
Researcher develops rootkit for Cisco routers

The apparent development of a malicious rootkit for Cisco Systems' routers, which carry much of the traffic on the internet, is a wake-up call to network administrators to ensure their Cisco devices are properly secured and configured.

A researcher with Core Security Technologies, Sebastian Muniz, has reportedly developed the rootkit, a piece of "stealth" software that hides inside a computer's operating environment. Muniz is scheduled to demonstrate the rootkit on Thursday at the EuSecWest security conference in London.

That a researcher would develop a rootkit, which is hard to detect once it infects a system, is not at all surprising, said Eric Maiwald, a vice president and service director with the Burton Group consultancy.

"The more powerful the routers become, the more like a computer system they are, and if they're a computer system, that implies some type of operating system with enough code and vulnerabilities to do something with," he said.

Muniz's rootkit, unlike prior attempts that targeted specific versions of Cisco's Internet Operating System (IOS), will work against multiple versions of IOS. IOS is the software Cisco developed to control, configure and manage its routers, which make up nearly two-thirds of the routers on the internet.

Muniz has said he does not plan to release the source code for his rootkit. He has said he wants to show how he developed it to contradict the perception that Cisco routers and their IOS are impervious to malware attacks.

A rootkit for a Cisco router could carry several types of malicious payloads, Maiwald said. These could allow an attacker to control or monitor the router.

"If you can control the router, you could re-direct traffic or cause denial of service attacks," he said. "If you can monitor traffic on the router, you might be able to see what is passing on the network to the point of eavesdropping."

The rootkit will not, however, permit an attacker to break into a router by itself. The attacker would first need access to the router, via an administrative password or another vulnerability within the router, in order to install the rootkit.

"In and of itself, the rootkit won't take down all the routers on the internet," Maiwald said. "But it is something else that can happen to a router -- if systems administrators don't take proper configuration controls and proper authentication procedures when they log in, and if they deploy routers with easy-to-guess passwords, then it's a problem."

Cisco responded to a request for comment on the rootkit with a prepared statement.

"We do not have enough details from the researcher to make any conclusive statement at this time," the statement said. "We take all security vulnerabilities seriously. We follow a well-established disclosure process for the public reporting of security vulnerabilities. Our practice is to issue a public security advisory or security response that includes corrective measures so customers can address the issue. We are working directly with Core Security Technologies to get the data we need. Once we have the data we need, we'll evaluate it and respond in the framework of our corporate disclosure policy."

In 2005, Cisco responded to a similar incident, in which security researcher Mike Lynn demonstrated how to break into a Cisco router and run shellcode on it, by suing Lynn. In the suit, Cisco claimed Lynn had exposed trade secrets in violation of his Cisco end-user license agreement.
