Security Researcher to release Cisco rootkit at EUSecWest

Summary: According to good friend Robert McMillan of IDG News, Sebastian Muniz, a researcher with Core Security Technologies, has developed malicious rootkit software for Cisco's routers, which he will release on May 22 at the EuSecWest conference in London. This will mark the first time (at least publicly) that someone has released a rootkit written for the Cisco IOS.

TOPICS: Security, Cisco

According to good friend Robert McMillan of IDG News, Sebastian Muniz, a researcher with Core Security Technologies, has developed malicious rootkit software for Cisco's routers, which he will release on May 22 at the EuSecWest conference in London. 

This will mark the first time (at least publicly) that someone has released a rootkit written for the Cisco IOS. As McMillan states:

In the past, researchers have built malicious software, known as "IOS patching shellcode," that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.

Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.

The software cannot be used to break into a Cisco router -- an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device.

The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.

McMillan states that Muniz currently has no plans to release the source code to his rootkit, but instead intends to discuss the concepts. Clearly Muniz has thought this out and learned from the experiences of Michael Lynn, who was sued by Cisco mere hours after his presentation at Black Hat in 2005. McMillan interviews the lawyer used by Cisco in the Lynn case in his article, and I found her comments interesting:

Jennifer Granick, the Electronic Freedom Foundation lawyer who represented Lynn in 2005, said Cisco could bring these trade-secret claims against Muniz, but because the technical community reacted so negatively to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks of itself as really researcher-friendly," she said. "I think they will be very careful before filing legal action."

Really, "Cisco thinks of itself as researcher-friendly"?  I can't say that I have had any dealings with them, so they very well may be, but I would bet that Lynn would beg to differ.  I'll have to catch up with Felix "FX" Lindner at Black Hat Vegas this year and get his take on the matter... he certainly does enough research on their devices, I'd assume he must either love them, or love to hate them.

In any case, this brings me back full circle to an article I did after Black Hat Federal where I was pointing out that hacking Cisco devices may be the wave of the future. Based on some of the research being done by FX and his group, I'd be surprised if we don't see more of this. Maybe FX will try to one-up Muniz's research for Black Hat Vegas; we'll have to wait and see!

Kudos to Rob for a great late-night read and for one-upping me on the exclusives; you should definitely go read the full article!

-Nate


Talkback

9 comments
  • Rootkit on a Router

    This could be interesting... Cisco likes to put voice on a router, too! I can just imagine the trouble someone could cause with this one.
    All your eggs in one basket is a bad idea.
    crash89
  • RE: Security Researcher to release Cisco rootkit at EUSecWest

    Well, I have had dealings with Cisco, wrt research and security issues, and I have found the company to be very respectful of people they may not always agree with.

    And why do people think it wise or good to develop such things, because such things (e.g., this router break-in code) can only hurt others?

    I'd like to see Cisco make the choice to sue -- because they will certainly be hurting others, that's their intent, remember, that's what publishing such a program does; that's all it can be used for.
    jgisme2@...
    • Narrow-minded view

      For one, the researcher is not publishing the exploit code. I question whether you have dealt with Cisco on research that relates to exploiting a vulnerability; that may be why you have a different take on things.

      It's important that the researcher do this to point out the weakness. You can't cover your head and hope there are no bad guys out there; there are. Researchers should be cheered for helping companies identify issues and fix them.

      -Nate
      nmcfeters
      • Well, maybe not

        Nate, here is the problem.

        Yes, this coder says he will not publish his code. I was getting all set to jump up and down about that publishing, so fine.

        But. If he really has the good of the community in mind, he will _not_ publish that he is doing this at all. He will instead go to Cisco with his presentation.

        It is all this ego in the 'security expert' community which is giving real dangers an acceleration.

        Knowing that you _can_ do something is a great boost to actually doing it. That has been shown over and over in the progress of real science.

        Thus each time one of these thoughtless persons crows to the world or their black hat community about their neat hack, they raise the very great possibility that it will be duplicated, and that we will all suffer.

        Cisco routers - what a great place for incredible damage. Someone is not thinking, again.

        For those who actually publish exploits, like this guy with the Ubuntu SSL one this morning, I think there is only one way to view it - incredibly stupid, incredibly selfish.

        I hope we can raise a very high volume voice campaign, against those who publish.

        If they don't listen, well, that is what a legal system is actually supposed to deal with, so I imagine the cases so far should be a warning.

        Regards,
        Narr Vi
        Narr vi
  • So all you need is an Admin password

    Well, a few months ago a systems engineer came to my office to install our new router for an upgraded Internet connection. When he put the router in place, I asked what the "en" password was; he stated "cisco", of course. He then told me that every router they put into place has that password and most customers do not have the knowledge or desire to change it. Now, of course, this would not apply to a large corp., but small to mid-range shops may be in some trouble with this one.
    riveroad
    • You might be surprised

      to know that this happens in large corporations all the time.

      -Nate
      nmcfeters
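The two threads above converge on one point: the rootkit McMillan describes needs an administrative password to install, and the comments describe routers shipped with a default enable password that never gets changed. The following is an added example, not code from the article or from Cisco, showing a small audit that a defender could run over a saved IOS running-config to flag exactly that kind of weakness before a device goes live. The sample configuration is constructed for illustration (the hostname, the type 7 hash and the "cisco" password are made up or taken from the comment, not from any real device), and the list of weak defaults is an assumption you would extend for your own environment.

```python
import re

# Constructed sample running-config (not from the article). It reproduces the
# situation the comments describe: a default enable password, a reversible
# type 7 user password, and telnet left open on the first vty lines.
WEAK_CONFIG = """\
hostname edge-router
enable password cisco
username admin password 7 094F471A1A0A
line vty 0 4
 transport input telnet
 password cisco
 login
line vty 5 15
 transport input ssh
 login local
"""

# Constructed hardened counterpart: 'enable secret' and 'username ... secret'
# store one-way hashes, and management is restricted to SSH with local login.
# The secret values are placeholders, not real credentials.
HARDENED_CONFIG = """\
hostname edge-router
enable secret PLACEHOLDER-ENABLE-SECRET
username admin privilege 15 secret PLACEHOLDER-USER-SECRET
line vty 0 15
 transport input ssh
 login local
"""

# Assumed list of vendor/installer defaults worth flagging; extend as needed.
WEAK_DEFAULTS = {"cisco", "admin", "password"}

# Matches "password <value>" or "password <type> <value>" at the end of a line;
# <type> 0 means cleartext and 7 means the reversible Vigenere-style encoding.
PASSWORD_RE = re.compile(r"\bpassword (?:(\d) )?(\S+)$")


def audit_config(text):
    """Return a list of (line_number, message) findings for an IOS config."""
    findings = []
    context = None  # the enclosing top-level command, e.g. 'line vty 0 4'
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            context = line  # unindented lines open a new configuration section
        if line.startswith("enable password "):
            findings.append((lineno, "'enable password' is stored in a recoverable "
                                     "form; use 'enable secret' instead"))
        m = PASSWORD_RE.search(line)
        if m:
            ptype, value = m.group(1), m.group(2)
            if ptype == "7":
                findings.append((lineno, "type 7 password is trivially reversible"))
            elif ptype in (None, "0") and value.lower() in WEAK_DEFAULTS:
                findings.append((lineno, f"default/weak password '{value}' in "
                                         f"'{context}'"))
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append((lineno, f"cleartext telnet management allowed on "
                                     f"'{context}'"))
    return findings


def is_clean(text):
    """True when the audit raises no findings."""
    return not audit_config(text)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for lineno, msg in audit_config(cfg) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run against the weak sample it reports the enable password twice (once for the command form, once for the default value), the type 7 user password, the telnet transport and the vty password; the hardened sample produces no findings. It only looks at the saved configuration, so it says nothing about what is already in flash, which is where the quoted article says the rootkit lives; treat it as a pre-deployment check, not as a detection for a compromised device.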
  • RE: Security Researcher to release Cisco rootkit at EUSecWest

    I'm getting a little sick of these people calling themselves "security researchers". How about "moron"? A little more apt. Cisco is in the business of moving data. What gives this guy the right to attempt to assist the underground criminal community in gaining access to the inner sanctum of global networks simply because he thinks himself brilliant?
    pgray525@...
  • RE: Security Researcher to release Cisco rootkit at EUSecWest

    Yeah... And to that "guy" who released the openssl issue. I would have rather not known that all my certs for every Ubuntu box over the last 2 years are worthless. That way I could have been owned and never been the wiser. Now, I have to actually do some work and fix things.....

    Pure ego!
    someguy225
  • RE: Security Researcher to release Cisco rootkit at EUSecWest

    Seems that a media blackout happened...
    I was digging about the subject and found the creator's blog at http://ret2libc.blogspot.com with some posts about it.
    delta222