[ISN] Cisco router rootkit 101

From: InfoSec News (alerts@private)
Date: Wed May 28 2008 - 00:14:01 PDT


By Joab Jackson

A security researcher has demonstrated how to install a rootkit on Cisco 
routers through the router's Internetwork Operating System (IOS).

Core Security's Sebastian Muniz demonstrated [1] the rootkit last week 
at the E.U. Security West Conference in London.

Rootkits are nothing new for desktop PCs, but thus far none had been 
successfully written for network routers. In an alert [3] issued earlier 
in the month, Cisco acknowledged Muniz's work but also stated that the 
company had not seen any exploit code in the wild that uses the 
technique. The advisory also instructed administrators how to protect 
against such a theoretical attack.

Muniz has not posted his presentation notes yet, though according to an 
account posted on the mailing list for the North American Network 
Operators Group [3], Muniz's approach involves making and downloading an 
image of the operating IOS, altering the portion dealing with log-in 
passwords, and then uploading the altered image onto the flash memory of 
the router.

Although Muniz used the Cisco operating system, the approach could also 
be used for routers from other companies, he said in an interview on the 
conference Web site [4].

[1] http://www.eusecwest.com/sebastian-muniz-da-ios-rootkit.html
[2] http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
[3] http://www.merit.edu/mail.archives/nanog/msg08393.html
[4] http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html

Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com

This archive was generated by hypermail 2.1.3 : Wed May 28 2008 - 00:20:08 PDT