[183761] in North American Network Operators' Group
Re: Synful Knock questions...
daemon@ATHENA.MIT.EDU (Marcin Cieslak)
Tue Sep 15 14:53:10 2015
X-Original-To: nanog@nanog.org
Date: Tue, 15 Sep 2015 18:50:37 +0000
From: Marcin Cieslak <saper@saper.info>
To: Jake Mertel <jake.mertel@ubiquityhosting.com>
In-Reply-To: <CAOhg=RzdgyUOF5t_4vba5Voxy9tr6W-_sgFdEzu9r7RDrajAbA@mail.gmail.com>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Tue, 15 Sep 2015, Jake Mertel wrote:
> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm led to believe that the process(es) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
>
> ###
> Malware Executable Code Placement
>
> To prevent the size of the image from changing, the malware overwrites
> several legitimate IOS functions with its own executable code. The
> attackers will examine the current functionality of the router and
> determine functions that can be overwritten without causing issues on the
> router. Thus, the overwritten functions will vary upon deployment.
> ###
>
> So, if the device in question isn't using OSPF, then the malware may
> overwrite the code for the OSPF process, allowing them to A) infect the
> device; B) cause no disruption to the operational state of the device
> (since, presumably, OSPF isn't going to be turned on); and C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.
That explains why on my home IOS router either IPsec works properly or 802.11,
but never both :)
~Marcin
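Added example (my own, not code from the thread or from FireEye's report) illustrating point C above: an in-place overwrite leaves the image size unchanged, so a size check alone sees nothing, while a hash comparison against a known-good copy does, and a byte-level diff then localises the overwritten ranges. The "image" bytes below are constructed, not a real IOS image.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Content hash of an image; compare against the vendor-published value."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(known_good: bytes, sample: bytes):
    """Return [(start, end), ...] byte ranges where two equal-size images differ."""
    if len(known_good) != len(sample):
        raise ValueError("images differ in size; compare like for like")
    ranges = []
    start = None
    for i, (a, b) in enumerate(zip(known_good, sample)):
        if a != b and start is None:
            start = i                      # entering a modified region
        elif a == b and start is not None:
            ranges.append((start, i))      # leaving a modified region
            start = None
    if start is not None:
        ranges.append((start, len(sample)))
    return ranges


def check_image(known_good: bytes, sample: bytes) -> dict:
    """Size check, hash check, and (for same-size images) where the bytes changed."""
    same_size = len(known_good) == len(sample)
    same_hash = sha256_hex(known_good) == sha256_hex(sample)
    result = {"same_size": same_size, "same_hash": same_hash, "modified_ranges": []}
    if same_size and not same_hash:
        result["modified_ranges"] = differing_ranges(known_good, sample)
    return result


# Constructed sample data: a pristine blob and a copy in which one "function"
# region has been overwritten in place, so the size is unchanged.
PRISTINE = bytes(range(256)) * 4            # 1024 bytes
_tampered = bytearray(PRISTINE)
_tampered[300:340] = b"\x90" * 40           # 40 bytes replaced at offset 300
TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    print(check_image(PRISTINE, TAMPERED))
    # same_size True, same_hash False, modified_ranges [(300, 340)]
```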