On Tue, 15 Sep 2015, Jake Mertel wrote:
> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm led to believe that the process(es) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
>
> ###
> Malware Executable Code Placement
>
> To prevent the size of the image from changing, the malware overwrites
> several legitimate IOS functions with its own executable code. The
> attackers will examine the current functionality of the router and
> determine functions that can be overwritten without causing issues on the
> router. Thus, the overwritten functions will vary upon deployment.
> ###
>
> So, if the device in question isn't using OSPF, then the malware may
> overwrite the code for the OSPF process, allowing them to A) infect the
> device; B) cause no disruption to the operational state of the device
> (since, presumably, OSPF isn't going to be turned on); and C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.
That explains why on my home IOS router either IPsec works properly or 802.11, but never both :)

~Marcin
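The quoted excerpt makes the defensive point explicit: an in-place overwrite of unused functions leaves the image file size unchanged, so a size comparison against the vendor's published figure proves nothing. The script below is an added example, not part of this thread or of the FireEye write-up, showing why verification has to rest on a digest taken from a known-good copy and how a byte-level diff against that copy localises the overwritten region. The two "images" are constructed byte strings of identical length, not real IOS firmware; a real check would hash the image pulled from the device's flash and compare it with the vendor-published or lab-recorded SHA-256.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-ins for a known-good image and a copy that was modified
# in place. They are invented for this example and are not real firmware.
GOOD_IMAGE = (b"\x00" * 64) + b"OSPF-CODE-REGION" * 4 + (b"\xff" * 64)
# Same total length: the 64-byte middle region has been replaced in place,
# which is the property the quoted excerpt describes.
TAMPERED_IMAGE = (b"\x00" * 64) + b"x" * 64 + (b"\xff" * 64)


def sha256_hex(data: bytes) -> str:
    """Digest of an image; record this from a trusted copy, not from the device."""
    return hashlib.sha256(data).hexdigest()


def size_check(candidate: bytes, reference: bytes) -> bool:
    """The naive check: passes for any in-place overwrite of equal length."""
    return len(candidate) == len(reference)


def hash_check(candidate: bytes, reference_digest: str) -> bool:
    """The meaningful check: compare against a digest of a known-good image."""
    return sha256_hex(candidate) == reference_digest


def diff_regions(candidate: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte offsets where two equal-length images differ.

    Once the hash check fails, this tells an analyst which regions were
    replaced so they can be mapped back to the functions that lived there.
    """
    if len(candidate) != len(reference):
        raise ValueError("diff_regions expects images of equal length")
    regions: List[Tuple[int, int]] = []
    start = None
    for offset, (a, b) in enumerate(zip(candidate, reference)):
        if a != b and start is None:
            start = offset
        elif a == b and start is not None:
            regions.append((start, offset))
            start = None
    if start is not None:
        regions.append((start, len(candidate)))
    return regions


if __name__ == "__main__":
    reference_digest = sha256_hex(GOOD_IMAGE)
    print("size matches:", size_check(TAMPERED_IMAGE, GOOD_IMAGE))
    print("hash matches:", hash_check(TAMPERED_IMAGE, reference_digest))
    for start, end in diff_regions(TAMPERED_IMAGE, GOOD_IMAGE):
        print(f"modified region: {start:#x}-{end:#x} ({end - start} bytes)")
```

Run as-is, the size check reports a match while the hash check fails, and the diff reports the single 64-byte region that was rewritten. The reference digest must come from a copy obtained independently of the device under examination; hashing the image on a device that may be compromised and comparing it with itself establishes nothing.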