Feeds

Rootkits on routers threat to be demoed

Networks own3d

Providing a secure and efficient Helpdesk

Updated Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.

Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May.

Rootkits are malicious packages used to hide the presence of malware on compromised systems. Generally such packages are designed to allow Trojan backdoors on desktop computer or servers to escape detection by anti-virus scanners. The technology started off in the toolboxes of Unix hackers, but over the last three or four years, it has become more commonly associated with compromised Windows systems. The issue of Windows rootkits rose to public prominence after Sony BMG Music (rather inadvisedly) used rootkit-like technology in a bid to prevent unauthorised CD copying.

Muniz's is reckoned to be the first researcher to apply rootkits to systems running Cisco IOS software. His work builds on the pioneering work of security researcher Michael Lynn, who controversially demonstrated interactive shell code for Cisco’s proprietary Internetworking Operating System (IOS) during Blackhat 2005.

Muniz has developed techniques for applying rootkit technology to embedded systems, such as routers running Cisco IOS. He is due to repeat a demo of his software at the Black Hat conference in Vegas in August, as an abstract for his proposed talk explains.

Different ways to infect a target IOS will be shown like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of Python scripts that provides a the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced and it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail.

"An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz told IDG. Hackers hoping to plant the rootkit would first need to obtain admin login credentials so that they could install software on networking devices, perhaps by using a separate exploit. But once planted such rootkits could be used to carry out all sorts of mischief.

Muniz doesn't intend to release his software. He hopes his talk will dispel the belief that rootkits for networking kit are impossible in the same way that Lynn's talk showed how it might be possible to plant malware onto routers. Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken". ®

Update

In a statement sent to subscribers of Cisco's security mailing list early on Friday the networking giant said it was closely monitoring Muniz's rootkit research, which he has shared with the IT heavyweight. Cisco downplayed talk about possible exploits based on the approach while advising network admins to follow best practice in securing their systems.

The Cisco PSIRT is aware of new, ongoing research on the topic of third party malicious code (also known as "rootkits") running on Cisco IOS devices. Cisco Systems is currently in the process of analyzing the information available to us on the issue. We will update this security response as more information becomes available.

As of the time of this posting, there has been no indication of the discovery of a new vulnerability in Cisco IOS. To the best of our knowledge, there is no exploit code available and Cisco Systems has not received any customer reports of exploitation.

Cisco recommends following industry best-practices to improve the security of all network devices. Risks against Cisco IOS devices can be mitigated by following the best practices detailed in the document titled "Cisco Guide to Harden Cisco IOS Devices", which is available here.

Cisco went on to thank Muniz and Core Security for working with it "towards the goal of keeping Cisco networks and the internet, as a whole, secure".

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.