Security researcher Sebastian Muniz of Core Security Technologies will be unveiling a malicious rootkit that he developed for Cisco’s routers at the EuSecWest conference on May 22.
Traditionally the domain of operating systems, rootkits are essentially malware that makes extraordinary efforts to hide itself by subverting key processes or files on a target operating system.
A Cisco rootkit is particularly worrisome because, like Microsoft’s Windows, Cisco’s routers are very widely used. Cisco owned nearly two-thirds of the router market in the fourth quarter of 2007, according to IDC.
If Muniz’s claim is true, this could also mark the first time that someone is presenting a rootkit specifically written for Cisco’s proprietary Internetwork Operating System, or IOS. Unlike specific “IOS patching shellcode” exploits that are custom-written with a specific version of IOS in mind, Muniz’s rootkit is particularly virulent as it would work on several different versions of IOS.
While a method of compromising a deployed router is still required, the door is now open for a router to be tampered with prior to delivery, after which it can be used to covertly monitor and subvert the device as necessary.
In case you think tampering at the supply-chain level is unlikely, I posted a story earlier this week on an FBI investigation that recovered $3.5 million worth of fake Cisco network equipment.