applied security conferences and training: CanSecWest | PacSec | EUSecWest |

EUSecWest 2008

The third annual EUSecWest conference will be held on May 21/22 at the Sound club in Leicester Square in central London, U.K.

May 16, 2008

Da IOS Rootkit

For those of you who haven't heard, Sebastian Muniz of CORE Security will release a proof of concept rootkit for Cisco's IOS. Wanting to know more I contacted him, and he agreed to answer questions about his work.

Sean Comeau: People have been talking about IOS rootkits for years. Although there have been trojan firmwares, particularly based on widely distributed 11.x source code, there isn't anything public that will work on most deployments like is common with general purpose systems. Why hasn't it been done before?

Sebastian Muniz: Usually research like this takes long time and can only be performed by people that usually do this kind of low-level work (disassembly, reversing, etc) so the idea is known but not the implementation details.

Sean Comeau: Do you know of any IOS rootkits that have been found in the wild?

Sebastian Muniz: I've been told by the cousin of a friend of my girlfriend that this kind of rootkit has previously been used :)

Sean Comeau: Tell me about your code, Da IOS Rootkit. How stealthy is it? What are its features? Can it survive IOS upgrades and will it work on Catalyst switches as well?

Sebastian Muniz: The rootkit consists of a binary modification to the IOS image downloaded from the device so it has a pretty big and obvious footprint. More stealth is not needed for the presentation to make the points I want to make.

Sebastian Muniz: The main feature of Da IOS Rootkit is the universal password. Every call to the different password validation routines grant access to the user if the unique rootkit password is specified. This is what will be in the public release. Other features such as hiding files, processes and connections will not be included. The core of the rootkit code is written in plain C instead of assembly. It doesn't persist through upgrades yet but future versions probably will.

Sebastian Muniz: I haven't tested on Catalyst switches because they run CatOS which a different than IOS. The rootkit code is rather generic so it should work with some modifications. As a matter of fact, some parts of the code are so generic that they will work on any other class of devices (not even CISCO devices).

Sean Comeau: The fact that Microsoft Windows is closed source hasn't stopped rootkit development on that platform. Why is IOS any different?

Sebastian Muniz: I suppose that this is for various reasons. First because people tend to think that if something is inside a black closed box (aka appliances) then it's safe. Another reason could be that Windows information has been around for years but in the case of IOS, CISCO has made a good job of supplying the users/admins every info they need without giving away implementation details of the IOS core. Another reason, and I think the most reasonable, is that creating a rootkit for an OS with a small number of different version is easier than for IOS which is deployed with thousands of different versions.

Sean Comeau: What tools are useful for anyone interested in reverse engineering IOS?

Sebastian Muniz: IDA Pro is definitely a must-have tool and IDA-Python, gdb cross-compiled for the target processor (MIPS or PowerPC in IOS case) and HT (http://hte.sourforge.net) which is an excellent hex editor and decompiler with ELF header manipulation capabilities. In my opinion, those three tools will help anyone in reverse engineering anything! "Inside Cisco IOS Software Architecture" is good reading material.

Sean Comeau: What was the hardest part of building your rootkit?

Sebastian Muniz: Making my stomach support all that coffee during several nights of reversing multiple IOS images, trying to understand code that does the same but on different architectures (PowerPC and MIPS the most common) and trying to identify and understand key structures of Operating System.

Sebastian Muniz: Testing the ideas most of the times means that your test device will reboot several times, so patience is definitely needed for this work.

Sean Comeau: Can you describe some of those key structures?

Sebastian Muniz: At the moment I don't want to go into details but let says that those structures are the same as in any other OS like processes list, open handles for files, connections, etc.

Sean Comeau: Are you planning to continue working on new features or are you satisfied with having proven the concept?

Sebastian Muniz: I'll continue working on that because I have several new ideas but let's say that this is only the tip of the iceberg ;)

Sean Comeau: Are there any existing tools to detect unauthorized modification of IOS?

Sebastian Muniz: Yes, CIR "Cisco Information Retrieval" created by FX is THE TOOL in this case. It's a framework capable of detecting those kind of modifications. This tool analyzes crash dumps by performing several tests to it and taking a clean IOS image as a starting point. This is a great tool and probably the only one able to do this but it relies in the IOS functions that generate the crash dump so, if those functions are hooked by the rootkit, the result may not be correct. The thing is not that easy because CIR is able to perform several tests and could detect the rootkit but this will probably be like a race, competing with each other to see who has the latest trick to bother it's counterpart. But in the case of the version of rootkit (DIK) that will be presented at the conference, CIR will be able to detect it.

Sean Comeau: Are you planning to offer any generic detection tools?

Sebastian Muniz: There are no plans at the time to offer a detection tool but details on how to detect this kind of rootkit will be given during the talk at the conference.

Sean Comeau: Thanks Sebastian, I'm looking forward to hearing the full details at EUSecWest. Register now.

Read more:

Hacker writes rootkit for Cisco's routers by Robert McMillan of Network World
Cisco IOS rootkit to be revealed at London conference by Richard Thurston of SC Magazine
Rootkits on routers threat to be demoed by John Leyden of The Register
Security Researcher to release Cisco rootkit at EUSecWest by Nathan McFeters of ZDNet
Discussion on NANOG mailing list
Discussion on Binary Revolution