On Sun, 18 May 2008, Joel Jaeggli wrote:

>> The result from your check can easily be modified; first thing I would have
>> changed is the checker.
>
> That is a normal thing to do with rootkits (return bogus results). Which is
> part of the reason I suggested the method I did. Short of pulling the flash
> you're not going to get a fully unbiased view of what's on it; thus the
> audit process has some limitations.
>
> A TCPA style boot process would be a better approach. It's certainly not a
> quick fix since it in general can't be retrofitted to existing products.
EuSecWest released this interview about the rootkit with its creator, Sebastian Muniz of Core Security; it also mentions a third-party product to detect some of these issues. Thank whatever deity we like for FX's work, as obviously Cisco isn't there yet.

http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html

>> Say you did this from a USB stick -- I'd just hide the rootkit in memory.
>>
>>> In the end if you subvert a router, presumably you're doing it for a
>>> purpose and given what the device does, that purpose is probably
>>> detectable in a well instrumented network.
>>
>> Subversion may not be the goal. A router is perfect for faking outgoing
>> traffic. This traffic can contain stolen sniffed or relayed data.
>
> If my device is now taking marching orders from a third party then by
> definition it is subverted, regardless of agency or activity.
>
> sub verte - turn from under

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
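The thread's two points, that a rootkit can simply return bogus results to any on-box checker and that a TCPA-style measured boot is the structural fix, can be shown side by side. The following is an added illustration, not code from the thread, from Core Security or from any Cisco product: it simulates TPM-style PCR extension over constructed sample "firmware" components, then lets a rootkit lie about the event log or the PCR value and shows which check catches each lie. The attestation "quote" is an HMAC with a key the router software is assumed not to hold, standing in for a TPM's asymmetric attestation signature; the component blobs, key and nonce are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample components (not real firmware), in boot order.
CLEAN_COMPONENTS = [
    ("bootloader", b"ROMMON v1.2 (constructed sample)"),
    ("ios_image",  b"c2800nm-adventerprisek9-mz.bin (constructed sample)"),
    ("config",     b"hostname edge1\ninterface Gi0/0\n ip address 192.0.2.1 255.255.255.0\n"),
]
# Same router with a rootkit patched into the IOS image blob.
ROOTKITTED_COMPONENTS = [
    (name, blob + b"\n[rootkit payload]" if name == "ios_image" else blob)
    for name, blob in CLEAN_COMPONENTS
]
# Assumed: secret lives inside the TPM, unreadable by IOS or a rootkit in it.
ATTESTATION_KEY = b"constructed-tpm-attestation-key"
NONCE = b"verifier-nonce-0001"   # chosen fresh by the remote verifier per query

def measure(component: bytes) -> bytes:
    return hashlib.sha256(component).digest()

def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). There is no 'set PCR'
    operation, so software can only append, never rewrite history."""
    return hashlib.sha256(pcr + measurement).digest()

def measured_boot(components):
    """Measure each component before handing control to it, extend into one
    PCR, and keep an event log of (name, measurement) for the verifier."""
    pcr = b"\x00" * 32
    log = []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m))
        pcr = extend_pcr(pcr, m)
    return pcr, log

def quote(pcr: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stand-in for a TPM quote: MAC over (nonce || PCR). The TPM only ever
    quotes the PCR value it actually holds."""
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(golden_pcr, reported_pcr, reported_log, q, nonce, key) -> str:
    """Remote verifier: is the quote genuine and fresh, does the log replay to
    the quoted PCR, and is that PCR the known-good value?"""
    if not hmac.compare_digest(q, quote(reported_pcr, nonce, key)):
        return "bad-quote"
    replay = b"\x00" * 32
    for _, m in reported_log:
        replay = extend_pcr(replay, m)
    if replay != reported_pcr:
        return "log-mismatch"
    if reported_pcr != golden_pcr:
        return "untrusted-state"
    return "ok"

def scenario(infected: bool, lie_about_log: bool = False, lie_about_pcr: bool = False) -> str:
    """Boot clean or rootkitted, then let the rootkit pick what to report.
    It can forge the log and the claimed PCR, but not the TPM's quote."""
    golden_pcr, clean_log = measured_boot(CLEAN_COMPONENTS)
    real_pcr, real_log = measured_boot(ROOTKITTED_COMPONENTS if infected else CLEAN_COMPONENTS)
    q = quote(real_pcr, NONCE, ATTESTATION_KEY)   # the only quote obtainable
    reported_pcr = golden_pcr if lie_about_pcr else real_pcr
    reported_log = clean_log if lie_about_log else real_log
    return verify(golden_pcr, reported_pcr, reported_log, q, NONCE, ATTESTATION_KEY)

if __name__ == "__main__":
    print("clean boot:                    ", scenario(False))
    print("rootkit, honest report:        ", scenario(True))
    print("rootkit, forged log:           ", scenario(True, lie_about_log=True))
    print("rootkit, forged log and PCR:   ", scenario(True, lie_about_log=True, lie_about_pcr=True))
```

The last three cases are exactly the "return bogus results" move from the thread: an on-box checker the rootkit controls would have printed "ok" every time, whereas here each lie fails a different check, because the PCR is extend-only and the quote key is outside the software's reach. That is also why it cannot be retrofitted: the measurement root has to run before, and independently of, the image being measured.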