A security researcher has developed malicious rootkit software for Cisco
Systems' routers, a development that has placed increasing scrutiny on the
routers that carry the majority of the Internet's traffic.

Sebastian Muniz, a researcher with Core
Security Technologies, developed the software, which he will unveil on May
22 at the EuSecWest
conference in London.

Rootkits are stealthy programs that cover up their tracks on a computer, making
them extremely hard to detect. To date, the vast majority of rootkits have been
written for the Windows operating system, but this will mark the first time
that someone has discussed a rootkit written for IOS, the Internetwork Operating
System used by Cisco's routers. "An IOS rootkit is able to perform the
tasks that any other rootkit would do on desktop computer operating systems,"
Muniz said in an e-mail interview.

Rootkits are typically used to install key-logging software as well as programs
that allow attackers to remotely connect with the infected system. However,
the most notorious rootkit of all, distributed
by Sony BMG Music, stopped unauthorized CD copying.

A Cisco rootkit is particularly worrisome because, like Microsoft's Windows,
Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router
market in the fourth quarter of 2007, according to research firm IDC.

In the past, researchers have built malicious software, known as "IOS
patching shellcode," that could compromise a Cisco router, but those programs
are custom-written to work with one specific version of IOS.

Muniz's rootkit will be different. "It could work on several different
versions of IOS," he said.

The software cannot be used to break into a Cisco router -- an attacker would
need to have some kind of attack code, or an administrative password on the
router to install the rootkit, but once installed it can be used to silently
monitor and control the device.

The rootkit runs in the router's flash memory, which contains the first commands
that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.

Muniz said he has no plans to release the source code for his rootkit, but
he wants to explain how he built it to counter the widespread perception that
Cisco routers are somehow immune to this type of malware. "I've done this
with the purpose of showing that IOS rootkits are real, and that appropriate
security measures must be taken," he said.

Security researcher Mike Lynn offered a similar rationalization for his controversial
2005 Black Hack presentation showing how to hack into a Cisco router and run
a small "shellcode" program.

Lynn's presentation was "very shocking because, until then, nobody thought
you could actually build exploits for Cisco," Ruiu said. "This rootkit
is the next step."

Within hours of his 2005 Black Hat talk, Lynn was sued by Cisco, which claimed
he had exposed trade secrets in violation of his Cisco end-user license agreement.

Cisco's suit was quickly settled, but Muniz and his employer clearly have Lynn's
experience in mind as they ready for next week's conference. They declined to
provide technical details on the presentation ahead of time. "We're still
in the process of putting the whole presentation together, and we also need
to work with Cisco before we talk to anybody," a Core spokesman said. "The
big concern is making sure that everything is cool with Cisco."

Cisco declined to comment for this story.

Jennifer Granick, the Electronic Freedom Foundation
lawyer who represented Lynn in 2005, said that Cisco could bring these trade-secret
claims against Muniz, but because the technical community reacted so negatively
to the 2005 lawsuit, she believes that this may not happen. "Cisco thinks
of itself as really researcher-friendly," she said. "I think they
will be very careful before filing legal action."

Still, the rootkit comes at a sensitive time for Cisco. Last week, the New
York Times reported that the U.S. Federal Bureau of Investigation considers
the problem of fake Cisco gear a critical
U.S. infrastructure threat.

In late February the FBI culminated a two-year investigation by breaking up
a counterfeit Cisco distribution network and seizing an estimated US$3.5 million
worth of components manufactured in China. According to an FBI
presentation on Operation Cisco Raider, fake Cisco routers, switches and
cards were sold to the U.S. Navy, the U.S. Marine Corps., the U.S. Air Force,
the U.S. Federal Aviation Administration, and even the FBI itself.

The U.S. Department of Defense has expressed concerns that the lack of security
in the microelectronics supply chain could threaten the country's defense systems,
and the idea that an attacker could sneak a rootkit onto a counterfeit Cisco
system has security experts worried.

Cisco routers are typically compromised by hackers who are able to guess their
administrative passwords, said Johannes Ullrich, chief research officer with
the SANS Institute. But there
are few tools around to check these systems for signs of hacking. "How
would you find out?" he said. "That's the big problem."

IDG News Service

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine