Synful Knock questions...

Marcin Cieslak saper at saper.info
Tue Sep 15 18:50:37 UTC 2015


On Tue, 15 Sep 2015, Jake Mertel wrote:

> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm led to believe that the process(es) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
> 
> ###
> Malware Executable Code Placement
> 
> To prevent the size of the image from changing, the malware overwrites
> several legitimate IOS functions with its own executable code. The
> attackers will examine the current functionality of the router and
> determine functions that can be overwritten without causing issues on the
> router. Thus, the overwritten functions will vary upon deployment.
> ###
> 
> So, if the device in question isn't using OSPF, then the malware may
> overwrite the code for the OSPF process, allowing them to A) infect the
> device; B) cause no disruption to the operational state of the device
> (since, presumably, OSPF isn't going to be turned on); and C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

That explains why on my home IOS router either IPsec works properly or 802.11,
but never both :)

~Marcin
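Following on from the excerpt Jake quoted: because the implant keeps the image size unchanged, a size comparison on its own proves nothing, while a hash or byte-level comparison against a known-good copy of the same image file (for example one obtained directly from the vendor) still exposes the regions that were overwritten in place. The Python below is an added example, not code from this thread or from FireEye; the two "images" are constructed 256-byte stand-ins, with a 32-byte stretch at offset 64 replaced by different bytes of the same length.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_modified_regions(known_good: bytes, suspect: bytes, block_size: int = 16):
    """Return [(offset, length), ...] for the byte ranges where suspect differs
    from known_good. The comparison runs in fixed-size blocks and merges
    adjacent differing blocks, so reported ranges are block-aligned and may
    include a few unchanged bytes at either edge. A size mismatch raises,
    because that is already a finding on its own."""
    if len(known_good) != len(suspect):
        raise ValueError("image sizes differ: %d vs %d" % (len(known_good), len(suspect)))
    regions = []
    start = None
    for off in range(0, len(known_good), block_size):
        differs = known_good[off:off + block_size] != suspect[off:off + block_size]
        if differs and start is None:
            start = off
        elif not differs and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(known_good) - start))
    return regions


def check_image(known_good: bytes, suspect: bytes) -> dict:
    """Run the three checks a defender would apply: size, whole-file hash,
    and, when sizes match, the byte-level diff that locates the changes."""
    same_size = len(known_good) == len(suspect)
    return {
        "same_size": same_size,
        "same_hash": sha256_hex(known_good) == sha256_hex(suspect),
        "modified_regions": find_modified_regions(known_good, suspect) if same_size else [],
    }


# Constructed sample data (not a real IOS image): a 256-byte stand-in for the
# vendor image, and a copy in which 32 bytes at offset 64 were replaced in
# place, so the file size is unchanged.
GOOD_IMAGE = bytes(range(256))
SUSPECT_IMAGE = GOOD_IMAGE[:64] + b"\xaa" * 32 + GOOD_IMAGE[96:]

if __name__ == "__main__":
    print(check_image(GOOD_IMAGE, SUSPECT_IMAGE))
```

On the sample data the size check passes and the hash check fails, and the region list points at offset 64, length 32, which is exactly the in-place overwrite the quoted FireEye text describes.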


