Cisco Tool to Detect Router Attacks

Tuesday, September 29, 2015 @ 10:09 AM gHale

Cisco Systems created a tool that allows enterprise users to scan their networks to discover if routers suffer from SYNful Knock.

The SYNful Knock Scanner is a Python script that scans networks, looking for hosts that respond to the malware.

Smart Attacks Break into Routers
Cisco Working on Security Appliances Holes
Cisco Patches Data Center Holes
Cisco Working on Fix ISE Hole

“During its operation, the tool injects custom crafted packets at the Ethernet layer (layer 2) and monitors and parses the responses. This functionality requires that the tool be run with root privileges,” said Cisco’s William McVey.

While the scanner can help detect and triage known compromises of infrastructure, it cannot establish that a network does not have malware that might have evolved to use a different set of signatures, he said.

If the scanner finds a compromised router, it will provide instructions on what to do next. Users can also contact the Cisco Product Security Incident Response Team (PSIRT) for help.

FireEye researchers first found the SYNful Knock router implant and other researchers have found instances of compromised routers around the world.

The discovery came a month after Cisco warned about attackers replacing the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image, after gaining administrative or physical access to a Cisco IOS device.

These compromises are not the result of the exploitation of a vulnerability, but of a legitimate feature that allows network administrators to install an upgraded ROMMON image on IOS devices for their own purposes.

For more technical details and tool caveats, click here for more of McVey’s blog post.