[NANOG] IOS rootkits

Gadi Evron ge at linuxbox.org
Tue May 20 07:31:00 UTC 2008


On Mon, 19 May 2008, Deepak Jain wrote:
>
> Wouldn't this level of verification/authentication of running code be a 
> pretty trivial function via RANCID or similar tool?

Absolutely, and it actually makes sense. The problem though is that it is 
once again an escalation war and counter-inventions keep happening. RANCID 
will connect remotely and use the local tools to get results, and these local 
tools or their results can be altered.

> I understand *why* we are worried about rootkits on individual servers. On 
> essentially "closed" platforms this isn't going to be rocket science.
> It may seem odd by today's BCPs, but booting up from "golden" images via 
> write-protected hardware or TFTP or similar is pretty straightforward -- 
> especially for those of us who run large server farms.

That is a neat idea; you mean something like a magic card?
Well, the rootkit could still hide in memory, or heck, on the video card 
if it likes. While XR is not implemented your best bet is reflashing with 
an updated version, which screws up the memory allocations, which is apparently a 
difficult problem to overcome.

> A POP or node could certainly keep a few servers around that are a permanent 
> repository of these items for all the devices that get images.
>
> If you can't trust the boot rom, well, that's an entirely separate matter.
>
> I think the issue with rootkits whether server or embedded device is more 
> about infection vector than the maliciousness that could be caused AFTER a 
> compromise has occurred.

Here I very much disagree with you. Imagine what you can do with a Trojan 
horse on a computer, say a server. You could, in effective terms, use it 
as your own. You'd own it. The same is true for a router.

You could sniff the network, steal traffic, use it as a bridge to connect 
to potentially any part of your network, hide traffic, etc. The potential 
for attackers is almost "cool".

 	Gadi.


>
> Deepak Jain
>
>
> Dragos Ruiu wrote:
>> The question this presentation begs for me... is how many of the folks on 
>> this list do integrity checking on their routers?
>> 
>> You can no longer say this isn't necessary :-).
>> 
>> I know FX and a few others are working on toolsets for this...
>> 
>> I'll probably have other comments after I see the presentation.
>> This development has all sort of implications for binary signing 
>> requirements, etc...
>> 
>> cheers,
>> --dr
>> 
>> --
>> World Security Pros. Cutting Edge Training, Tools, and Techniques
>> London, U.K.   May 21/22 - 2008    http://cansecwest.com
>> pgpkey http://dragos.com/ kyxpgp
>> 
>> 
>> 
>> _______________________________________________
>> NANOG mailing list
>> NANOG at nanog.org
>> http://mailman.nanog.org/mailman/listinfo/nanog
>> 
>> 
>
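The RANCID-style check discussed above, written out as an added example (not code from the thread or from RANCID): it parses a captured IOS session for the boot image name and the on-box `verify /md5` result and compares that against an MD5 computed off-box from a golden image repository. The device output, image name and image bytes are constructed for the example; the point Gadi makes still holds, so a "match" only means the on-box tool reported what we expected, while a "mismatch" or a missing verify line is the actionable signal.

```python
import hashlib
import re

# Constructed golden-image repository: image name -> image bytes. A real one
# would hold the files served from the write-protected / TFTP "golden" store.
GOLDEN_IMAGES = {
    "c2800nm-adventerprisek9-mz.124-15.T.bin": b"constructed golden image bytes v1",
}

# Constructed sample of what a collector might capture from an IOS box.
# {md5} is filled in by the caller so the sample can show a match or a mismatch.
SAMPLE_OUTPUT = """\
router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T
System image file is "flash:c2800nm-adventerprisek9-mz.124-15.T.bin"
router#verify /md5 flash:c2800nm-adventerprisek9-mz.124-15.T.bin
.......Done!
verify /md5 (flash:c2800nm-adventerprisek9-mz.124-15.T.bin) = {md5}
"""

IMAGE_RE = re.compile(r'System image file is "flash:([^"]+)"')
VERIFY_RE = re.compile(r'verify /md5 \(flash:([^)]+)\) = ([0-9a-f]{32})')


def golden_md5(name, golden=GOLDEN_IMAGES):
    """Off-box hash of the golden image; this is the reference, not the box's word."""
    return hashlib.md5(golden[name]).hexdigest()


def check_capture(capture, golden=GOLDEN_IMAGES):
    """Classify one captured session.
    'match'    on-box hash equals the off-box golden hash (necessary, not sufficient)
    'mismatch' on-box hash disagrees with golden, or verify ran on a different file
    'unknown'  boot image is not in the golden repository
    'missing'  no image name or verify line captured (an altered tool shows up here)
    """
    m_img = IMAGE_RE.search(capture)
    m_ver = VERIFY_RE.search(capture)
    if not m_img or not m_ver:
        return ("missing", "no image name or verify line in capture")
    name, verified_file, reported = m_img.group(1), m_ver.group(1), m_ver.group(2)
    if verified_file != name:
        return ("mismatch", f"verify ran on {verified_file}, boot image is {name}")
    if name not in golden:
        return ("unknown", name)
    expected = golden_md5(name, golden)
    return ("match" if reported == expected else "mismatch", f"{reported} vs {expected}")


if __name__ == "__main__":
    name = "c2800nm-adventerprisek9-mz.124-15.T.bin"
    print(check_capture(SAMPLE_OUTPUT.format(md5=golden_md5(name))))
    print(check_capture(SAMPLE_OUTPUT.format(md5="0" * 32)))
```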