[NANOG] IOS rootkits

Christian christian at visr.org
Sun May 25 18:26:24 CDT 2008

any news of the presentation surfacing anywhere? interested to details of
what was discussed

On Sun, May 25, 2008 at 6:27 AM, Gadi Evron <ge at linuxbox.org> wrote:

> On Sun, 18 May 2008, Joel Jaeggli wrote:
>> Dragos Ruiu wrote:
>>  First of all about prevention, I'm not at all sure about this being
>>> covered by existing router security planning / BCP.
>>> I don't believe most operators reflash their routers periodically, nor
>>> check existing images (particularly because the tools for this
>>> integrity verification don't even exist). If I'm wrong about this I
>>> would love to be corrected with pointers to the tools.
>> I have 6 years worth of rancid logs for every time the reported number
>> of blocks in use on my flash changes, I imagine others do as well.
>> That's hardly the silver bullet however.
> Cisco considerably updated its rootkits page (which was 3 lines, yes, just
> 3 lines, last week, you might think it was a previously unknown threat).
> Last Updated 2008 May 22 1600 UTC (GMT)
> For Public Release 2008 May 16 0400 UTC (GMT)
> Some update!
> The new page gives a lot of information on best practices, MD5
> verifications, etc. Very good as a security best practices page but still
> not much of an "anti rootkit" page. Well worth taking a look:
> http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
> Again, very good page even if it in no way addresses the threat.
> Last week my opinions were well-formed after a few years of thinking on the
> subject. I decided to re-examine my take as I may have just stagnated on the
> issue and the landscape changed. I reached the same conclusions.
> Still no decent response on why they never spoke to their clients on Trojan
> horses on IOS, rootkits on IOS.. or practically, what tools they provide to
> deal with them or what their plans are to help us protect ourselves and our
> infrastructure. One could guess they have non.
> As someone recently mentioned to me, after the Michael Lynn talk they
> started admitting to remote code execution vulnerabilities being more than
> just DoS in their announcements. Maybe that is a trend and we will get more
> information from them in the future, now that rootkits as a threat to IOS is
> a publis issue.
> Cisco's "threats don't exist until our clients already know of them"
> strategy is running out of steam, and will soon outlive its usefulness.
> Cisco is acting pretty much like Microsoft did 10 years ago, they shouldn't
> be surprised if security research treats them the same way as it treated
> Microsoft.
> I know what their treatment made _me_ do psychologically, it made me not
> want to reach out to them. It seems like the Michael Lynn way is the only
> way to go with their current attitude--full disclosure.
> As to the risk itself, it is my personal belief IOS rootkits are currently
> a threat as a targeted attack. Therefore, although of serious concern it is
> not yet something I fear on the Internet scale.
> Pure FUD, Cisco provided us with no real data:
> I do however dread the day XR gains some popularity, then it is as bad as
> Windows XP exploitability-wise. 2003, year of the worm. 2013, year of the
> Cisco worms?
>        Gadi.

More information about the NANOG mailing list