
Researchers develop lightweight Cisco IOS rootkit

Black Hat: Building on previous research against IOS, Core Security researchers have theoretically shown the plausibility of an IOS rootkit attack.

LAS VEGAS -- A security researcher today at Black Hat demonstrated a lightweight rootkit for the Cisco Internetworking Operating System (IOS) that in theory could own an embedded network device such as a router or switch.


Building on work presented in May at the EUSecWest conference, Core Security Technologies Inc. director of research Ariel Futoransky explained how, in a few short months, he and fellow Core Security researchers Sebastian Muniz and Gerardo Richarte cut the original Da IOS Rootkit (DIK) from two hours of processing time down to a rate of 45 infections per second, making a successful attack far more plausible.

"We focused on doing this really fast in the context of an embedded system; this was an optimization exercise," Futoransky said. "We are doing this as small as possible to demonstrate that it is possible to [infect an IOS image] on the fly without someone noticing."

"If this is going to take two hours to update, you're going to suspect something suspicious," Futoransky added. "As a lightweight [rootkit], this is a new scenario."

In this case, the lightweight analyzer is the rootkit payload. In Futoransky's example, once it infects an embedded device, it seeks out functionality an attacker would want to intercept, such as password checking, file manipulation, logging information, packet handling or access list manipulation. In its previous iteration, this processing time could take anywhere from 80 minutes to two hours, depending on the image size.


"The lightweight static analyzer is fast enough to run unnoticed within bootup, and compact enough to be used as exploit payload," Futoransky said.

Futoransky said an attacker would need either privileged or physical access to a system, or a vulnerability in IOS to install the rootkit. His demonstration assumes there is a vulnerability present in IOS that enables access if exploited.

Cleanup is no breeze. Upgrading to a new version of IOS, for example, won't rectify the issue if a network manager isn't aware of the presence of the rootkit, Futoransky said.

"If you're not making sure that the compromised code is not in charge at the time you are doing an upgrade, [the rootkit] could intercept the functions to write those [new] files to remain infected," he said.
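The practical consequence of that caveat is that image integrity has to be verified somewhere the suspect code cannot interpose itself. The following is an added example, not code from Core Security, Cisco or the article: it records the size, version banner and SHA-256 of a known-good image on a separate analysis host and then checks a copy pulled off a device against that record. The image bytes and banner string are constructed for the demonstration; the point it makes is that an in-place patch can leave size and banner untouched, so only the full-file hash exposes it.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ImageCheck:
    """Result of comparing a retrieved image against a trusted reference."""
    size_matches: bool
    banner_matches: bool
    hash_matches: bool

    @property
    def trusted(self) -> bool:
        # Size and banner are weak signals; only the hash decides.
        return self.hash_matches


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_reference(image: bytes, banner: bytes) -> dict:
    """Record the known-good image on an analysis host.

    This is deliberately computed off the device: a rootkit that has hooked
    the file-handling or hashing routines on the box could answer the
    device's own verification command with whatever it likes.
    """
    return {"size": len(image), "banner": banner, "sha256": sha256_of(image)}


def check_image(candidate: bytes, reference: dict) -> ImageCheck:
    """Compare a copy of the image retrieved from a device to the reference."""
    return ImageCheck(
        size_matches=len(candidate) == reference["size"],
        banner_matches=reference["banner"] in candidate,
        hash_matches=sha256_of(candidate) == reference["sha256"],
    )


def patched_copy(image: bytes, offset: int) -> bytes:
    """Simulate an in-place modification that keeps size and banner intact.

    Flipping a single byte well past the banner is enough to change the hash
    while leaving the two naive checks unchanged.
    """
    new_byte = (image[offset] + 1) % 256
    return image[:offset] + bytes([new_byte]) + image[offset + 1:]


# Constructed sample image: a made-up banner followed by filler bytes.
SAMPLE_BANNER = b"IOS-SAMPLE-12.4(XX)"
GOOD_IMAGE = SAMPLE_BANNER + b" constructed\x00" + bytes(range(256)) * 4
REFERENCE = build_reference(GOOD_IMAGE, SAMPLE_BANNER)
PATCHED_IMAGE = patched_copy(GOOD_IMAGE, offset=200)


if __name__ == "__main__":
    for label, image in (("good", GOOD_IMAGE), ("patched", PATCHED_IMAGE)):
        result = check_image(image, REFERENCE)
        print(f"{label}: size={result.size_matches} banner={result.banner_matches} "
              f"hash={result.hash_matches} trusted={result.trusted}")
```

In use, the reference would be built from the vendor-supplied image on the analysis host, and the candidate would be the file copied off the device, not a hash the device reports about itself.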

Core Security has updated Cisco Systems Inc. on its findings. Futoransky would not provide additional details on that dialogue. Cisco did confirm the findings of Muniz's May presentation and quickly issued a paper and best practices.

The improved efficiency of the rootkit is sure to gain some attention. Futoransky hopes administrators managing Cisco devices keep a diligent eye on their infrastructures.

"I want them to suspect if someone, because a particular vulnerability is discovered in the future, got into their system, then they have to take extra measures to upgrade to make sure what is in there doesn't survive," he said. "We did this research on IOS because it makes sense, but this work applies to a range of devices."

Futoransky said he has not published these findings yet.
