Full Disclosure mailing list archives

Re: [NANOG] IOS rootkits


From: n3td3v <xploitable () gmail com>
Date: Sun, 18 May 2008 23:40:51 +0100

On Sun, May 18, 2008 at 7:45 PM, Kurt Dillard <kurtdillard () msn com> wrote:
> Apparently Gadi doesn't understand either. Rootkits don't need to exploit
> vulnerabilities in an OS, they leverage the design of the OS or the
> underlying hardware platform. You don't 'patch' the design of something. You
> want to stop rootkits in IOS? Don't allow it to run arbitrary code, run the
> OS in firmware rather than from writable storage. Go study up on rootkits
> for a few weeks before you complain about someone demonstrating one. Unlike
> you guys I happen to know what I am talking about as I've been studying
> malware including rootkits for over 10 years. By studying I mean taking them
> apart, figuring out how they work, and finding tools to deal with them; not
> reading some half-assed article on CNET or Ziff-Davis full of technical
> errors.
>
> Over the past few years Cisco, Apple, and Oracle have behaved an awful lot
> like Microsoft did 10 years ago, trying to pretend that their platforms are
> immune to malware and refusing to approach vulnerabilities head-on with an
> attitude of rational pragmatism. Dave Litchfield and his team have dragged
> Oracle kicking and screaming to the world of reality, the same has yet to
> happen with the other two firms.

As soon as this presentation is done, someone like HD Moore will work
out what's going on, code something, and do what he normally does and
release some kind of point-and-click disaster for the script kids to
use.

Sebastian Muniz isn't planning to release any source code, but
with brain boxes like HD Moore around he won't need to.

He will pretty much hint to the HD Moores of the world how it's all
happening, and then it's going to be script kiddie hell as soon as the
HD Moores of the world release a point-and-click disaster.

Folks like HD Moore are desperate for new things to leverage to get a
name for themselves that will shock and awe the security world so that
they will go down in the history books as some great hero of info sec.

Trust me, I don't want the HD Moores of the world working out how to
do Cisco rootkits, because he will only code something and throw it
out to the masses.

This kind of Cisco rootkit should be placed under the secrecy act so
it's illegal to release this kind of thing, which should only be used by
the intelligence services.

I think Gadi and I are right in saying, if this presentation goes
ahead it's going to be an absolute disaster as soon as HD Moore catches
on to how it's done.

I'm not technically gifted so I can't join in the technical discussion
but I see a threat when I see one.

All the best,

n3td3v

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
