FireEye published a write-up on a backdoor found implanted in Cisco routers: "SYNful Knock - A Cisco router implant - Part I".
The implanted routers were found spread across four countries:
Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
The affected models include:
The backdoor's distinguishing trait is that it is activated by specially crafted packets:
SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.
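As an added illustration of the "non-standard packets as pseudo-authentication" point (this is not code from FireEye's report, and it does not reproduce the implant's actual trigger), here is a small defensive check a network monitor could run: it parses raw TCP headers and flags SYN segments that carry a non-zero acknowledgement number even though the ACK flag is clear. Per RFC 793 a plain SYN has no meaningful ack field, so such segments are anomalous and worth alerting on. The sample segments are constructed inline and are not real captures.

```python
import struct

# TCP flag bits in the low 9 bits of the data-offset/flags word
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Build a fixed 20-byte TCP header (no options, zero checksum).

    Used only to construct sample segments for this example."""
    off_flags = (5 << 12) | flags  # data offset 5 words = 20 bytes
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed part of a TCP header (the IP header is assumed stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20]
    )
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,
        "flags": off_flags & 0x01FF,
        "window": window,
    }


def is_nonstandard_syn(hdr: dict) -> bool:
    """True for a SYN (ACK flag clear) whose ack field is nevertheless non-zero.

    Such a segment violates normal handshake semantics, which is exactly the
    kind of deviation a "magic packet" style trigger tends to rely on."""
    flags = hdr["flags"]
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and hdr["ack"] != 0


# Constructed sample traffic (hypothetical, not captured data)
SAMPLES = {
    "normal_syn": build_tcp_header(40000, 80, 0x11111111, 0, TCP_SYN),
    "syn_ack": build_tcp_header(80, 40000, 0x22222222, 0x11111112, TCP_SYN | TCP_ACK),
    "odd_syn": build_tcp_header(40001, 80, 0x33333333, 0x0000ABCD, TCP_SYN),
}


def scan(segments: dict) -> list:
    """Return the names of segments that trip the non-standard-SYN heuristic."""
    return [
        name
        for name, seg in segments.items()
        if is_nonstandard_syn(parse_tcp_header(seg))
    ]


if __name__ == "__main__":
    print(scan(SAMPLES))  # ['odd_syn']
```

In practice the same check would be applied to segments pulled from a capture or a span port; the point is that a legitimate TCP stack never emits a SYN with a non-zero ack field, so a low false-positive alert can be built on this alone, independent of any implant-specific value.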
The key point is that the memory protection mechanism is disabled (every page becomes RW):
The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.
The post also points to a Cisco article on dumping the image for analysis: "Offline Analysis of IOS Image Integrity".