Rootkits on routers threat to be demoed

Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers. Sebastian Muniz, of Core Security, plans to demo Cisco IOS rootkit software he developed during a presentation at the EuSecWest conference in London on 22 May. Rootkits are malicious packages used to hide the presence of …


  1. PunkTiger


    From TFA: "Muniz doesn't intend to release his software."

    Yup. He only intends to show that it can be done, and leave the door open for some other unscrupulous hacker to reinvent his wheel and start infesting routers with rootkits.


    Time to invest a little time with DD-WRT.

  2. Gordon Fecyk

    Oh no! It's the end of the 'net as we know it!!!!!1!1 And s/Microsoft/Cisco

    Man the pumps, batten down the hatches, run for the hills, etc

    To [mis]quote Robert Lemos from 2003:

    "Exclusive reliance on _Cisco's IOS_ operating system could make companies vulnerable to greater damage during a cyberattack, according to an upcoming report from analyst Gartner."

    Or maybe I should use the Penguin tag and, um, ♫ rant like a Linux Geek... ♫

    "...I know the perfect way to avoid Cisco IOS vulnerabilities. Just switch to Snapgear products, powered by Linux!!!!!!11!1"

  3. Pierre

    Ha, ciscow....

    Cisco ads always made me think of the glorious Apple's "It just works". Now I know why.

    (note to flamers: I DID know why before today. Just had to make the joke.)

  4. amanfromMars

    Virile Virulent White Knight RouteKits ..... from Alien Crowd Cloud Protection Teams?

    "Security researchers have devised a rootkit capable of covertly monitoring and controlling Cisco routers. ..... Muniz explained: "I've done this with the purpose of showing that IOS rootkits are real, and that appropriate security measures must be taken""

    And what, pray tell, would be appropriate security measures, given the fact that such Pythonesque Intrusions are UNstoppable ..... with whether subsequent and deeper IOS activity be mischievous or malicious, [which invariably is always only a rational decision to reflect whatever degree of financial loss/transparent information sharing that a client/government/virtual machine may wish and/or be forced to demonstrate] ...... being merely the result of ignorant, arbitrary security measures, which could/would be considered as attacks upon the Intrusion.

    It is as well to consider exactly what it is that is going to be lost, or thought to be under attack, for any Defence of the Indefensible has always been, and will always be a Catastrophic Failure, ..... Inviting by SMARTer IOS Default an UNstoppable Force to take All before it with ITControl, as Fully Legitimate Booty/Reward/Full Monty XXXXPEditionary Force Majeure Payment.

    I Kid U Not Cisco ...... and not a Rogue Cowboy/Dumb White Kid in Sight for this is AI Purple Patch.

    And as this is BOFH day and we patiently await our Fix, take AIMagical Mystery Turing Stroll down the Route of that last Sentence which says that Rock is AI Stone and a'Rolling and won't Get Fooled again by Rogue Cowboys with Dumb White Kids in their Sights.

    Step 1 ..

    Steps 2 & 3 .... ....

    Step 4 ...

    cc. Rolling Stone.

    The Network InterNetworking JA is your Lover and Friend ..... Use IT 42 Register and Make Your Dreams Come Alive .......

    There are, of course, always alternate rootkit routes such as the malicious, burnt and burning bushes journey of perpetual war, with its legacy of crippling and crippled heroes and post traumatic stress Zombie Psychoses, for the Nightmare Scenario of Dreams Destroyed and Lives Lost on Foreign and Alien Soil Misadventures..... Real Arrogant Vanity Excursions ..... Raves in Madness.

    ‘Rootkits on routers threat to be demoed’ .... already well demoed???

  5. Man Outraged

    Bugger - takes the wind out of my Phorm argument

    I've been ranting outraged about how Phorm's and others' data pimping kit could introduce network vulnerabilities like this. Just a shame that Cisco have now provided Phorm et al. with a defence: the network vulnerabilities at the ISP are already there!

    Of course I trust Cisco to identify, root-cause and patch quicker than tinpot data pimpers due to the scale of their operations and amount of kit out there....

  6. Anonymous Coward

    that guy is smart..

    He developed the rootkit during a presentation?! I'm impressed!

  7. Parax

    Unmanaged Routers next?

    Fortunately Cisco routers are usually corporate with staff employed to manage them; however, your bog standard home owned 24/7 unmanaged generic routers like home hub or divebox, well then we have a problem.. We're all doomed I tell ya! Well ok, maybe not doomed, but the ISPs need to wake up and do something about infected customers!

  8. Anonymous Coward

    Using Software to do a hardware job?

    Well that's what you get when you use software to do a job that could be done by hardware...

  9. Anonymous Coward

    Why can't Cisco employ this guy

    So when I have to upgrade the IOS I don't need to go to each one and reboot them at some ridiculous hour in the morning. Seems like he can do an 'in place' upgrade.

  10. Anonymous Coward

    This really was inevitable

    The only way to make anything permanently unhackable, to quote the UK gov., is to just not "connect it to the internet".

  11. Jeff Deacon

    plans to demo Cisco IOS rootkit software

    This will be an interesting case for Mr Plod, the Policeman.

    He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions, in London. As clear a case of a breach of the Computer Misuse Act as could be imagined. See

    Read through the comments as well!

    Interesting times ahead. Should we start a fund for his legal defence costs now?

  12. Anonymous Coward

    @ Gordon Fecyk

    "I know the perfect way to avoid Cisco IOS vulnerabilities. Just switch to Snapgear products, powered by Linux!!!!!!11!1"

    Err, that was a joke, right? Why would making all routers rely on a different OS make any difference? Surely then you would be equally exposed to a single flaw?

  13. JohnG

    If you already have admin credentials.....

    ....why would you arse around with a rootkit? You just login and do what you want directly. If nobody notices you logging in and installing a rootkit, they wouldn't notice changes in routing, access lists and the like.

  14. Bill

    Admin Credentials

    JohnG got in before me, if you have the admin credentials you pwn the device anyway. Now if he can plant the rootkit without the admin login then I am impressed.

  15. Sodoshi


    Because any compromised system could be noticed by a professional and fixed. The point of the rootkit is not that you can get in today, but that you can get in every day, and not be noticed by legitimate admins. An exploit is patchable; a rootkit is only patchable if you *know it is there*.

  16. Steve B

    Why so long?

    If he was smart enough to develop this rootkit during the presentation, how come it has taken nearly a year to raise the issue?

  17. JohnG


    "..any compromised system could be noticed by a professional..."

    If the responsible professionals don't notice someone logging in using admin privileges and then installing the rootkit, they aren't going to notice anything short of the box falling over, are they? They aren't likely to notice an additional username, for example.

  18. Anonymous Coward

    Small correction

    Sony did not employ a "rootkit", it employed a "fuckit".

  19. amanfromMars

    The devil is in the detail

    "He will be demonstrating software that he developed (therefore no widely installed customer base), that is only developed to demonstrate bad intentions,..."

    If anyone develops software for a System with nothing but good intentions, even though others may think to develop it along lines for bad intentions, will Mr Plod and his mates in Spooky Town not be interested, unless they were alerted to bad intentions which would prevent good intention use, for quite obviously such a Block on Progress would be Immoral/Unethical/Not in the Public Interest even should it be argued that Third Party Private and/or Public Gain is derived from Proxy Third Party Use of Systems Resources. So what...Hard Cheese...Get Used to IT being Shared for the Greater Good...... although that subtlety may have to be carefully explained to them.

    And/But of course, the Heavy Squad would also always be interested in those who would abuse Holey Software and Hardware, with no good intention at all. It makes one think that the problem is one at source and within the Hosting Hardware/Software but that is always quietly forgotten for convenience sake?

    It's a bit like selling a lethal weapon and then not expecting anyone to use it and prosecuting them whenever they do, except whenever they use it for those "special" private enterprises which pull on government disguises.

  20. Anonymous Coward

    @that guy is smart

    He "devised" it before, but "developed" it during the presentation. Two meanings of develop, see? (because I was already on the lookout to see which word they'd use myself)

  21. Gordon Fecyk

    @AC, ya that was a joke

    "Err that was a joke right. Why would making all routers rely on a different OS make any difference surely then you would be equally exposed to a single flaw?"

    Next time I'll use teh j0k3 4l3rt butan, kthx.

    Seriously, I don't understand why the Linux crowd isn't all over this, promoting Snapgear over Cisco, when they gladly do the same thing when some vulnerability in a Microsoft OS gets published. Cisco is more entrenched in the 'net than Microsoft is.

    I would like to see, however, how someone could rootkit a Snapgear box.

  22. Bounty


    If you guess the admin password, you're fine until they change it... this probably doesn't happen often, as if you guess it, the admin is too dumb to ever change it.

    If you brute force the password or have a working vulnerability, then I guess this kit could help... 'course their IDS sucks if it didn't notice. Hope they don't ever patch it, that might break your rootkit, or if Cisco pays attention and checks for it first, might reveal your activities/IP etc.

    So if the admin is lazy, but put in a good password.. you don't need this kit after you root it, as they'll never change it or patch it.

    If the admin is not lazy and you have a zero day exploit, your rootkit needs to not break when the admin does patch it, or worse, reveal you.

    They mention 'covert' in the article...but how covert? To most users nc listening on port 4444 in the startup folder is covert because users are dumb. If it really is a 'stealth' rootkit that survives patching and rebooting, that is impressive.

  23. Robert Armstrong

    All your route belong to us

    This was inevitable. Perhaps I will take down my routers and use Windows Server as my I know Paris would.

  24. Alpy

    Admin rights required...

    ....sort of makes this rootkit issue a non starter. Having to brute force the router, which should be protected with an AAA TACACS or Radius server, and on an out of band management interface with ACLs, would make this very very very difficult to achieve.

    However, if the rootkit code is added to a version of the IOS binary then system admins could actually be installing the rootkit without knowing. Advice would be to only download binaries from and not to get them from anywhere else. Also check the MD5 and checksum hashes to make sure they match on

    This is all just standard best practice. Common sense rules all.
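    Alpy's advice above (check the published MD5/checksum before installing an image) worked through as an added Python example; it is not code from the original thread or from Cisco. The image bytes, the "published" hash manifest and the file name example-image.bin are all constructed placeholders so the script runs offline; a real check would compare against the vendor's published digests for the exact file being installed.

```python
"""Verify a downloaded firmware image against published digests before installing it."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for a known-good image and for the vendor's published manifest
# (filename -> {algorithm: hexdigest}). Computed here only so the example is self-contained.
GOOD_IMAGE = b"CONSTRUCTED-IOS-IMAGE-BYTES\x00" * 64
PUBLISHED = {
    "example-image.bin": {
        "md5": hashlib.md5(GOOD_IMAGE).hexdigest(),
        "sha256": hashlib.sha256(GOOD_IMAGE).hexdigest(),
    }
}


def digest_file(path, algo, chunk_size=1 << 20):
    """Stream the file through hashlib so a large image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, published):
    """Return (ok, report): ok only if EVERY published digest for this file name matches.

    A file with no manifest entry is rejected: there is nothing trustworthy to compare to.
    """
    expected = published.get(Path(path).name)
    if expected is None:
        return False, {"error": "no published hashes for this file name"}
    # compare_digest is a habit for any digest comparison; each algorithm is checked
    # independently so the report shows which one(s) disagreed.
    report = {algo: hmac.compare_digest(digest_file(path, algo), want)
              for algo, want in expected.items()}
    return all(report.values()), report


def demo():
    """Write a good copy, a one-byte-tampered copy and an unlisted file, then verify each."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example-image.bin"
        good.write_bytes(GOOD_IMAGE)
        (Path(tmp) / "mirror").mkdir()
        tampered = Path(tmp) / "mirror" / "example-image.bin"
        tampered.write_bytes(GOOD_IMAGE[:10] + b"X" + GOOD_IMAGE[11:])  # one byte flipped
        unlisted = Path(tmp) / "unlisted.bin"
        unlisted.write_bytes(GOOD_IMAGE)
        return {name: verify_image(p, PUBLISHED)
                for name, p in (("good", good), ("tampered", tampered), ("unlisted", unlisted))}


if __name__ == "__main__":
    for name, (ok, report) in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'} {report}")
```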


  25. Anonymous Coward

    Not sure he is dispelling a myth.

    Any system that uses flash memory or rw memory for the operating system can theoretically be rooted.

    Unless the systems use ROM with no RAM or hardware protected RAM it can use a similar mechanism that is used when updating the router, which appears to be what he has done.

    Though I agree there are a load of numpties who profess to be in IT (generally Universities) who are under the delusion that it is not possible, but most don't take those folks seriously, perhaps the guy had run into that little sect.

    Rootkits are the last thing in the chain of compromise, used generally to maintain control and thwart detection of the break-in. I am sure others have done this years ago, and I am somewhat surprised he is the first to make it public.

  26. Joe Drunk

    Stop the FUD

    Take a deep breath and remove the tinfoil hats. As Parax pointed out, Cisco gear is typically owned by large megacorps with IT staff that manages that stuff 24/7 (like I do). Cisco IOS is not subject to "drive-by installs" so you will not get this rootkit by opening an email with naked pics of Anna Kournikova or playing a video file that needs installation of a funky video player you just got from

    Updating IOS on Cisco gear is akin to installing a new OS on your PC. It doesn't happen by accident. It can either be done via TFTP or physically via CF flash and the device needs to be rebooted. TFTP is blocked externally on most corporate WANs so it can't be done externally. All the firms I have worked at had test labs where any new release of IOS had to be thoroughly tested then had to receive approvals from IT/business units. If it actually made it through this process it would be deployed on a small number of devices at first and monitored before upgrading the whole backbone. In fact, unless the current IOS has serious bugs or the new IOS offered significant improvements in security or performance we don't care about new IOS releases. The risk is just too great.

    This of course does not take into account the smaller firms that don't block TFTP and have easy to guess passwords on their devices. Or how about the way Dave and Busters got hacked?

    The hackers posed as network techs and gained access to the comm rooms where the servers were located to physically install the sniffer software. They were caught because the sniffer software was buggy and would not restart when the machines were rebooted so the hackers had to keep returning to restart the sniffer software.

    Paris because even she could write better sniffer software.


Biting the hand that feeds IT © 1998–2022