First rootkit for IOS created

If you build it, they will come. So hold onto your hats now that the world has its first ever Cisco router rootkit, reports a story from IDG News Service. Sebastian Muniz, a researcher with Core Security Technologies, developed the rootkit for Cisco's Internetwork Operating System and will show it off on May 22 at the EuSecWest conference in London. Rootkits are stealth programs, extremely hard to detect. For the most part, they are aimed at Windows. They are typically used to capture desktops and servers for botnets, or to embed keylogging code or spyware. (Although, as the story points out, Sony BMG Music was perhaps the most notorious rootkit. The company built it for DRM, to stop unauthorized CD copying.) Rootkits are a favorite of the financially motivated criminal hacker, experts say. But now a rootkit can be placed on a router. What kinds of use can such a thing accomplish? Will it be an easier way to gather multitudes of passwords stored in configuration files? No doubt now that rootkits have been proven for IOS, the world will soon find out. Hackers are nothing if not creative.

Thankfully, the researcher's code cannot be used to gain access to the router. The hacker has to break in some other way first. But it can be used against several versions of IOS, and a one-size-fits-many rootkit is definitely not good.

This whole thing is a little reminiscent of the 2005 Black Hat conference, the story points out. Until then IOS wasn't thought of as a possible target for hackers. (Maybe that was naivety on the part of enterprise users -- or perhaps good image management on the part of Cisco.) But, as we all remember, security researcher Mike Lynn gave a controversial presentation showing how to hack into a Cisco router and run a small "shellcode" program. Cisco a) sued Lynn (but the suit was quickly settled) and b) wouldn't comment on this IDG rootkit story. Muniz is understandably nervous. The story says:

"Muniz and his employer clearly have Lynn's experience in mind as they ready for next week's conference. They declined to provide technical details on the presentation ahead of time. 'We're still in the process of putting the whole presentation together, and we also need to work with Cisco before we talk to anybody,' a Core spokesman said. 'The big concern is making sure that everything is cool with Cisco.'"

Cisco security is being put through the wringer right now. The week has been full of news. Earlier in the week the FBI freaked out about possible malware embedded in fake Cisco gear it found in the DoD's infrastructure. Today, Cisco issued patches to fix holes in Call Manager that could allow DoS attacks.

But interestingly, as with this Cisco rootkit, the possible malware in counterfeit products is more of a theory than a fact. The FBI feared malware because researchers had proven it could be done. But they reportedly didn't find it in the collection of fake gear they confiscated.

Is there a point where security research crosses the line and actually causes the malware infections it says it's trying to avoid? Or is it best that the good guys think like the bad guys, so that vulnerabilities are discovered -- and managed -- by the folks in the white hats?

Copyright © 2008 IDG Communications, Inc.