nanog mailing list archives
Re: Synful Knock questions...
From: Marcin Cieslak <saper () saper info>
Date: Tue, 15 Sep 2015 18:50:37 +0000
On Tue, 15 Sep 2015, Jake Mertel wrote:
> Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, I'm led to believe that the process(es) they overwrite are selected to cause no impact to the device. Relevant excerpt:
>
> ###
> Malware Executable Code Placement
>
> To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.
> ###
>
> So, if the device in question isn't using OSPF, then the malware may overwrite the code for the OSPF process, allowing them to A) infect the device; B) cause no disruption to the operational state of the device (since, presumably, OSPF isn't going to be turned on); and C) keep the image firmware file size the same, preventing easy detection of the compromise.
That explains why on my home IOS router either IPsec works properly or 802.11, but never both :)

~Marcin
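The excerpt quoted above makes one defender-relevant point: because the modified functions are overwritten in place, the image file keeps its original size, so a size comparison against the vendor image detects nothing. The script below is an added illustration, not code from this thread or from FireEye's report. It builds a constructed stand-in for a firmware image, applies a same-size overwrite of the kind the excerpt describes, and then compares the result to the reference by size and by SHA-256. The reference size and hash are assumed to come from a trusted out-of-band source (for example a vendor-published hash), never from the device under examination; the image bytes, offset and payload are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a firmware image (4096 bytes). Not a real IOS image.
KNOWN_GOOD_IMAGE = bytes(range(256)) * 16


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def same_size_overwrite(image: bytes, offset: int, payload: bytes) -> bytes:
    """Return a copy of `image` with `payload` written at `offset`.

    The total length is unchanged, which models the size-preserving,
    in-place replacement of existing functions described in the excerpt.
    The offset and payload here are constructed values for the example.
    """
    if offset < 0 or offset + len(payload) > len(image):
        raise ValueError("payload does not fit inside the image")
    return image[:offset] + payload + image[offset + len(payload):]


def check_image(candidate: bytes, reference_size: int, reference_sha256: str) -> dict:
    """Compare a candidate image to trusted reference values.

    `reference_size` and `reference_sha256` are assumed to be obtained from
    a trusted source independent of the device (assumption for this example).
    Returns which of the two checks pass, so the caller can see that a size
    match alone says nothing about integrity.
    """
    size_ok = len(candidate) == reference_size
    hash_ok = hmac.compare_digest(sha256_hex(candidate), reference_sha256)
    return {"size_matches": size_ok, "hash_matches": hash_ok}


def demo() -> dict:
    """Run the size-vs-hash comparison on a clean and a tampered copy."""
    ref_size = len(KNOWN_GOOD_IMAGE)
    ref_hash = sha256_hex(KNOWN_GOOD_IMAGE)

    # Constructed tampered copy: 64 bytes at offset 1024 replaced in place.
    tampered = same_size_overwrite(KNOWN_GOOD_IMAGE, 1024, b"\x90" * 64)

    return {
        "clean": check_image(KNOWN_GOOD_IMAGE, ref_size, ref_hash),
        "tampered": check_image(tampered, ref_size, ref_hash),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} size_matches={result['size_matches']} "
              f"hash_matches={result['hash_matches']}")
```

The tampered copy passes the size check and fails the hash check, which is the whole point: integrity of an image on disk has to be established with a cryptographic digest against a reference the device cannot influence. A file-level check of this kind says nothing about code that has already been modified in memory on a running system; that needs a separate, in-memory verification.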