Killing the myth of Cisco IOS rootkits:DIK (DA IOS ROOTKIT)

Rootkits are very common in most operating systems, including popular Windows, Linux and Unix software, or any variant of those systems, however they are rarely found in embedded OSes.

This is due to the fact that most of the time embedded OSes have closed source code, with the internals of the software unknown to the public, making the reverse engineering process harder than usual.

In real life, it's very common that once an attacker takes control of a system, he or she will want to maintain access to it, and in an attempt to keep those actions undetected a rootkit will be installed.

The rootkit seizes control of the entire OS running on the compromised device by hiding files, processes and network connections, and allowing unauthorized users to act as system administrators -- while retaining its stealth capabilities and hiding the attacker's presence.

This paper demonstrates that a rootkit with those characteristics can easily be created and deployed for a closed source OS like Cisco IOS and run hidden from system administrators surviving most, if not all, of the security measures that can be deployed by experts in the field.

As a proof of this theory, several different techniques for infecting an IOS target will be described, including image binary patching.

From a practical point of view, one of these techniques will be implemented using a set of Python[1] scripts that provide the necessary methods to insert a generic rootkit implementation written in the C programming language-- called DIK (Da IOS Rootkit)- into the target IOS.