[NANOG] IOS rootkits
Gadi Evron
ge at linuxbox.org
Mon May 19 03:30:01 UTC 2008
On Sun, 18 May 2008, Joel Jaeggli wrote:
>>
>> The result from your check can easily be modified, first thing I would have
>> changed is the checker.
>
> That is a normal thing to do with rootkits (return bogus results). Which is
> part of the reason I suggested that method I did. Short of pulling the flash
> you're not going to get a fully unbiased view of what's it on it thusly the
> audit process has some limitations.
>
> A TCPA style boot process would be a better approach. It's certainly not a
> quick fix since it in general can't be retrofited to existing products.
EuSecWest released this interview about the rootkit with its creator,
Sebastian Muniz of Core Security, it also mentions a third party product
to detect some of these issues. Thank whatever diety we like for FX's
work, as obviously Cisco isn't there yet.
http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html
>> Say you did this from a usb stick--I'd just hide the rootkit in memory.
>>
>>> In the end if you subvert a router, presumably you're doing it for a
>>> purpose and given what the device does, that purpose is probably
>>> detectable in a well instrumented network.
>>
>> Subversion may not be the goal. A router is perfect for faking outgoing
>> traffic. This traffic can contain stolen sniffed or relayed data.
>
> If my device is now taking marching orders from a third party then by
> definition it is subverted, regardless of agency or activity.
>
> sub verte - turn from under
>
More information about the NANOG
mailing list