---
url: /2008/05/much-ado-about-rootkits/
title: "Much ado about rootkits"
date: "2008-05-31T07:31:00.002+02:00"
tags: [ security ]
---
Ten days ago, the industry press was buzzing with the news of the IOS rootkit developed by Sebastian Muniz. At that time I wrote “<a href="/2008/05/guide-to-harden-cisco-ios-devices/">Personally I doubt it would go beyond Tcl scripts that we already know about</a>” … and now it's time to admit that:
<ol>
<li>I was wrong.</li>
<li>I'm really impressed.</li>
</ol>
Although the rootkit was just a proof of concept (which is usually enough for a white-hat researcher), it does demonstrate that you can (with proper skills, tools and lots of patience) reverse-engineer IOS, write your own code and insert it into an IOS image.<br/><br/>
The rootkit presentation prompted Cisco to generate an excellent document describing how to <a href="http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml">detect patched IOS images and the precautions you can take to ensure an intruder does not get access to your devices</a>.<br/><br/>
On the other hand, I was bitterly disappointed by the lack of coverage from the "industry press". There was <a href="http://news.cnet.com/8301-10789_3-9952923-57.html">speculation that Cisco released three patches in anticipation of the presentation</a> (anyone who looked into what those patches were would easily find out that two of them were not IOS related) and a few <a href="http://news.yahoo.com/s/cmp/20080528/tc_cmp/208400389">notable exceptions correctly describing the situation</a>, but some publications that were very loud before the presentation forgot to tell their readers that the threat was "slightly" over-rated. Of course, the lack of interest in non-sensational news has <a href="http://seclists.org/fulldisclosure/2008/May/0597.html">already started conspiracy theories</a>.
<p class="more">If you want more details, read a <a href="http://seclists.org/fulldisclosure/2008/May/0615.html">down-to-earth description of the presented rootkit</a> by Nicolas Fischbach.</p>