IOS rootkits on the horizon

By stretch | Wednesday, May 14, 2008 at 9:23 p.m. UTC

Ever since the controversy concerning Michael Lynn's Black Hat 2005 talk illustrating the vulnerabilities of Cisco IOS routers, I've been expecting an increase in security research concerning attacks on network infrastructure. It seems that the next major story might be right around the corner.

A Computerworld article entitled Security researcher devises rootkit for Cisco's routers discusses Sebastian Muniz's work on creating an IOS-based rootkit.

The software can't be used to break into a Cisco router -- an attacker would need to have some kind of attack code or an administrative password on the router to install the rootkit. But once installed, it can be used to silently monitor and control the device.

Muniz said he has no plans to release the source code for his rootkit, but he wants to explain how he built it to counter the widespread perception that Cisco routers are somehow immune to this type of malware. "I've done this with the purpose of showing that IOS rootkits are real and that appropriate security measures must be taken," he said.

My mind is already busy trying to work out how one would install such a rootkit, and how it would interact with IOS. Muniz is scheduled to give an hour-long presentation at EUSecWest on the afternoon of May 22. Should be very interesting.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in News

Comments have closed for this article due to its age.