[NANOG] IOS rootkits

• Previous message (by thread): [NANOG] IOS rootkits
• Next message (by thread): [NANOG] IOS rootkits
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 18 May 2008, Joel Jaeggli wrote:
>> 
>> The result from your check can easily be modified, first thing I would have 
>> changed is the checker.
>
> That is a normal thing to do with rootkits (return bogus results). Which is 
> part of the reason I suggested that method I did. Short of pulling the flash 
> you're not going to get a fully unbiased view of what's it on it thusly the 
> audit process has some limitations.
>
> A TCPA style boot process would be a better approach. It's certainly not a 
> quick fix since it in general can't be retrofited to existing products.

EuSecWest released this interview about the rootkit with its creator, 
Sebastian Muniz of Core Security, it also mentions a third party product 
to detect some of these issues. Thank whatever diety we like for FX's 
work, as obviously Cisco isn't there yet.

http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html



>> Say you did this from a usb stick--I'd just hide the rootkit in memory.
>> 
>>> In the end if you subvert a router, presumably you're doing it for a
>>> purpose and given what the device does, that purpose is probably
>>> detectable in a well instrumented network.
>> 
>> Subversion may not be the goal. A router is perfect for faking outgoing 
>> traffic. This traffic can contain stolen sniffed or relayed  data.
>
> If my device is now taking marching orders from a third party then by 
> definition it is subverted, regardless of agency or activity.
>
> sub verte - turn from under
>

• Previous message (by thread): [NANOG] IOS rootkits
• Next message (by thread): [NANOG] IOS rootkits
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]