Re: [NANOG] IOS rootkits

[Gadi Evron <ge () linuxbox org>]

On Sun, 18 May 2008, Joel Jaeggli wrote:
> > The result from your check can easily be modified, first thing I would have 
> > changed is the checker.
>
> That is a normal thing to do with rootkits (return bogus results). Which is 
> part of the reason I suggested that method I did. Short of pulling the flash 
> you're not going to get a fully unbiased view of what's it on it thusly the 
> audit process has some limitations.
>
> A TCPA style boot process would be a better approach. It's certainly not a 
> quick fix since it in general can't be retrofited to existing products.

EuSecWest released this interview about the rootkit with its creator, 
Sebastian Muniz of Core Security, it also mentions a third party product 
to detect some of these issues. Thank whatever diety we like for FX's 
work, as obviously Cisco isn't there yet.

http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html



> > Say you did this from a usb stick--I'd just hide the rootkit in memory.
> >
> > > In the end if you subvert a router, presumably you're doing it for a
> > > purpose and given what the device does, that purpose is probably
> > > detectable in a well instrumented network.
> >
> > Subversion may not be the goal. A router is perfect for faking outgoing 
> > traffic. This traffic can contain stolen sniffed or relayed  data.
>
> If my device is now taking marching orders from a third party then by 
> definition it is subverted, regardless of agency or activity.
>
> sub verte - turn from under

_______________________________________________
NANOG mailing list
NANOG () nanog org
http://mailman.nanog.org/mailman/listinfo/nanog