FireEye: SYNful Knock found in some Cisco routers

FireEye is reporting that at least three Cisco enterprise-level routers may have been implanted with SYNful Knock malware.

FireEye said the routers involved are Cisco models 1841, 2811 and 3825 and the security firm's subsidiary Mandiant confirmed it has found SYNful Knock in 14 of these routers in Ukraine, Philippines, Mexico, and India.

SYNful Knock is described by FireEye as a “stealthy modification of the router's firmware” that is modular and thus easily updated once inserted into a router. The initial infection helps the attacker install a back door into the system, which can be quite difficult to find and remove, but easily accessed by the attacker.

“The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password,” FireEye said in its report.

FireEye said if either the implant or an unauthorized back door is found it most likely indicates the system is compromised.

On a positive note there is slight chance that SYNful Knock will spread on its own.

“As of right now, that is not the greatest concern. SYNful Knock is not self-propagating, thus it would require the attacker to actively infect additional Cisco routers or routers from another company,” a FireEye spokesman told in an email Wednesday.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.