Re: Synful Knock questions...

[Marcin Cieslak <saper () saper info>]

On Tue, 15 Sep 2015, Jake Mertel wrote:

> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm lead to believe that the process(s) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
>
> ###
> Malware Executable Code Placement
>
> To prevent the size of the image from changing, the malware overwrites
> several legitimate IOS functions with its own executable code. The
> attackers will examine the current functionality of the router and
> determine functions that can be overwritten without causing issues on the
> router. Thus, the overwritten functions will vary upon deployment.
> ###
>
> So, if the device in question isn't using OSPF, then the malware may
> overwrite the code for the OSPF process, allowing them to A) infect the
> device; B) cause no disruption to the operational state of the device
> (since, presumably, OSPF isn't going to be turned on); and C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

That explains why on my home IOS router either IPsec works properly or 802.11,
but never both :)

~Marcin