Cisco tool IDs malware in the firmware
Your SYNs, forgiven
Cisco's moved on the “SYNful knock” vulnerability with a free tool letting admins test their routers for fudged firmware.
The vulnerability emerged in August, when The Borg warned that its ROMMON firmware had been reverse-engineered. That meant a privileged user could flash routers with compromised versions.
Within a month, it was spotted in the wild.
The vulnerability got the name “SYNful knock” because the currently-known version of the malware gives a characteristic response to SYN packets.
That's let Cisco's security team, working with internal and external customers, get copies of the malware and analyse its behaviour.
William McVey of the company's Talos Group writes: “Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware”.
He warns that the scanner only works on the currently-known malware: “This tool can only detect hosts responding to the malware 'knock' as it is known at a particular point in time … it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”
To run the tool, you'll need Python 2.7 and the scapy 2.3.1 packet manipulation library.
McVey's post includes guidelines for running the tool, which can be downloaded here. ®