Cisco IOS Rootkit Demonstrated

May 27, 2008 – 7:02 PM

Last Thursday at the EUSecwest conference, security researcher Sebastian Muniz of Core Security Technologies demonstrated a proof-of-concept rootkit for Cisco’s IOS router operating system. A rootkit consists of one or several related applications designed to give the program user root or administrator privileges on a given computer, whether or not that user is authorized to operate with such privileges. In general, rootkits are designed to operate covertly, often in conjunction with malware.

Perhaps the highest profile rootkit incident in recent years occurred in 2005, when security researcher Mark Russinovich found that Sony BMG had been distributing a rootkit with some of its music CDs as a means of copyright protection.

While rootkits for common operating systems, like Windows, are well known, they haven’t been an issue for Cisco’s IOS until now.

In a post to the Full Disclosure mailing list, security researcher Nicolas Fischbach wrote, “At the end of the day this is nothing new from a rootkit technology point of view, but it’s in the IOS/router world.”

A potential vulnerability like this is noteworthy because so many routers run Cisco’s IOS. Cisco routers accounted for 65% of router revenue worldwide in 2007, according to Dell’Oro Group, a telecommunications analysis firm.

Fischbach’s view is that the sky isn’t falling, at least not yet. There is a tool available to detect whether IOS has been altered: CIR, which stands for “Cisco Information Retrieval.” Furthermore, there are still hurdles to installing a rootkit in a Cisco router.

Fischbach characterized the installation process as “noisy” and as something that administrators should notice, unless they acquired the router through questionable or illegal channels.

As it happens, counterfeit routers have been keeping the FBI busy. In late February, the FBI said that various law enforcement agencies had seized over $76 million in counterfeit Cisco hardware and labels over the past two years.

Cisco recommends that customers follow industry best practices to keep their networks secure and advises customers to read its publicly posted response to Muniz’s work.

“We thank Mr. Sebastian Muniz and Core Security Technologies for working with us towards the goal of keeping the Internet and Cisco networks, as a whole, secure,” Cisco said in an e-mailed statement. “We are currently in the process of analyzing the information that Mr. Muniz and Core Security Technologies presented at the conference.”

Source: Information Week