Security researcher devises rootkit for Cisco's routers
He plans to unveil it at next week's EuSecWest conference
May 14, 2008 12:00 PM ET, IDG News Service - A security researcher has developed malicious rootkit software for Cisco Systems Inc.'s routers, a development that puts increased scrutiny on the routers that carry the majority of the Internet's traffic.
Sebastian Muniz, a researcher at Core Security Technologies Inc., developed the software, which he will unveil on May 22 at the EuSecWest conference in London.
Rootkits are stealthy programs that cover their tracks on a computer, making them extremely hard to detect. To date, the vast majority of rootkits have been written for the Windows operating system; this marks the first time someone has discussed a rootkit written for the Internetworking Operating System used by Cisco's routers. "An IOS rootkit is able to perform the tasks that any other rootkit would do on desktop computer operating systems," Muniz said in an e-mail interview.
Rootkits are typically used to install key-logging software as well as programs that allow attackers to remotely connect with infected systems. However, the most notorious rootkit of all, distributed by Sony BMG Music Entertainment, stopped unauthorized CD copying.
A Cisco rootkit is particularly worrisome because, like Microsoft Corp.'s Windows, Cisco's routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to research firm IDC.
In the past, researchers have built malicious software, known as "IOS patching shellcode," that could compromise a Cisco router, but those programs are custom-written to work with one specific version of IOS.
Muniz's rootkit will be different. "It could work on several different versions of IOS," he said.
The software can't be used to break into a Cisco router -- an attacker would need to have some kind of attack code or an administrative password on the router to install the rootkit. But once installed, it can be used to silently monitor and control the device.
The rootkit runs in the router's flash memory, which contains the first commands that it uses to boot up, said EuSecWest conference organizer Dragos Ruiu.
Muniz said he has no plans to release the source code for his rootkit, but he wants to explain how he built it to counter the widespread perception that Cisco routers are somehow immune to this type of malware. "I've done this with the purpose of showing that IOS rootkits are real and that appropriate security measures must be taken," he said.
Security researcher Mike Lynn offered a similar rationalization for his controversial 2005 Black Hat presentation showing how to hack into a Cisco router and run a small shellcode program.
Lynn's presentation was "very shocking because, until then, nobody thought you could actually build exploits for Cisco," Ruiu said. "This rootkit is the next step."
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.