Synful Knock questions...
Ricky Beam
jfbeam at gmail.com
Tue Sep 15 19:27:47 UTC 2015
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas
<Michael.Douglas at ieee.org> wrote:
> Does anyone have a sample of a backdoored IOS image?
The IOS image isn't what gets modified. ROMMON is altered to patch IOS
after decompression before passing control to it. I don't know WTF
they're going on and on about "file size". There are many reasons to
overwrite. The most likely reason the hack does this is because it's
easier than a dynamic allocation of executable memory. Plus, modifications
done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite
existing code SOMEWHERE.
Again, this is a ROMMON HACK, that doctors the running IOS image IN MEMORY
before starting IOS.
More information about the NANOG
mailing list