​SYNful Knock – backdoor in Cisco devices

Recently, Fireeye researchers have discovered a new type of malware implant in Cisco router that allows attackers to gain and keep access to these devices.

The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. The implant also provides unrestricted access using a secret backdoor password.

Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.

The implant persists on reboot, but the modules loaded by the attackers only exist in RAM, and therefore are wiped following a reboot.

Obviously, the attacker requires valid administrative credentials or physical access to the system to load the modified IOS.

Up to now, the modified IOS has been found on:

• Cisco 1841
• Cisco 2811
• Cisco 3825

but it’s likely that other devices are affected, too…

Is it your router infected? The are several ways to find infected router:

1. Using a show command:

show platform | include RO, Valid

Implanted router may produce no results, otherwise you see something like this:

Ciscozine#show platform | include RO, Valid
16M 0x40000000:0x41FFFFFF 0x00000000:0x01FFFFFF CacheMode=3, RO, Valid
1M 0x42000000:0x421FFFFF 0x02000000:0x021FFFFF CacheMode=3, RO, Valid
1M 0x42200000:0x423FFFFF 0x02200000:0x023FFFFF CacheMode=3, RO, Valid
1M 0x42400000:0x425FFFFF 0x02400000:0x025FFFFF CacheMode=3, RO, Valid
64K 0x42600000:0x4261FFFF 0x02600000:0x0261FFFF CacheMode=3, RO, Valid
64K 0x42620000:0x4263FFFF 0x02620000:0x0263FFFF CacheMode=3, RO, Valid
Ciscozine#

2. Using the python script SYNfulKnock_scanner

3. Using the NSE script with NMAP

Note: Cisco Talos has published the Snort Rule SID:36054 to help detect attacks leveraging the SYNful Knock malware.

How can I prevent IOS implant?

1. Using a strong password
2. Control physical access to the device
3. Using the MD5 File Validation feature with the command “verify /md5 filesystem:filename [md5-hash]”, before loading the new IOS.

References:

• https://www2.fireeye.com/WEB-2015-SYNful-Knock.html
• http://blogs.cisco.com/security/offline-analysis-of-ios-image-integrity
• http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html