[104566] in North American Network Operators' Group
Re: [NANOG] IOS rootkits
daemon@ATHENA.MIT.EDU (Gadi Evron)
Sun May 18 23:30:39 2008
Date: Sun, 18 May 2008 22:30:01 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Joel Jaeggli <joelja@bogus.com>
In-Reply-To: <4830CFC3.9040401@bogus.com>
Cc: fx@recurity-labs.com, topo@coresecurity.com, ivan.arce@coresecurity.com,
nanog@merit.edu
Errors-To: nanog-bounces@nanog.org
On Sun, 18 May 2008, Joel Jaeggli wrote:
>>
>> The result from your check can easily be modified, first thing I would have
>> changed is the checker.
>
> That is a normal thing to do with rootkits (return bogus results). Which is
> part of the reason I suggested the method I did. Short of pulling the flash
> you're not going to get a fully unbiased view of what's on it; thus the
> audit process has some limitations.
>
> A TCPA style boot process would be a better approach. It's certainly not a
> quick fix since it in general can't be retrofitted to existing products.
EuSecWest released this interview about the rootkit with its creator,
Sebastian Muniz of Core Security; it also mentions a third party product
to detect some of these issues. Thank whatever deity we like for FX's
work, as obviously Cisco isn't there yet.
http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html
>> Say you did this from a usb stick--I'd just hide the rootkit in memory.
>>
>>> In the end if you subvert a router, presumably you're doing it for a
>>> purpose and given what the device does, that purpose is probably
>>> detectable in a well instrumented network.
>>
>> Subversion may not be the goal. A router is perfect for faking outgoing
>> traffic. This traffic can contain stolen sniffed or relayed data.
>
> If my device is now taking marching orders from a third party then by
> definition it is subverted, regardless of agency or activity.
>
> sub verte - turn from under
>
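As an added example, not part of the thread and not any vendor's or FX's tool: the "pull the flash" approach Joel describes reduces to hashing the image on a separate trusted workstation and comparing it to a digest obtained out of band, so that a rootkit living on the router never gets to answer the question. The image bytes, the image name and the manifest below are constructed for the demo (a real manifest holds vendor-published literals); a one-byte change to the copy is enough to make the check fail.

```python
import hashlib
import hmac

# Constructed stand-in for the raw image bytes copied off a router's flash
# card on a separate, trusted workstation (not via the router's own CLI).
SAMPLE_IMAGE = b"CONSTRUCTED-IOS-IMAGE-PLACEHOLDER\x00" * 64

# Constructed trusted manifest: image name -> expected SHA-256 hex digest.
# In a real check the digest is a literal obtained out of band from the
# vendor; it is computed here only so the example runs offline.
TRUSTED_MANIFEST = {
    "example-ios-image.bin": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hash the image bytes on the analyst's workstation, not on the router."""
    return hashlib.sha256(data).hexdigest()


def verify_image(name: str, data: bytes, manifest: dict) -> tuple:
    """Compare an offline image copy against the trusted manifest.

    Returns (ok, reason). The property that matters is that neither the
    digest nor the expected value ever passes through the device under
    examination, so a modified on-box checker cannot influence the result.
    """
    expected = manifest.get(name)
    if expected is None:
        return False, "no trusted digest recorded for %r" % name
    actual = sha256_hex(data)
    if hmac.compare_digest(actual, expected):
        return True, "image matches trusted manifest"
    return False, "digest mismatch (expected %s..., got %s...)" % (
        expected[:12], actual[:12])


def verify_file(path: str, name: str, manifest: dict) -> tuple:
    """Same check for an image file already copied to local disk."""
    with open(path, "rb") as fh:
        return verify_image(name, fh.read(), manifest)


def tampered_copy(data: bytes, offset: int = 0) -> bytes:
    """Flip one byte, simulating a modified image (used for the demo below)."""
    return data[:offset] + bytes([data[offset] ^ 0xFF]) + data[offset + 1:]


if __name__ == "__main__":
    print(verify_image("example-ios-image.bin", SAMPLE_IMAGE, TRUSTED_MANIFEST))
    print(verify_image("example-ios-image.bin",
                       tampered_copy(SAMPLE_IMAGE, 100), TRUSTED_MANIFEST))
    print(verify_image("unknown.bin", SAMPLE_IMAGE, TRUSTED_MANIFEST))
```

The check only covers the image at rest; as the thread notes, a rootkit that stays in memory leaves the flash copy intact, which is why the offline hash is a limited audit rather than a substitute for a measured boot.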
_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog