Feeds

Rootkits on routers threat to be demoed

Networks own3d

5 things you didn’t know about cloud backup

Updated Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.

Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May.

Rootkits are malicious packages used to hide the presence of malware on compromised systems. Generally such packages are designed to allow Trojan backdoors on desktop computer or servers to escape detection by anti-virus scanners. The technology started off in the toolboxes of Unix hackers, but over the last three or four years, it has become more commonly associated with compromised Windows systems. The issue of Windows rootkits rose to public prominence after Sony BMG Music (rather inadvisedly) used rootkit-like technology in a bid to prevent unauthorised CD copying.

Muniz's is reckoned to be the first researcher to apply rootkits to systems running Cisco IOS software. His work builds on the pioneering work of security researcher Michael Lynn, who controversially demonstrated interactive shell code for Cisco’s proprietary Internetworking Operating System (IOS) during Blackhat 2005.

Muniz has developed techniques for applying rootkit technology to embedded systems, such as routers running Cisco IOS. He is due to repeat a demo of his software at the Black Hat conference in Vegas in August, as an abstract for his proposed talk explains.

Different ways to infect a target IOS will be shown like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of Python scripts that provides a the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced and it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail.

"An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz told IDG. Hackers hoping to plant the rootkit would first need to obtain admin login credentials so that they could install software on networking devices, perhaps by using a separate exploit. But once planted such rootkits could be used to carry out all sorts of mischief.

Muniz doesn't intend to release his software. He hopes his talk will dispel the belief that rootkits for networking kit are impossible in the same way that Lynn's talk showed how it might be possible to plant malware onto routers. Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken". ®

Update

In a statement sent to subscribers of Cisco's security mailing list early on Friday the networking giant said it was closely monitoring Muniz's rootkit research, which he has shared with the IT heavyweight. Cisco downplayed talk about possible exploits based on the approach while advising network admins to follow best practice in securing their systems.

The Cisco PSIRT is aware of new, ongoing research on the topic of third party malicious code (also known as "rootkits") running on Cisco IOS devices. Cisco Systems is currently in the process of analyzing the information available to us on the issue. We will update this security response as more information becomes available.

As of the time of this posting, there has been no indication of the discovery of a new vulnerability in Cisco IOS. To the best of our knowledge, there is no exploit code available and Cisco Systems has not received any customer reports of exploitation.

Cisco recommends following industry best-practices to improve the security of all network devices. Risks against Cisco IOS devices can be mitigated by following the best practices detailed in the document titled "Cisco Guide to Harden Cisco IOS Devices", which is available here.

Cisco went on to thank Muniz and Core Security for working with it "towards the goal of keeping Cisco networks and the internet, as a whole, secure".

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.