nanog mailing list archives
Re: [NANOG] IOS rootkits
From: Gadi Evron <ge () linuxbox org>
Date: Sun, 18 May 2008 22:30:01 -0500 (CDT)
On Sun, 18 May 2008, Joel Jaeggli wrote:
The result from your check can easily be modified, first thing I would have changed is the checker.
That is a normal thing to do with rootkits (return bogus results). Which is part of the reason I suggested that method I did. Short of pulling the flash you're not going to get a fully unbiased view of what's on it thusly the audit process has some limitations. A TCPA style boot process would be a better approach. It's certainly not a quick fix since it in general can't be retrofitted to existing products.
EuSecWest released this interview about the rootkit with its creator, Sebastian Muniz of Core Security; it also mentions a third party product to detect some of these issues. Thank whatever deity we like for FX's work, as obviously Cisco isn't there yet. http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html
Say you did this from a usb stick--I'd just hide the rootkit in memory.
In the end if you subvert a router, presumably you're doing it for a purpose and given what the device does, that purpose is probably detectable in a well instrumented network.
Subversion may not be the goal. A router is perfect for faking outgoing traffic. This traffic can contain stolen sniffed or relayed data.
If my device is now taking marching orders from a third party then by definition it is subverted, regardless of agency or activity. sub verte - turn from under