Re: [NANOG] IOS rootkits

["Elazar Broad" <elazar () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Keep in mind that rootkit functionality itself isn't all bad, take
anti-virus software for example. Its like a shark trawling the
bottom of the sea floor, looking up at its next meal on high; how
deeply can you hook the OS core...

Elazar

On Sun, 18 May 2008 14:45:48 -0400 Kurt Dillard
<kurtdillard () msn com> wrote:
> Apparently Gadi  doesn't understand either.  Rootkits don't need
> to exploit
> vulnerabilities in an OS, they leverage the design of the OS or
> the
> underlying hardware platform. You don't 'patch' the design of
> something. You
> want to stop rootkits in IOS? Don't allow it to run arbitrary
> code, run the
> OS in firmware rather than from writable storage. Go study up on
> rootkits
> for a few weeks before you complain about someone demonstrating
> one. Unlike
> you guys I happen to know what I am talking about as I've been
> studying
> malware including rootkits for over 10 years. By studying I mean
> taking them
> apart, figuring out how they work, and finding tools to deal with
> them; not
> reading some half-assed article on CNET or Ziff-Davis full of
> technical
> errors.
>
> Over the past few years Cisco, Apple, and Oracle have behaved an
> awful lot
> like Microsoft did 10 years ago, trying to pretend that their
> platforms are
> immune to malware and refusing to approach vulnerabilities head-on
> with an
> attitude of rational pragmatism. Dave Litchfield and his team have
> dragged
> Oracle kicking and screaming to the world of reality, the same has
> yet to
> happen with the other two firms.
>
> -----Original Message-----
> From: full-disclosure-bounces () lists grok org uk
> [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of
> n3td3v
> Sent: Sunday, May 18, 2008 12:50 PM
> To: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] [NANOG] IOS rootkits
>
> On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard
> <kurtdillard () msn com> wrote:
> > NETDOVE,
> > Obviously you have no idea how a rootkit works much less how to
> defend
> > against them, your rants make no sense.
> >
> > Kurt
>
> Dude,
>
> Gadi Evron is punching into this guy as well, check this out:
>
> ---------- Forwarded message ----------
> From: Gadi Evron <ge () linuxbox org>
> Date: Sun, May 18, 2008 at 3:48 PM
> Subject: Re: [NANOG] IOS rootkits
> To: Dragos Ruiu <dr () kyx net>
> Cc: topo () coresecurity com, fx () recurity-labs com, nanog () merit edu,
> ivan.arce () coresecurity com
>
>
> On Sun, 18 May 2008, Dragos Ruiu wrote:
> > On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
> >
> > > On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
> > > <mmc () internode com au> wrote:
> > > > If the way of running this isn't out in the wild and it's
> actually
> > > > dangerous then a pox on anyone who releases it, especially to
> gain
> > > > publicity at the expensive of network operators sleep and well
> being.
> > > > May you never find a reliable route ever again.
> > >
> > > This needs fixing. It doesnt need publicity at security
> conferences
> > > till after cisco gets presented this stuff first and asked to
> release
> > > an emergency patch.
> >
> > Bullshit.
> >
> > There is nothing to patch.
> >
> > It needs to be presented at conferences, exactly because people
> will
> > play ostrich and stick their heads in the sand and pretend it
> can't
> > happen to them, and do nothing about it until someone shows
> them, "yes
> > it can happen" and here is how....
> >
> > Which is exactly why we've accepted this talk. We've all known
> this is
> > a possibility for years, but I haven't seen significant motion
> forward
> > on this until we announced this talk. So in a fashion, this has
> > already helped make people more realistic about their
> infrastructure
> > devices. And the discussions, and idea interchange that will
> happen
> > between the smart folks at the conference will undoubtedly usher
> forth
> > other related issues and creative solutions.  Problems don't get
> fixed
> > until you talk about them.
>
> Dragus, while I hold full disclosure very close and it is dear to
> my
> heart, I admit the fact that it can be harmful. Let me link that
> to
> network operations.
>
> People forget history. A few years back I had a chat with Aleph1
> on the
> first days of bugtraq. He reminded me how things are not always
> black and
> white.
>
> Full disclosure, while preferable in my ideology, is not the best
> solution
> for all. One of the reasons bugtraq was created is because vendors
> did not
> care about security, not to mention have a capability to handle
> security
> issues, or avoid them to begin with.
>
> Full disclosure made a lot of progress for us, and while still a
> useful
> tool, with some vendors it has become far more useful to report to
> them
> and let them provide with a solution first.
>
> In the case of routers which are used for infrastructure as well
> as
> critical infrastructure, it is my strong belief that full
> disclosure is,
> at least at face value, a bad idea.
>
> I'd like to think Cisco, which has shown capability in the past,
> is as
> responsible as it should be on these issues. Experience tells me
> they have
> a ways to go yet even if they do have good processes in place with
> good
> people to employ them.
>
> I'd also like to think tier-1 and tier-2 providers get patches
> first
> before such releases. This used to somewhat be the case, last I
> checked it
> no longer is -- for legitimate concerns by Cisco. has this
> changed?
>
> So, if we don't patch the infrastructure up first, and clients
> don't know
> of problems until they are public "for their own security" (an
> argument
> that holds water only so much) perhaps it is the time for full
> disclosure
> to be considered a viable alternative.
>
> All that aside, this is a rootkit, not a vulnerability. There is
> no
> inherent vulnerability to patch (unless it is very local). There
> is the
> vulnerability of operators who don't so far even consider trojan
> horses
> as a threat, and the fact tools don't exist for them to do
> something once
> they do.
>
>       Gadi.
>
>
>
>
> > cheers,
> > --dr
> >
> >
> >
> > --
> > World Security Pros. Cutting Edge Training, Tools, and
> Techniques
> > London, U.K.   May 21/22 - 2008    http://cansecwest.com
> > pgpkey http://dragos.com/ kyxpgp
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQECAAYFAkgwi9AACgkQi04xwClgpZja4wP+LItuGYEbfP4lnTsVY1Yg6ct3YWxB
HxuuzQVAr3/oUM277IjSHNetjfZmQy76gvo+98G3vs1nFQFdoFYvzCL0zIvoDqdQWTmE
biTeEFZGDzbj2bXT9GmEdRKE6FJCHW9fhBNo8IC2/HA/Yo/eMXNOF9O4YQIoy7ZiOZvN
VrfDCUA=
=Rfys
-----END PGP SIGNATURE-----

--
Click here and enhance your romance with the perfect honeymoon vacation.  
http://tagline.hushmail.com/fc/Ioyw6h4dydz7TgMpyAUaBg2f10zdUDSgsuoAmpzKWDv7nSpmQA0FFu/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/