Cost Effective Cisco IOS Rootkits Possible

Wednesday, October 14, 2015 @ 03:10 PM gHale

While sophisticated attacks occur all the time, a new paper reports that it is possible to develop rootkits for devices running Cisco IOS without advanced knowledge or heavy-duty resources.

The “SYNful Knock” malware ended up discovered last month on hundreds of Cisco routers. Attackers planted the threat not by exploiting software vulnerabilities, but by using stolen administrative credentials and a legitimate feature that allowed them to replace the legitimate firmware with a malicious version.


After the existence of SYNful Knock came to light, researchers said it had to be the work of a well-funded nation state.

However, researchers at penetration testing company Grid32 believe it doesn’t take the resources of a nation state or a high tech think tank to develop rootkits for IOS, the software running on most Cisco routers and switches.

They published a paper detailing the creation of a basic IOS rootkit they said could be at least as sophisticated as SYNful Knock.

Grid32 believes a Cisco IOS rootkit can be created in a month or less, including the time needed to study PowerPC assembly, learn disassembly, and write and debug code.

“Yes, it is time consuming finding and figuring out the functions via tracing, debugging, and string references but certainly very possible. There is no magic involved, no need for nation states to be the source of the code, and no secret advanced techniques involved,” said the Grid32 paper. “Binary modification to the firmware of a Cisco device running IOS merely involves basic coding skills, knowledge of assembly language for the target architecture, a base level knowledge of disassembly, combined with time and interest.”

In a blog post, Cisco said SYNful Knock is not the first piece of malware targeting devices running IOS. Cisco is currently aware of six malware incidents targeting such devices and SYNful Knock is just the latest in a series of attacks observed by the company since 2011.

Cisco implemented various new security technologies in current devices, including secure boot, trust anchor modules, and image signing capabilities. While these systems should significantly reduce the likelihood of success for attacks like SYNful Knock, the networking giant said users will also have to take some steps on their end, such as following best practices and fully utilizing available security tools.

Cisco did say the Grid32 whitepaper describes modifications made to firmware for legacy products (Cisco 2600) and does not take into account the new security enhanced devices.