Fear Renewed: The Cisco Router Rootkit

The media is all abuzz about a possible Cisco router rootkit that may be part of a presentation at a near future security conference.

While various issues with Cisco gear have emerged over the years and there has been at least one really public overreaction on the part of Cisco to vulnerability disclosure talks, there is probably little to really get spun up about here for the average corporate manager or infosec person.

The big news is that hostile, difficult to detect code could be introduced to routers at any point in their lifespan if an attacker has access to introduce images onto the router. This is a common problem with almost every type of device. There have been a number of trojan horse loads for everything from home firewalls to other forms of network gear for a number of years. Sure, the Cisco router is almost ubiquitous, and sure, it powers a lot of the Internet at large, but I think we pretty much always assumed that attackers with physical access and opportunity could introduce bad things to a device if they gained opportunity.

So before you give in to the hype or fear mongering, consider how this is different than any other form of software/firmware or the like. Likely, you already have a process in place for blowing new firmware onto all devices you purchase before putting them into use (right???). If not, it might be time to think about writing one…

SQL Worm, MBR Rootkit

There is a SQL “worm” spreading through the internet taking advantage of sites vulnerable to SQL injection attacks. The attack injects javascript in to all fields in the database that attempts to exploit browser flaws on clients that visit the infected website.  Web developers should be aware of the increasing attacks using input validation errors as their attack vector.

We have received word of a working MBR rootkit that works on modern systems. Not a new concept, but one that hasn’t had attention for several years. Windows Vista allows users to edit the MBR from userland.  A MBR rootkit has been discovered in the wild at the end of 2007. Keep an eye on this for more information coming in the future.