Viral Infections in Cisco IOS
Ariel Futoransky
BlackHat ’08 USA. Las Vegas, NE. August 6th
Cisco IOS


Rootkits are very common in popular operating systems such as Windows, Linux and Unix, but they are rarely seen in embedded OSes. This is because embedded OSes are often closed-source, which makes reverse engineering harder than usual. In real life, once an attacker takes control of a system, he or she needs to maintain that access, and a rootkit is the tool installed to do so. The rootkit seizes control of the entire system by hiding files, processes and network connections -- allowing unauthorized users to act as system administrators.

This presentation demonstrates that a rootkit can be easily created and deployed for a closed-source OS like Cisco IOS, survive most security measures, and run unnoticed by system administrators. The presentation covers different ways to infect a target IOS, such as run-time patching and image binary patching. To present the binary patching technique from a practical point of view, Futoransky offers a set of Python scripts that insert a generic rootkit implementation called DIK (Da Ios rootKit), written in plain C for IOS. Other techniques, including run-time image infection, are also covered in detail.
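Image binary patching of the kind described above leaves the image stored on the device differing from the vendor-supplied one, so the practical defensive check is to compare the two off-box: hash the image pulled from flash against the vendor's published digest, and when they differ, locate the modified byte ranges for analysis. The Python below is an added example, not part of the talk's materials or the DIK scripts; the "images" are constructed byte strings standing in for a real IOS binary, and the expected digest is assumed to come from the vendor's download page. Running the comparison on a separate host matters because an on-box command can itself be patched by the rootkit.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed stand-ins for a known-good IOS image and a copy pulled from a
# device's flash. Real images would be read from files (see read_image below).
GOOD_IMAGE = bytes(range(256)) * 16                 # 4096 deterministic bytes
_patched = bytearray(GOOD_IMAGE)
_patched[0x100:0x104] = b"\xde\xad\xbe\xef"         # a 4-byte inline patch
_patched[0x800] ^= 0xFF                             # a single flipped byte
SUSPECT_IMAGE = bytes(_patched)


def read_image(path: str) -> bytes:
    """Read a whole image file (e.g. one copied from the router's flash)."""
    with open(path, "rb") as fh:
        return fh.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(data: bytes, expected_sha256: str) -> bool:
    """True when the image hash equals the vendor-published SHA-256.

    compare_digest avoids short-circuit comparison; expected value is
    normalised to lowercase so copy-pasted uppercase digests still match.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


def diff_regions(reference: bytes, suspect: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for each contiguous run where suspect differs.

    Length differences are reported as a trailing region, so an image that
    was truncated or had code appended is flagged as well as an inline patch.
    """
    regions: List[Tuple[int, int]] = []
    start = None
    total = max(len(reference), len(suspect))
    for i in range(total):
        a = reference[i] if i < len(reference) else None
        b = suspect[i] if i < len(suspect) else None
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, total - start))
    return regions


def report(reference: bytes, suspect: bytes, expected_sha256: str) -> List[str]:
    """Human-readable findings, returned as lines so they can be logged."""
    lines = []
    if verify_image(suspect, expected_sha256):
        lines.append("image hash matches vendor digest")
        return lines
    lines.append("image hash MISMATCH against vendor digest")
    for offset, length in diff_regions(reference, suspect):
        snippet = suspect[offset:offset + min(length, 8)].hex()
        lines.append(f"  modified bytes at 0x{offset:x}, length {length}: {snippet}")
    return lines


if __name__ == "__main__":
    # In practice the expected digest is copied from the vendor, not computed
    # from a local reference; here the reference image supplies it.
    expected = sha256_hex(GOOD_IMAGE)
    for line in report(GOOD_IMAGE, SUSPECT_IMAGE, expected):
        print(line)
```

The byte-level diff is only meaningful when the reference is the exact same image version and feature set as the one deployed; a mismatch between different builds is expected and says nothing about tampering.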