Security Researcher to release Cisco rootkit at EUSecWest
According to good friend Robert McMillan of IDG News, Sebastian Muniz, a researcher with Core Security Technologies, has developed malicious rootkit software for Cisco's routers, which he will release on May 22 at the EuSecWest conference in London.
This will mark the first time (at least publicly) that someone has released a rootkit written for the Cisco IOS. As McMillan states:
In the past, researchers have built malicious software, known as "IOS patching shellcode," that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.
Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.
The software cannot be used to break into a Cisco router -- an attacker would need to have some kind of attack code, or an administrative password on the router to install the rootkit, but once installed it can be used to silently monitor and control the device.
The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.
McMillan states that currently Muniz has no plans of releasing the source code to his rootkit, but instead, intends to discuss the concepts. Clearly Muniz has thought this out and learned from the experiences of Michael Lynn who was sued by Cisco mere hours after his presentation at Black Hat in 2005. McMillan interviews the lawyer used by Cisco in the Lynn case in his article, and I found her comments interesting:
Jennifer Granick, the Electronic Freedom Foundation lawyer who represented Lynn in 2005, said Cisco could bring these trade-secret claims against Muniz, but because the technical community reacted so negatively to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks of itself as really researcher-friendly," she said. "I think they will be very careful before filing legal action."
Really, "Cisco thinks of itself as researcher-friendly"? I can't say that I have had any dealings with them, so they very well may be, but I would bet that Lynn would beg to differ. I'll have to catch up with Felix "FX" Lindner at Black Hat Vegas this year and get his take on the matter... he certainly does enough research on their devices, I'd assume he must either love them, or love to hate them.
In any case, this brings me back full circle to an article I did after Black Hat Federal where I was pointing out that hacking Cisco devices may be the wave of the future. Based on some of the research being done by FX and his group, I'd be surprised if we don't see more of this. Maybe FX will try to one up Muniz's research for Black Hat Vegas, we'll have to wait and see!
Kudos to Rob for a great late-night read and one upping me on the exclusives, you should definitely go read the full article!
-Nate