Synful Knock questions...

Jake Mertel jake.mertel at ubiquityhosting.com
Tue Sep 15 18:40:39 UTC 2015


Reading through the article @
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
I'm led to believe that the process(es) they overwrite are selected to
cause no impact to the device. Relevant excerpt:

###
Malware Executable Code Placement

To prevent the size of the image from changing, the malware overwrites
several legitimate IOS functions with its own executable code. The
attackers will examine the current functionality of the router and
determine functions that can be overwritten without causing issues on the
router. Thus, the overwritten functions will vary upon deployment.
###

So, if the device in question isn't using OSPF, then the malware may
overwrite the code for the OSPF process, allowing them to A) infect the
device; B) cause no disruption to the operational state of the device
(since, presumably, OSPF isn't going to be turned on); and C) keep the
image firmware file size the same, preventing easy detection of the
compromise.



--
Regards,

Jake Mertel
Ubiquity Hosting



*Web: *https://www.ubiquityhosting.com
*Phone (direct): *1-480-478-1510
*Mail:* 5350 East High Street, Suite 300, Phoenix, AZ 85054


On Tue, Sep 15, 2015 at 11:15 AM, <eric-list at truenet.com> wrote:

> I'm sure most have already seen the CVE from Cisco, and I was just reading
> through the documentation from FireEye:
>
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
>
> Question is that it looks to me like they are over-writing the ospf
> response
> for "show ip ospf timers lsa-group"?
> And if that's the case I'm guessing the router would need to have ospf
> enabled to be able to see the response?
>
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
> F: 610-429-3222
>
>
>
>
>
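Added example, not part of either message above: the excerpt Jake quotes explains why a size-preserving overwrite defeats a file-size check, so this Python snippet shows that a hash comparison against a known-good baseline still catches it and reports which byte ranges were replaced. The image bytes are constructed stand-ins, not a real IOS image.

```python
import hashlib


def image_fingerprint(image: bytes) -> dict:
    """Size and SHA-256 of an image blob, the two things a baseline should record."""
    return {"size": len(image), "sha256": hashlib.sha256(image).hexdigest()}


def differing_regions(baseline: bytes, candidate: bytes) -> list:
    """(start, end) byte ranges where candidate differs from a same-sized baseline."""
    if len(baseline) != len(candidate):
        raise ValueError("region diff only makes sense for same-sized images")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(baseline, candidate)):
        if a != b and start is None:
            start = i                      # a run of changed bytes begins
        elif a == b and start is not None:
            regions.append((start, i))     # the run ended
            start = None
    if start is not None:
        regions.append((start, len(baseline)))
    return regions


def verify_image(baseline: bytes, candidate: bytes) -> dict:
    """Compare a candidate image to a known-good baseline.

    Size alone cannot flag an in-place overwrite; the hash can, and the
    region list shows which bytes were replaced.  On a real router the
    equivalent of the hash step is comparing `verify /md5 flash:<image>`
    output with the checksum Cisco publishes for that release.
    """
    good, cand = image_fingerprint(baseline), image_fingerprint(candidate)
    size_ok = good["size"] == cand["size"]
    hash_ok = good["sha256"] == cand["sha256"]
    regions = differing_regions(baseline, candidate) if size_ok and not hash_ok else []
    return {"size_matches": size_ok, "hash_matches": hash_ok, "modified_regions": regions}


# Constructed stand-in for a firmware image: three "functions" back to back.
UNUSED_FN = b"OSPF_LSA_GROUP_TIMER_HANDLER"          # 28 bytes the device never calls
GOOD_IMAGE = b"\x90" * 32 + UNUSED_FN + b"\x90" * 32
# Same-length replacement of the unused function, as the FireEye excerpt
# describes (XOR simply guarantees every byte of the region changes).
IMPLANT = bytes(b ^ 0xFF for b in UNUSED_FN)
TAMPERED_IMAGE = GOOD_IMAGE[:32] + IMPLANT + GOOD_IMAGE[60:]

if __name__ == "__main__":
    print(verify_image(GOOD_IMAGE, TAMPERED_IMAGE))
```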



More information about the NANOG mailing list