LAS VEGAS -- A security researcher today at Black Hat demonstrated a lightweight rootkit for the Cisco Internetworking Operating System (IOS) that in theory could own an embedded network device such as a router or switch.
Building on work presented in May at the EUSecWest conference, Core Security Technologies Inc. director of research Ariel Futoransky explained how, in a few short months, he and fellow Core Security researchers Sebastian Muniz and Gerardo Richarte pared the original Da IOS Rootkit (DIK) down from two hours of processing time to 45 infections per second, thereby making a successful attack much more plausible.
"We focused on doing this really fast in the context of an embedded system; this was an optimization exercise," Futoransky said. "We are doing this as small as possible to demonstrate that it is possible to [infect an IOS image] on the fly without someone noticing."
"If this is going to take two hours to update, you're going to suspect something suspicious," Futoransky added. "As a lightweight [rootkit], this is a new scenario."
In this case, the lightweight analyzer is the rootkit payload. In Futoransky's example, once it infects an embedded device, it seeks out functionality an attacker would want to intercept, such as password checking, file manipulation, logging information, packet handling or access list manipulation. In its previous iteration, this processing time could take anywhere from 80 minutes to two hours, depending on the image size.
"The lightweight static analyzer is fast enough to run unnoticed within bootup, and compact enough to be used as exploit payload," Futoransky said.
Futoransky said an attacker would need either privileged or physical access to a system, or a vulnerability in IOS to install the rootkit. His demonstration assumes there is a vulnerability present in IOS that enables access if exploited.
Cleanup is no breeze. Upgrading to a new version of IOS, for example, won't rectify the issue if a network manager isn't aware of the presence of the rootkit, Futoransky said.
"If you're not making sure that the compromised code is not in charge at the time you are doing an upgrade, [the rootkit] could intercept the functions to write those [new] files to remain infected," he said.
Core Security has updated Cisco Systems Inc. on its findings. Futoransky would not provide additional details on that dialogue. Cisco did confirm the findings of Muniz's May presentation and quickly issued a paper and best practices.
The improved efficiency of the rootkit is sure to gain some attention. Futoransky hopes administrators managing Cisco devices keep a diligent eye on their infrastructures.
"I want them to suspect if someone, because a particular vulnerability is discovered in the future, got into their system, then they have to take extra measures to upgrade to make sure what is in there doesn't survive," he said. "We did this research on IOS because it makes sense, but this work applies to a range of devices."
Futoransky said he has not published these findings yet.