Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Re: [Full-disclosure] [NANOG] IOS rootkits

From: Kurt Dillard (kurtdillardmsn.com)
Date: Sun May 18 2008 - 13:45:48 CDT

Apparently Gadi doesn't understand either. Rootkits don't need to exploit
vulnerabilities in an OS, they leverage the design of the OS or the
underlying hardware platform. You don't 'patch' the design of something. You
want to stop rootkits in IOS? Don't allow it to run arbitrary code, run the
OS in firmware rather than from writable storage. Go study up on rootkits
for a few weeks before you complain about someone demonstrating one. Unlike
you guys I happen to know what I am talking about as I've been studying
malware including rootkits for over 10 years. By studying I mean taking them
apart, figuring out how they work, and finding tools to deal with them; not
reading some half-assed article on CNET or Ziff-Davis full of technical

Over the past few years Cisco, Apple, and Oracle have behaved an awful lot
like Microsoft did 10 years ago, trying to pretend that their platforms are
immune to malware and refusing to approach vulnerabilities head-on with an
attitude of rational pragmatism. Dave Litchfield and his team have dragged
Oracle kicking and screaming to the world of reality, the same has yet to
happen with the other two firms.

-----Original Message-----
From: full-disclosure-bounceslists.grok.org.uk
[mailto:full-disclosure-bounceslists.grok.org.uk] On Behalf Of n3td3v
Sent: Sunday, May 18, 2008 12:50 PM
To: full-disclosurelists.grok.org.uk
Subject: Re: [Full-disclosure] [NANOG] IOS rootkits

On Sun, May 18, 2008 at 4:37 PM, Kurt Dillard <kurtdillardmsn.com> wrote:
> Obviously you have no idea how a rootkit works much less how to defend
> against them, your rants make no sense.
> Kurt


Gadi Evron is punching into this guy as well, check this out:

---------- Forwarded message ----------
From: Gadi Evron <gelinuxbox.org>
Date: Sun, May 18, 2008 at 3:48 PM
Subject: Re: [NANOG] IOS rootkits
To: Dragos Ruiu <drkyx.net>
Cc: topocoresecurity.com, fxrecurity-labs.com, nanogmerit.edu,

On Sun, 18 May 2008, Dragos Ruiu wrote:
> On 17-May-08, at 3:12 AM, Suresh Ramasubramanian wrote:
>> On Sat, May 17, 2008 at 12:47 PM, Matthew Moyle-Croft
>> <mmcinternode.com.au> wrote:
>>> If the way of running this isn't out in the wild and it's actually
>>> dangerous then a pox on anyone who releases it, especially to gain
>>> publicity at the expensive of network operators sleep and well being.
>>> May you never find a reliable route ever again.
>> This needs fixing. It doesnt need publicity at security conferences
>> till after cisco gets presented this stuff first and asked to release
>> an emergency patch.
> Bullshit.
> There is nothing to patch.
> It needs to be presented at conferences, exactly because people will
> play ostrich and stick their heads in the sand and pretend it can't
> happen to them, and do nothing about it until someone shows them, "yes
> it can happen" and here is how....
> Which is exactly why we've accepted this talk. We've all known this is
> a possibility for years, but I haven't seen significant motion forward
> on this until we announced this talk. So in a fashion, this has
> already helped make people more realistic about their infrastructure
> devices. And the discussions, and idea interchange that will happen
> between the smart folks at the conference will undoubtedly usher forth
> other related issues and creative solutions. Problems don't get fixed
> until you talk about them.

Dragus, while I hold full disclosure very close and it is dear to my
heart, I admit the fact that it can be harmful. Let me link that to
network operations.

People forget history. A few years back I had a chat with Aleph1 on the
first days of bugtraq. He reminded me how things are not always black and

Full disclosure, while preferable in my ideology, is not the best solution
for all. One of the reasons bugtraq was created is because vendors did not
care about security, not to mention have a capability to handle security
issues, or avoid them to begin with.

Full disclosure made a lot of progress for us, and while still a useful
tool, with some vendors it has become far more useful to report to them
and let them provide with a solution first.

In the case of routers which are used for infrastructure as well as
critical infrastructure, it is my strong belief that full disclosure is,
at least at face value, a bad idea.

I'd like to think Cisco, which has shown capability in the past, is as
responsible as it should be on these issues. Experience tells me they have
a ways to go yet even if they do have good processes in place with good
people to employ them.

I'd also like to think tier-1 and tier-2 providers get patches first
before such releases. This used to somewhat be the case, last I checked it
no longer is -- for legitimate concerns by Cisco. has this changed?

So, if we don't patch the infrastructure up first, and clients don't know
of problems until they are public "for their own security" (an argument
that holds water only so much) perhaps it is the time for full disclosure
to be considered a viable alternative.

All that aside, this is a rootkit, not a vulnerability. There is no
inherent vulnerability to patch (unless it is very local). There is the
vulnerability of operators who don't so far even consider trojan horses
as a threat, and the fact tools don't exist for them to do something once
they do.


> cheers,
> --dr
> --
> World Security Pros. Cutting Edge Training, Tools, and Techniques
> London, U.K. May 21/22 - 2008 http://cansecwest.com
> pgpkey http://dragos.com/ kyxpgp

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/