Feeds

Rootkits on routers threat to be demoed

Networks own3d

5 things you didn’t know about cloud backup

Updated Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers.

Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May.

Rootkits are malicious packages used to hide the presence of malware on compromised systems. Generally such packages are designed to allow Trojan backdoors on desktop computer or servers to escape detection by anti-virus scanners. The technology started off in the toolboxes of Unix hackers, but over the last three or four years, it has become more commonly associated with compromised Windows systems. The issue of Windows rootkits rose to public prominence after Sony BMG Music (rather inadvisedly) used rootkit-like technology in a bid to prevent unauthorised CD copying.

Muniz's is reckoned to be the first researcher to apply rootkits to systems running Cisco IOS software. His work builds on the pioneering work of security researcher Michael Lynn, who controversially demonstrated interactive shell code for Cisco’s proprietary Internetworking Operating System (IOS) during Blackhat 2005.

Muniz has developed techniques for applying rootkit technology to embedded systems, such as routers running Cisco IOS. He is due to repeat a demo of his software at the Black Hat conference in Vegas in August, as an abstract for his proposed talk explains.

Different ways to infect a target IOS will be shown like run-time patching and image binary patching. To discuss the binary patching technique from a practical point of view, a set of Python scripts that provides a the methods to insert a generic rootkit implementation called DIK (Da Ios rootKit) will be introduced and it's done in plain C for IOS. Also other techniques like run-time image infection will be discussed in detail.

"An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz told IDG. Hackers hoping to plant the rootkit would first need to obtain admin login credentials so that they could install software on networking devices, perhaps by using a separate exploit. But once planted such rootkits could be used to carry out all sorts of mischief.

Muniz doesn't intend to release his software. He hopes his talk will dispel the belief that rootkits for networking kit are impossible in the same way that Lynn's talk showed how it might be possible to plant malware onto routers. Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken". ®

Update

In a statement sent to subscribers of Cisco's security mailing list early on Friday the networking giant said it was closely monitoring Muniz's rootkit research, which he has shared with the IT heavyweight. Cisco downplayed talk about possible exploits based on the approach while advising network admins to follow best practice in securing their systems.

The Cisco PSIRT is aware of new, ongoing research on the topic of third party malicious code (also known as "rootkits") running on Cisco IOS devices. Cisco Systems is currently in the process of analyzing the information available to us on the issue. We will update this security response as more information becomes available.

As of the time of this posting, there has been no indication of the discovery of a new vulnerability in Cisco IOS. To the best of our knowledge, there is no exploit code available and Cisco Systems has not received any customer reports of exploitation.

Cisco recommends following industry best-practices to improve the security of all network devices. Risks against Cisco IOS devices can be mitigated by following the best practices detailed in the document titled "Cisco Guide to Harden Cisco IOS Devices", which is available here.

Cisco went on to thank Muniz and Core Security for working with it "towards the goal of keeping Cisco networks and the internet, as a whole, secure".

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.