Researchers develop lightweight Cisco IOS rootkit

By Michael S. Mimoso, Editor, Information Security magazine
07 Aug 2008 | SearchSecurity.com

LAS VEGAS -- A security researcher today at Black Hat demonstrated a lightweight rootkit for the Cisco Internetworking Operating System (IOS) that in theory could own an embedded network device such as a router or switch.

Building on work presented in May at the EUSecWest conference, Core Security Technologies Inc. director of research Ariel Futoransky explained how in a few short months, he and fellow Core Security researchers Sebastian Muniz and Gerardo Richarte pared the original Da IOS Rootkit (DIK) from two hours of processing time to 45 infections per second, therefore making the likelihood of a successful attack much more plausible.

"We focused on doing this really fast in the context of an embedded system; this was an optimization exercise," Futoransky said. "We are doing this as small as possible to demonstrate that it is possible to [infect an IOS image] on the fly without someone noticing."

"If this is going to take two hours to update, you're going to suspect something suspicious," Futoransky added. "As a lightweight [rootkit], this is a new scenario."

In this case, the lightweight analyzer is the rootkit payload. In Futoransky's example, once it infects an embedded device, it seeks out functionality an attacker would want to intercept, such as password checking, file manipulation, logging information, packet handling or access list manipulation. In its previous iteration, this processing time could take anywhere from 80 minutes to two hours, depending on the image size.

"The lightweight static analyzer is fast enough to run unnoticed within bootup, and compact enough to be used as exploit payload," Futoransky said.

Futoransky said an attacker would need either privileged or physical access to a system, or a vulnerability in IOS to install the rootkit. His demonstration assumes there is a vulnerability present in IOS that enables access if exploited.

Cleanup is no breeze. Upgrading to a new version of IOS, for example, won't rectify the issue if a network manager isn't aware of the presence of the rootkit, Futoransky said.

"If you're not making sure that the compromised code is not in charge at the time you are doing an upgrade, [the rootkit] could intercept the functions to write those [new] files to remain infected," he said.

Core Security has updated Cisco Systems Inc. on its findings. Futoransky would not provide additional details on that dialogue. Cisco did confirm the findings of Muniz's May presentation and quickly issued a paper and best practices.

The improved efficiency of the rootkit is sure to gain some attention. Futoransky hopes administrators managing Cisco devices keep a diligent eye on their infrastructures.

"I want them to suspect if someone, because a particular vulnerability is discovered in the future, got into their system, then they have to take extra measures to upgrade to make sure what is in there doesn't survive," he said. "We did this research on IOS because it makes sense, but this work applies to a range of devices."

Futoransky said he has not published these findings yet.
