Much ado about rootkits

Ten days ago, the industry press was buzzing with the news of the IOS rootkit developed by Sebastian Muniz. At that time I wrote “Personally I doubt it would go beyond Tcl scripts that we already know about” … and now it's time to admit that:
  1. I was wrong.
  2. I'm really impressed.
Although the rootkit was just a proof of concept (which is usually enough for a white-hat researcher), it does demonstrate that you can (with proper skills, tools and lots of patience) reverse-engineer IOS, write your own code and insert it into IOS image.

The rootkit presentation prompted Cisco to generate an excellent document describing how to detect patched IOS images and the precautions you can take to ensure an intruder does not get access to your devices.

On the other hand, I was bitterly disappointed by the lack of coverage from the "industry press". There was speculation that Cisco released three patches in anticipation of the presentation (anyone who looked into what those patches were would easily find out that two of them were not IOS related) and a few notable exceptions correctly describing the situation, but some publications that were very loud before the presentation forgot to tell their readers that the threat was "slightly" over-rated. Of course, the lack of interest in non-sensational news has already started conspiracy theories.

If you want to have more details, read a down-to-earth description of the presented rootkit by Nicolas Fischbach.


  1. There is another opportunity to mess up with Cisco routers - the rommon upgrade. Personally I think that the factory partition can also be "upgraded" if patched IOS allows it. Are you interested in exploring this area? :)
  2. I would have been 20 years ago when I was writing (among other things) proof-of-concept viruses :) Those days are long gone ...
  3. On the other hand, I was bitterly disappointed by the lack of coverage from the "industry press".

    It's comforting to see my own feelings mirrored in your post. I was beginning to wonder how many people were paying attention to this.

    Also, in regard to the Full Disclosure post you linked to... The 'n3td3v' character is a well-known and widely ignored self-promoter in the infosec community. His/her latest conspiracy is par for the course.

    Not everything is what it seems . . .
  5. Are there any slights about the presentation?
  6. Sebastian Muniz blog contains all the info (slides and paper) and some interesting posts.
    Take a look at
Add comment