Synful Knock questions...

Jake Mertel jake.mertel at ubiquityhosting.com
Tue Sep 15 18:54:30 UTC 2015


Indeed -- While there are methods that can be used to "pack" a file so that
it collides with a desirable checksum, that would be nearly impossible to
do in this scenario. I suspect that you're right in all regards -- that
taking the image file and checking it on another host would show obvious
indications of change, that local verification would be impossible since
the malware could presumably change the verification output, and that the
primary motivation for keeping the file size the same was to prevent simple
differential checks like those done by rancid from picking up the change.



--
Regards,

Jake Mertel
Ubiquity Hosting



Web: https://www.ubiquityhosting.com
Phone (direct): 1-480-478-1510
Mail: 5350 East High Street, Suite 300, Phoenix, AZ 85054


On Tue, Sep 15, 2015 at 11:50 AM, Michael Douglas <Michael.Douglas at ieee.org>
wrote:

> Wouldn't the calculated MD5/SHA sum for the IOS file change once it's
> modified (irrespective of staying the same size)?  I'd be interested to see
> if one of these backdoors would pass the IOS verify command or not.  Even
> if the backdoor changed the verify output; copying the IOS file off the
> router and MD5/SHA summing it on another host should show a difference.  I
> guess maintaining the file size is to prevent something like RANCID firing
> off a diff on the flash dir output.
>
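The off-box check the two messages describe, written out as an added example in Python (it is not code from either poster or from any vendor tool): the image is hashed on a trusted host and compared with a known-good record kept off the device, and the same image is also subjected to the size-only comparison that a diff of stored `dir flash:` output amounts to. A modification that keeps the file length unchanged passes the size comparison and fails the hash comparison. The image bytes, the `dir flash:` listing text, the file name `router-image.bin` and the known-good record are all constructed for the example; the listing format is an approximation, not exact IOS output.

```python
import hashlib
import hmac

# Constructed stand-in for a clean firmware image (deterministic filler, not a real IOS image).
CLEAN_IMAGE = bytes(range(256)) * 64          # 16384 bytes

# Hypothetical file name used throughout the example.
IMAGE_NAME = "router-image.bin"


def sha256_hex(data: bytes) -> str:
    """Hash computed on the analysis host, never taken from the device's own output."""
    return hashlib.sha256(data).hexdigest()


# Known-good record an operator would keep off-box, taken from a trusted copy of the
# image (for the example it is constructed directly from CLEAN_IMAGE).
KNOWN_GOOD = {
    "name": IMAGE_NAME,
    "size": len(CLEAN_IMAGE),
    "sha256": sha256_hex(CLEAN_IMAGE),
}


def implant_same_size(image: bytes, offset: int, payload: bytes) -> bytes:
    """Overwrite bytes in place so the result keeps the original length.

    This is the property the thread attributes to the modified image:
    same size, different contents.
    """
    if offset < 0 or offset + len(payload) > len(image):
        raise ValueError("payload does not fit inside the image")
    return image[:offset] + payload + image[offset + len(payload):]


def parse_dir_listing(listing: str) -> dict:
    """Reduce a `dir flash:`-style listing to {file name: size}.

    This is roughly all that a diff of a stored listing can observe.
    Entry lines are assumed to look like: index  perms  size  date...  name
    """
    sizes = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[2].isdigit():
            sizes[fields[-1]] = int(fields[2])
    return sizes


def size_check(listing: str, record: dict) -> bool:
    """Size-only comparison: what a listing diff effectively gives you."""
    return parse_dir_listing(listing).get(record["name"]) == record["size"]


def hash_check(image: bytes, record: dict) -> bool:
    """Content comparison on the exported image, done off-box."""
    return hmac.compare_digest(sha256_hex(image), record["sha256"])


def verify(image: bytes, listing: str, record: dict) -> dict:
    """Run both checks and report them separately so the gap between them is visible."""
    return {"size_ok": size_check(listing, record), "hash_ok": hash_check(image, record)}


# Constructed listing. The same text is what the device would show before and after a
# length-preserving modification, so a diff of it never fires.
DIR_LISTING = f"""Directory of flash:/

    1  -rw-       {len(CLEAN_IMAGE)}   Sep 15 2015 10:00:00 +00:00  {IMAGE_NAME}
"""

# Same-length tampered copy: 64 bytes overwritten at offset 4096.
TAMPERED_IMAGE = implant_same_size(CLEAN_IMAGE, 4096, b"\x90" * 64)


if __name__ == "__main__":
    print("clean   :", verify(CLEAN_IMAGE, DIR_LISTING, KNOWN_GOOD))
    print("tampered:", verify(TAMPERED_IMAGE, DIR_LISTING, KNOWN_GOOD))
```

The point of splitting the two checks is the one made in the thread: the listing-based check stays green for the tampered copy, while the hash computed on a separate host does not. The hash is only worth anything if both the computation and the reference value live off the device, since anything that can rewrite the image can also rewrite what the device prints for a local `verify`.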