Cisco went on to thank Muniz and Core Security for working with it "towards the goal of keeping Cisco networks and the internet, as a whole, secure".

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.