[183766] in North American Network Operators' Group


Re: Synful Knock questions...

daemon@ATHENA.MIT.EDU (Ricky Beam)
Tue Sep 15 15:27:53 2015

X-Original-To: nanog@nanog.org
To: NANOG <nanog@nanog.org>
Date: Tue, 15 Sep 2015 15:27:47 -0400
From: "Ricky Beam" <jfbeam@gmail.com>
In-Reply-To: <CAOe-DYAKnZ68zP=NLgFWX-zZ3dGD_32jdO9pZy7k4J1Huour9w@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas  
<Michael.Douglas@ieee.org> wrote:
> Does anyone have a sample of a backdoored IOS image?

The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're going on and on about "file size". There are many reasons to overwrite. The most likely reason the hack does this is because it's easier than a dynamic allocation of executable memory. Plus, modifications done by ROMMON cannot allocate IOS system memory; their hooks MUST rewrite existing code SOMEWHERE.

Again, this is a ROMMON HACK that doctors the running IOS image IN MEMORY before starting IOS.
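The point of the reply above is that the stored image is untouched, so an integrity check on the file on flash passes while the copy that actually runs has been overwritten in place. The following is an added illustration (not code from the thread, from Cisco, or from any real IOS/ROMMON format): a constructed byte buffer stands in for the image's code section, `boot_image` models a boot path in which a hypothetical ROMMON-stage patch overwrites bytes of the decompressed copy, `stored_image_intact` is the file-level hash check, and `patched_ranges` is the check a defender actually needs, comparing the decompressed reference against a runtime copy of the code region and reporting where they differ. Names, offsets and patch contents are all invented for the example.

```python
"""
Added example, not part of the NANOG post: a file hash on the stored image
does not see a patch applied in memory after decompression; comparing the
decompressed reference text against a runtime copy does. All data below is
constructed for illustration and models no real IOS or ROMMON layout.
"""
import hashlib
import zlib

# Constructed stand-in for the code section of an image (NOT real IOS code):
# 4 KiB of deterministic bytes, stored compressed as it would be on flash.
REFERENCE_TEXT = bytes(range(256)) * 16
STORED_IMAGE = zlib.compress(REFERENCE_TEXT)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def boot_image(stored: bytes, rommon_patch=None) -> bytes:
    """Model the boot path described in the post: the loader decompresses the
    stored image, and a doctored loader may overwrite bytes of the decompressed
    copy in place before handing control to it. `rommon_patch` is a
    hypothetical {offset: replacement_bytes} mapping (constructed input)."""
    text = bytearray(zlib.decompress(stored))
    for offset, patch in (rommon_patch or {}).items():
        # In-place overwrite of existing code; nothing is allocated.
        text[offset:offset + len(patch)] = patch
    return bytes(text)


def stored_image_intact(stored: bytes, expected_sha256: str) -> bool:
    """What a file-level verify does: hash the stored (compressed) image only.
    It says nothing about the copy that is executing."""
    return sha256(stored) == expected_sha256


def patched_ranges(reference: bytes, runtime: bytes):
    """Compare the decompressed reference text against a runtime copy of the
    same region and return a list of (offset, length) runs that differ.
    An empty list means the runtime copy matches the reference byte for byte."""
    if len(reference) != len(runtime):
        raise ValueError("runtime copy is not the same size as the reference text")
    runs = []
    start = None
    for i, (ref_byte, run_byte) in enumerate(zip(reference, runtime)):
        if ref_byte != run_byte and start is None:
            start = i                      # entering a differing run
        elif ref_byte == run_byte and start is not None:
            runs.append((start, i - start))  # leaving a differing run
            start = None
    if start is not None:                  # run extends to the end of the region
        runs.append((start, len(reference) - start))
    return runs


def main():
    good_hash = sha256(STORED_IMAGE)
    # Constructed patch: overwrite 16 bytes at 0x100 and 8 bytes at 0x800.
    patch = {0x100: b"\x90" * 16, 0x800: b"\xcc" * 8}
    runtime = boot_image(STORED_IMAGE, rommon_patch=patch)

    # The file-level check still passes, because the stored image was never touched.
    print("stored image hash OK:", stored_image_intact(STORED_IMAGE, good_hash))
    # The in-memory comparison is what exposes the overwritten runs.
    print("runtime differs from reference at:", patched_ranges(REFERENCE_TEXT, runtime))


if __name__ == "__main__":
    main()
```

Running it prints that the stored image hash is fine and that the runtime copy differs at `[(256, 16), (2048, 8)]`. The takeaway for operators is the one the post makes: a checksum of the image file on flash is the wrong control for this class of tampering; the comparison has to be made against what is actually resident in memory, and the loader (ROMMON) itself has to be trusted or verified.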
