Cisco confirms possibility of IOS rootkits

Summary:On the heels of an EUSecWest conference presentation on malicious rootkits for Cisco IOS (see background), Cisco's security response team has published a must-read document confirming that stealthy malware can be loaded on the software used on the vast majority of its routers and network switches.Cisco warns:It is possible that an attacker could insert malicious code into a Cisco IOS software image and load it onto a Cisco device that supports that image.

Cisco confirms possibility of IOS rootkits
On the heels of an EUSecWest conference presentation on malicious rootkits for Cisco IOS (see background), Cisco's security response team has published a must-read document confirming that stealthy malware can be loaded on the software used on the vast majority of its routers and network switches.

Cisco warns:

It is possible that an attacker could insert malicious code into a Cisco IOS software image and load it onto a Cisco device that supports that image. This attack scenario could occur on any device that uses a form of software, given a proper set of circumstances.

The company's confirmation follows a technical discussion by Core Security researcher Sebastian Muniz of "Da IOS Rootkit," which is basically a binary modification to the IOS image downloaded from the device.

In this Q&A, Muniz explains his creation:

The main feature of Da IOS Rootkit is the universal password. Every call to the different password validation routines grant access to the user if the unique rootkit password is specified. This is what will be in the public release. Other features such as hiding files, processes and connections will not be included. The core of the rootkit code is written in plain C instead of assembly. It doesn't persist through upgrades yet but future versions probably will.

I haven't tested on Catalyst switches because they run CatOS which a different than IOS. The rootkit code is rather generic so it should work with some modifications. As a matter of fact, some parts of the code are so generic that they will work on any other class of devices (not even CISCO devices).

Cisco, in response, published a list of security best practices  to improve the security posture of a routing and switching network.  "These practices are particularly relevant to ensure that Cisco IOS devices only use authorized and unaltered Cisco IOS software images," the company said.

Topics: Cisco, Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.