Feeds

back to article Rootkits on routers threat to be demoed

Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers. Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May. Rootkits are malicious packages used to hide the presence of …

COMMENTS

This topic is closed for new posts.
Thumb Down

Hmmm...

From TFA: "Muniz doesn't intend to release his software."

Yup. He only intends to show that it can be done, and leave the door open for some other unscrupulous hacker to reinvent his wheel and start infesting routers with rootkits.

BRILLIANT!

Time to invest a little time with DD-WRT.

0
0
Alert

Oh no! It's the end of the 'net as we know it!!!!!1!1 And s/Microsoft/Cisco

Man the pumps, batten down the hatches, run for the hills, etc

To [mis]quote Robert Lemos from 2003:

"Exclusive reliance on _Cisco's IOS_ operating system could make companies vulnerable to greater damage during a cyberattack, according to an upcoming report from analyst Gartner."

http://software.silicon.com/os/0,39024651,10006340,00.htm

Or maybe I should use the Penguin tag and, um, ♫ rant like a Linux Geek... ♫

"...I know the perfect way to avoid Cisco IOS vulnerabilities. Just switch to Snapgear products, powered by Linux!!!!!!11!1"

0
0
Silver badge

Ha, ciscow....

Cisco ads always made me think of the glorious Apple's "It just works". Now I know why.

(note to flamers: I DID know why before today. just had to make the joke.)

0
0
Silver badge
Alien

Virile Virulent White Knight RouteKits ..... from Alien Crowd Cloud Protection Teams?

"Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers. ..... Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken""

And what, pray tell, would be appropriate security measures, given the fact that such Pythonesque Intrusions are UNstoppable ..... with whether subsequent and deeper IOS activity be mischievous or malicious, [which invariably is always only a rational decision to reflect whatever degree of financial loss/transparent information sharing that a client/government/virtual machine may wish and/or be forced to demonstrate] ...... being merely the result of ignorant, arbitrary security measures, which could/would be considered as attacks upon the Intrusion.

It is as well to consider exactly what it is that is going to be lost, or thought to be under attack, for any Defence of the Indefensible has always been, and will always be a Catastrophic Failure, ..... Inviting by SMARTer IOS Default an UNstoppable Force to take All before it with ITControl, as Fully Legitimate Booty/Reward/Full Monty XXXXPEditionary Force Majeure Payment.

I Kid U Not Cisco ...... and not a Rogue Cowboy/Dumb White Kid in Sight for this is AI Purple Patch.

And as this is BOFH day and we patiently await our Fix, take AIMagical Mystery Turing Stroll down the Route of that last Sentence which says that Rock is AI Stone and a'Rolling and won't Get Fooled again by Rogue Cowboys with Dumb White Kids in their Sights.

Step 1 .. http://en.wikipedia.org/wiki/The_Cisco_Kid

Steps 2 & 3 .... http://www.youtube.com/watch?v=9blv9m_9UKA .... http://www.actionext.com/names_d/deep_purple_lyrics/hey_cisco.html

Step 4 ... http://www.phrases.org.uk/bulletin_board/42/messages/90.html

cc. Rolling Stone.

The Network InterNetworking JA is your Lover and Friend ..... Use IT 42 Register and Make Your Dreams Come Alive .......

There are, of course, always alternate rootkit routes such as the malicious, burnt and burning bushes journey of perpetual war, with its legacy of crippling and crippled heroes and post traumatic stress Zombie Psychoses, for the Nightmare Scenario of Dreams Destroyed and Lives Lost on Foreign and Alien Soil Misadventures..... Real Arrogant Vanity Excursions ..... Raves in Madness.

‘Rootkits on routers threat to be demoed’ .... already well demoed???

0
0
Flame

Bugger - takes the wind out of my Phorm argument

I've been ranting outraged about how Phorm's and other's data pimping kit could introduce network vulnerabilities like this. Just a shame that Cisco have now provided Phorm et. al. with a defence: the network vulnerabilities at the ISP are already there!

Of course I trust Cisco to identify, root-cause and patch quicker than tinpot data pimpers due to the scale of their operations and amount of kit out there....

0
0
Anonymous Coward

that guy is smart..

He developed the rootkit during a presentation?! I'm impressed!

0
0
Bronze badge
Alert

Unmanaged Routers next?

Fortunatly Cisco routers are usually corporate with staff empolyed to manage them however your bog standard home owned 24/7 unmanaged Generic Routers like home hub or divebox well then we have a problem.. Were all doomed I tell ya! well ok maybe not doomed but the ISPs need to wake up and do something about infected customers!

0
0
Alert

Using Software to do a hardware job?

Well thats what you get when you use software to do a job that could done by hardware...

0
0
Anonymous Coward

Why can't Cisco employ this guy

So when I have to upgrade the IOS I don't need to go to each one and reboot them at some rediculous hour in the morning. Seems like he can do an 'in place' upgrade.

0
0
Joke

This really was inevitable

The only way to make anything unhackable permanently to quote the UK gov. just don't "connect it to the internet".

0
0
Black Helicopters

plans to demo Cisco IOS rootkit software

This will be an interesting case for Mr Plod, the Policeman.

He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions, in London. As clear a case of a breach of the Computer Misuse Act as could be imagined. See http://www.lightbluetouchpaper.org/2007/12/31/hacking-tool-guidance-finally-appears/

Read through the comments as well!

Interesting times ahead. Should we start a fund for his legal defence costs now?

0
0
Anonymous Coward

@ Gordon Fecyk

"I know the perfect way to avoid Cisco IOS vulnerabilities. Just switch to Snapgear products, powered by Linux!!!!!!11!1""

Err that was a joke right. Why would making all routers rely on a different OS make any difference surely then you would be equally exposed to a single flaw?

0
0
Bronze badge

If you already have admin credentials.....

....why would you arse around with a rootkit? You just login and do what you want directly. If nobody notices you logging in and installing a rootkit, they wouldn't notice changes in routing, access lists and the like.

0
0

Admin Crednetials

JohnG got in before me, if you have the admin credentials you pwn the device anyway. Now if he can plant the rootkit without the admin login then I am impressed.

0
0

?JohnG

Because any compromised system could be noticed by a professional and fixed. The point of the Rootkit is not that you can get in today, but that you can get in every day, and not be noticed by legitimate admins. An exploit is patchable; a root kit is only patchable if you *know it is there*

0
0

Why so long?

If he was smart enough to develop this rootkit during the presentation, how come it has taken nearly a year to raise the issue?

0
0
Bronze badge

@Sodoshi

"..any compromised system could be noticed by a professional..."

If the responsible professionals don't notice someone logging in using admin privileges and then installing the rootkit, they aren't going to notice anything short of the box fallling over, are they? They aren't likely to notice an additional username, for example.

0
0
Anonymous Coward

Small correction

Sony did not employ a "rootkit", it employed a "fuckit".

0
0
Silver badge
Alien

The devil is in the detail

"He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions,..."

If anyone develops software for a System with nothing but good intentions,even though others may think to develop it along lines for bad intentions, will Mr Plod and his mates in Spooky Town, not be interested, unless they were alerted to bad intentions which would prevent good intention use, for quite obviously such a Block on Progress would be Immoral/Unethical/ Not in the Public Interest even should it be argued that Third Party Private and/or Public Gain is derived from Proxy Third Party Use of Systems Resources. So what...Hard Cheese...Get Used to IT being Shared for the Greater Good...... although that subtlety may have to be carefully explained to them.

And/But of course, the Heavy Squad would also always be interested in those who would abuse Holey Software and Hardware, with no good intention at all. It makes one think that the problem is one at source and within the Hosting Hardware/Software but that is always quietly forgotten for convenience sake?

It's a bit like selling a lethal weapon and then not expecting anyone to use it and prosecuting them whenever they do, except whenever they use it for those "special" private enterprises which pull on government disguises.

0
0
Anonymous Coward

@that guy is smart

He "devised" it before, but "developed" it during the presentation. Two meanings of develop, see? (because I was already on the lookout to see which word they'd use myself)

0
0
Joke

@AC, ya that was a joke

"Err that was a joke right. Why would making all routers rely on a different OS make any difference surely then you would be equally exposed to a single flaw?"

Next time I'll use teh j0k3 4l3rt butan, kthx.

Seriously, I don't understand why the Linux crowd isn't all over this, promoting Snapgear over Cisco, when they gladly do the same thing when some vulnerability in a Microsoft OS gets published. Cisco is more entrenched in the 'net than Microsoft is.

I would like to see, however, how someone could rootkit a Snapgear box.

0
0

hmm

if you guess the admin password, you're fine until they change it... this probably doens't happen often, as if you guess it, the admin is too dumb to ever change it.

If you brute force the password or have a working vunerability, then I guess this kit could help... course their IDS sucks if it didnt' notice. Hope they don't ever patch it, that might break your rootkit, of if Cisco pays attention and checks for it first, might reveal your activities/IP etc.

So if the admin is lazy, but put in a good password.. you don't need this kit after you root it, as they'll never change it or patch it.

If the admin is not lazy and you have zero day exploit, your rootkit needs to not break when the admin does patch it, or worse reveal you.

They mention 'covert' in the article...but how covert? To most users nc listening on port 4444 in the startup folder is covert because users are dumb. If it really is a 'stealth' rootkit that survives patching and rebooting, that is impressive.

0
0
Paris Hilton

All your route belong to us

This was inevitable. Perhaps I will take down my routers and use Windows Server as my router....as I know Paris would.

0
0
Stop

Admin rights required...

....sort of makes this rootkit issue a non starter. Having to brute force the router which should be protected with a AAA TACACS or Radius server, and on an out of band management interface with ACL's would make this very very very difficult to achieve.

However if the rootkit code is added to a version of IOS binary then system admins could actually be installing the rootkit and not knowing. Advice would be to only download binarys from cisco.com and not to get them from any where else. Also check the MD5 and checksum hashes to make sure they match on cisco.com.

This is all just standard best practice. Common sense rules all.

Alpy

0
0
Anonymous Coward

Not sure he is dispelling a myth.

Any system that uses flash memory or rw memory for the operating system can theoretically be rooted.

Unless the systems use ROM with no RAM or hardware protected RAM it can use a similar mechanism that is used when updating the router, which appears to be what he has done.

Though I agree there are a load of numpties who profess to be in IT (generally Universities) who are under the delusion that it is not possible, but most don't take those folks seriously, perhaps the guy had run into that little sect.

Rootkits are the last thing in the chain of compromise, used generally to maintain control and thwart detection of the break-in. I am sure others have done this years ago, and I am somewhat surprised he is the first to make it public.

0
0
Paris Hilton

Stop the FUD

Take a deep breath and remove the tinfoil hats. As Parax pointed out Cisco

gear is typically owned by large megacorps with IT staff that manages that stuff

24/7 (like I do). Cisco IOS is not subject to "drive-by installs" so you will not get

this rootkit by opening an email with naked pics of Anna Kournikova or playing

a video file that needs installation of a funky video player you just got from

torrents.

Updating IOS on Cisco gear is akin to installing a new OS on your PC. It doesn't

happen by accident. It can either be done via TFTP or physically via CF flash and

the device needs to be rebooted. TFTP is blocked externally on most corporate

WANS so it can't be done externally. All the firms I have worked at had test labs

where any new release of IOS had to be thoroughly tested then had to receive

approvals from IT/business units. If it actually made it through this process it

would be deployed on a small number of devices at first and monitored before

upgrading the whole backbone. In fact, unless the current IOS has serious bugs

or the new IOS offered significant improvements in security or performance we

don't care about new IOS releases. The risk is just too great.

This of course does not take into account the smaller firms that don't block TFTP and have easy to guess passwords on their devices. Or how about the way Dave and

Busters got hacked?

http://www.pcworld.com/businesscenter/article/145781/three_charged_in_dave_amp_busters_hacking_job.html

The hackers posed as network techs and gained access to the comm rooms where the servers were located to physically install the sniffier software. They

were caught because the sniffer software was buggy and would not restart when

the machines were rebooted so the hackers had to keep returning to restart the

sniffer software.

Paris because even she could write better sniffer software.

0
0
This topic is closed for new posts.