http://www.infoworld.com/article/08/05/14/Hacker-writes-rootkit-for-Ciscos-routers_1.html
By Robert McMillan
IDG News Service
May 14, 2008
A security researcher has developed malicious rootkit software for Cisco
Systems' routers, a development that has placed increasing scrutiny on
the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher with Core Security Technologies, developed
the software, which he will unveil on May 22 at the EuSecWest conference
in London.
Rootkits are stealthy programs that cover up their tracks on a computer,
making them extremely hard to detect. To date, the vast majority of
rootkits have been written for the Windows operating system, but this
will mark the first time that someone has discussed a rootkit written
for IOS, the Internetwork Operating System used by Cisco's routers. "An
IOS rootkit is able to perform the tasks that any other rootkit would do
on desktop computer operating systems," Muniz said in an interview.
Rootkits are typically used to install key-logging software as well as
programs that allow attackers to remotely connect with the infected
system. However, the most notorious rootkit of all, distributed by Sony
BMG Music, stopped unauthorized CD copying.
A Cisco rootkit is particularly worrisome because, like Microsoft's
Windows, Cisco's routers are very widely used. Cisco owned nearly
two-thirds of the router market in the fourth quarter of 2007, according
to research firm IDC.
In the past, researchers have built malicious software, known as "IOS
patching shellcode," that could compromise a Cisco router, but those
programs are custom-written to work with one specific version of IOS.
Muniz's rootkit will be different. "It could work on several different
versions of IOS," he said.
The software cannot be used to break into a Cisco router -- an attacker
would need to have some kind of attack code, or an administrative
password on the router to install the rootkit, but once installed it can
be used to silently monitor and control the device.
The rootkit runs in the router's flash memory, which contains the first
commands that it uses to boot up, said EuSecWest conference organizer
Dragos Ruiu.
Muniz said he has no plans to release the source code for his rootkit,
but he wants to explain how he built it to counter the widespread
perception that Cisco routers are somehow immune to this type of
malware. "I've done this with the purpose of showing that IOS rootkits
are real, and that appropriate security measures must be taken," he
said.
Security researcher Mike Lynn offered a similar rationalization for his
controversial 2005 Black Hack presentation showing how to hack into a
Cisco router and run a small "shellcode" program.
Lynn's presentation was "very shocking because, until then, nobody
thought you could actually build exploits for Cisco," Ruiu said. "This
rootkit is the next step."
Within hours of his 2005 Black Hat talk, Lynn was sued by Cisco, which
claimed he had exposed trade secrets in violation of his Cisco end-user
license agreement.
Cisco's suit was quickly settled, but Muniz and his employer clearly
have Lynn's experience in mind as they ready for next week's conference.
They declined to provide technical details on the presentation ahead of
time. "We're still in the process of putting the whole presentation
together, and we also need to work with Cisco before we talk to
anybody," a Core spokesman said. "The big concern is making sure that
everything is cool with Cisco."
Cisco declined to comment for this story.
Jennifer Granick, the Electronic Freedom Foundation lawyer who
represented Lynn in 2005, said that Cisco could bring these trade-secret
claims against Muniz, but because the technical community reacted so
negatively to the 2005 lawsuit, she believes that this may not happen.
"Cisco thinks of itself as really researcher-friendly," she said. "I
think they will be very careful before filing legal action."
Still, the rootkit comes at a sensitive time for Cisco. Last week, the
New York Times reported that the FBI considers the problem of fake Cisco
gear a critical U.S. infrastructure threat.
In late February the FBI culminated a two-year investigation by breaking
up a counterfeit Cisco distribution network and seizing an estimated
$3.5 million worth of components manufactured in China. According to an
FBI presentation on Operation Cisco Raider, fake Cisco routers, switches
and cards were sold to the U.S. Navy, the U.S. Marine Corps., the U.S.
Air Force, the U.S. Federal Aviation Administration, and even the FBI
itself.
The U.S. Department of Defense has expressed concerns that the lack of
security in the microelectronics supply chain could threaten the
country's defense systems, and the idea that an attacker could sneak a
rootkit onto a counterfeit Cisco system has security experts worried.
Cisco routers are typically compromised by hackers who are able to guess
their administrative passwords, said Johannes Ullrich, chief research
officer with the SANS Institute. But there are few tools around to check
these systems for signs of hacking. "How would you find out?" he said.
"That's the big problem."
_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Comments