We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Rootkit threatens security of Cisco routers

Security researcher has no plans to release rootkit

The routers that carry the internet's traffic are under scrutinity following the development of malicious rootkit for Cisco Systems' routers.

The Rootkit, which was developed by Sebastian Muniz, a security researcher with Core Security Technologies, will be unveiled on May 22 at the EuSecWest conference in London.

Rootkits are stealthy programs that cover up their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system, but this will mark the first time that someone has discussed a rootkit written for IOS, the Internetwork Operating System used by Cisco's routers.

"An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz said in an interview.

Rootkits are typically used to install key-logging software as well as programs that allow attackers to remotely connect with the infected system. However, the most notorious rootkit of all, distributed by Sony BMG Music, stopped unauthorised CD copying.

A Cisco rootkit is an issue because, like Microsoft's Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.

In the past, researchers have built malicious software, known as 'IOS patching shellcode', that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.

Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.

The software cannot be used to break into a Cisco router - an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device.

The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organiser Dragos Ruiu.

Muniz said he has no plans to release the source code for his rootkit, but he wants to explain how he built it to counter the widespread perception that Cisco routers are somehow immune to this type of malware. "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken," he said.

Security researcher Mike Lynn offered a similar rationalisation for his controversial 2005 Black Hack presentation showing how to hack into a Cisco router and run a small 'shellcode' program.

Lynn's presentation was "very shocking because, until then, nobody thought you could actually build exploits for Cisco," Ruiu said. "This rootkit is the next step".

Within hours of his 2005 Black Hat talk, Lynn was sued by Cisco, which claimed he had exposed trade secrets in violation of his Cisco end-user licence agreement.

Cisco's suit was quickly settled, but Muniz and his employer clearly have Lynn's experience in mind as they ready for next week's conference. They declined to provide technical details on the presentation ahead of time. "We're still in the process of putting the whole presentation together, and we also need to work with Cisco before we talk to anybody," a Core spokesman said. "The big concern is making sure that everything is cool with Cisco."

Cisco declined to comment for this story.

Jennifer Granick, the Electronic Freedom Foundation lawyer who represented Lynn in 2005, said that Cisco could bring these trade-secret claims against Muniz, but because the technical community reacted so negatively to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks of itself as really researcher-friendly," she said. "I think they will be very careful before filing legal action."

Still, the rootkit comes at a sensitive time for Cisco. The New York Times reported that the US Federal Bureau of Investigation (FBI) considers the problem of fake Cisco gear a critical US infrastructure threat.

In late February the FBI culminated a two-year investigation by breaking up a counterfeit Cisco distribution network and seizing an estimated $3.5m (£1.75m) worth of components manufactured in China. According to an FBI presentation on Operation Cisco Raider, fake Cisco routers, switches and cards were sold to the US Navy, the US Marine Corps, the US Air Force, the US Federal Aviation Administration, and even the FBI itself.

The US Department of Defense has expressed concerns that the lack of security in the microelectronics supply chain could threaten the country's defense systems, and the idea that an attacker could sneak a rootkit onto a counterfeit Cisco system has security experts worried.

Cisco routers are typically compromised by hackers who are able to guess their administrative passwords, said Johannes Ullrich, chief research officer with the SANS Institute SANS Institute. But there are few tools around to check these systems for signs of hacking. "How would you find out?" he said. "That's the big problem."

Visit Security Advisor for the latest internet threat news, and internet security product reviews


IDG UK Sites

Black Friday 2014 tech deals UK Live: Best Black Friday deals from Apple, Amazon, Argos, eBay,...

IDG UK Sites

Black Friday feeding frenzy infects the UK

IDG UK Sites

VAT MOSS: Will I be affected by the EU VAT changes? Here are the facts for designers and artists

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & Black Friday tech offers