Router Rootkits

Although rootkits certainly aren't new they are becoming more of a potential problem as time wears on. In the past we've typically had to contend with defending desktops and servers against such menaces, however attention must also be paid to network devices, such as routers, because trends indicate that we're headed into a period of time when more attacks will be targeted directly at network-enabled devices.

For example, in a recent article (at the URL below) I discussed a presentation given by Rich Smith of HP Systems Security Lab at the recent EUSecWest conference in London where he outlined why he thinks Phlash attacks are destined to become a big security concern. Phlash attacks target network-enabled devices where faulty code is used to overwrite existing flash-based code which in turn can cripple a device beyond the point of recovery.
http://windowsitpro.com/Article/ArticleID/99301

Sebastian Muniz also gave a presentation at the conference regarding similar attacks against Cisco routers. Muniz's approach doesn't involve crippling devices but instead involves implanting a rootkit by modifying an image of Cisco's Internetwork Operating System (commonly referred to IOS) router code. Muniz explained that to do that one first must obtain an IOS image, decompress it, analyze the code using specialized tools to locate strings and functions, overwrite certain strings and functions with malicious code, re-compress the image, and adjust the checksums to match the altered image. Later, if someone obtains such an image (e.g., from an unofficial distribution site) and installs it into their router then of course it's game over and the bad guy wins.

What Muniz's research reveals is that it's not only entirely possible to inject a rootkit into a device that runs IOS, but that it's also possible to do so without access to IOS source code, that it's possible to make a rootkit persistent across device reboots, and most importantly that it's possible to write one IOS rootkit that can be used with different CPU architectures. Of course the attack might also grow to involve an administrator (if the administrator acquires an altered IOS image), thereby turning the administrator into a tool of attack.

The lessons here are fairly clear: Never use IOS images that are not obtained directly from Cisco. If you happen to buy used Cisco hardware then be certain that you load new IOS code onto the device, otherwise you run a high risk because you can't be sure where existing IOS code came from. The same premise holds true in another context: Be very careful who you allow to manage your routers because it's entirely feasible that an employee might be the one to intentionally load altered IOS code.

Beyond injecting rootkits into Cisco routers, the same sort of approach could be possible on other network-enabled devices. So for example, instead of using a Phlash attack to cripple a device, a Phlash attack could be used to install a rootkit, which might be far more appealing to the bad guys.

For more information about Muniz's research, view his presentation at the first URL below. Also read what Nicolas Fischback of COLT Telecom had to say (at the second URL below) about Minuz's research. Fischback provided links to related information that can help you better understand how these trends are evolving over time. You might also want to read the Recurity Lablog article (dated May 27, 2008, at the third URL below) that discusses this topic. Be sure to read Cisco's Security Response to this particular IOS rootkit at the fourth URL below. And finally, if you're curious as to whether your IOS has been altered then consider using Recurity Lab's online Cisco Incident Response (CIR) tool (at the fifth URL below), which incidentally can detect the rootkit developed by Muniz during his research.
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20080529/302ba0fe/attachment-0001.ppt
http://lists.grok.org.uk/pipermail/full-disclosure/2008-May/062544.html
http://www.phenoelit.net/lablog/
http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml
http://cir.recurity.com/cir/