Re: Synful Knock questions...

2015-09-26 Thread Hank Nussbacher
At 11:42 25/09/2015 -0700, Jake Mertel wrote: Looks like Cisco's Talos just released a tool to scan your network for indications of the SYNful Knock malware. Details @ http://talosintel.com/scanner/ . More details here: http://blogs.cisco.com/security/talos/synful-scanner -Hank --

Re: Synful Knock questions...

2015-09-25 Thread Jake Mertel
Looks like Cisco's Talos just released a tool to scan your network for indications of the SYNful Knock malware. Details @ http://talosintel.com/scanner/ . -- Regards, Jake Mertel Ubiquity Hosting *Web: *https://www.ubiquityhosting.com *Phone (direct): *1-480-478-1510 *Mail:* 5350 East High

Re: Synful Knock questions...

2015-09-16 Thread Roland Dobbins
On 16 Sep 2015, at 11:51, Paul Ferguson wrote: Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. And must have access to the box in order to utilize said credentials - which of course, there are BCPs intended to prevent same.

Re: Synful Knock questions...

2015-09-16 Thread Blake Hudson
Roland Dobbins wrote on 9/16/2015 1:27 AM: On 16 Sep 2015, at 11:51, Paul Ferguson wrote: Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. And must have access to the box in order to utilize said credentials - which of course, there

Re: Synful Knock questions...

2015-09-16 Thread Michael Douglas
It's unlikely the routers that got exploited were the initial entry point of the attack. The chain of events can look like this: spearphishing email with exploit-laden attachment; end user opens attachment, internal Windows endpoint compromised; malware makes outbound connection to command &

Re: Synful Knock questions...

2015-09-16 Thread Royce Williams
HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19 countries. https://zmap.io/synful/ Royce

RE: Re: Synful Knock questions...

2015-09-16 Thread Darden, Patrick
@nanog.org Subject: [EXTERNAL]Re: Synful Knock questions... . . . There's a big used equipment market. Even in the new equipment market, these devices could be intercepted prior to delivery.

Re: Synful Knock questions...

2015-09-16 Thread Roland Dobbins
On 16 Sep 2015, at 21:00, Michael Douglas wrote: It's unlikely the routers that got exploited were the initial entry point of the attack. I understand all that, thanks. At this point when they start messing around with routers, you're going to see activity coming from the intended internal

Re: Synful Knock questions...

2015-09-16 Thread Stephen Fulton
Follow-up to my own post, Fireeye has code on github: https://github.com/fireeye/synfulknock On 2015-09-16 10:27 AM, Stephen Fulton wrote: Interesting, anyone have more details on how to construct the scan using something like nmap? -- Stephen On 2015-09-16 9:20 AM, Royce Williams wrote: HD

Re: Synful Knock questions...

2015-09-16 Thread Stephen Fulton
Interesting, anyone have more details on how to construct the scan using something like nmap? -- Stephen On 2015-09-16 9:20 AM, Royce Williams wrote: HD Moore just posted the results of a full-Internet ZMap scan. I didn't realize that it was remotely detectable. 79 hosts total in 19

Re: Synful Knock questions...

2015-09-15 Thread Paul Ferguson
Please bear in mind that the attacker *must* acquire credentials to access the box before exploitation. Please discuss liberally. - - ferg' On 9/15/2015 1:46 PM, Stephen Satchell wrote: > On 09/15/2015 11:40 AM, Jake Mertel wrote: >> C) keep the

Re: Synful Knock questions...

2015-09-15 Thread Blake Hudson
I always perform the md5 and/or SHA verification of images on flash against the Cisco website. This is mainly to ensure a good transfer from TFTP. While I've never had a bad TFTP transfer (as in the transfer said successful, but files were corrupted), I have encountered images that were

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, I'm led to believe that the process(es) they overwrite are selected to cause no impact to the device. Relevant excerpt: ### Malware Executable Code Placement To prevent the size of the

Re: Synful Knock questions...

2015-09-15 Thread Michael Douglas
Wouldn't the calculated MD5/SHA sum for the IOS file change once it's modified (irrespective of staying the same size)? I'd be interested to see if one of these backdoors would pass the IOS verify command or not. Even if the backdoor changed the verify output; copying the IOS file off the router

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
Indeed -- While there are methods that can be used to "pack" a file so that it collides with a desirable checksum, that would be nearly impossible to do in this scenario. I suspect that you're right in all regards -- that taking the image file and checking it on another host would show obvious

Re: Synful Knock questions...

2015-09-15 Thread Jared Mauch
> On Sep 15, 2015, at 2:50 PM, Michael Douglas wrote: > > Wouldn't the calculated MD5/SHA sum for the IOS file change once it's > modified (irrespective of staying the same size)? I'd be interested to see > if one of these backdoors would pass the IOS verify command

Re: Synful Knock questions...

2015-09-15 Thread Michael Douglas
Does anyone have a sample of a backdoored IOS image? On Tue, Sep 15, 2015 at 2:15 PM, wrote: > I'm sure most have already seen the CVE from Cisco, and I was just reading > through the documentation from FireEye: > >

Re: Synful Knock questions...

2015-09-15 Thread Marcin Cieslak
On Tue, 15 Sep 2015, Jake Mertel wrote: > Reading through the article @ > https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html, > I'm led to believe that the process(es) they overwrite are selected to > cause no impact to the device. Relevant excerpt: > > ### > Malware

Re: Synful Knock questions...

2015-09-15 Thread Ricky Beam
On Tue, 15 Sep 2015 14:35:44 -0400, Michael Douglas wrote: Does anyone have a sample of a backdoored IOS image? The IOS image isn't what gets modified. ROMMON is altered to patch IOS after decompression before passing control to it. I don't know WTF they're

Re: Synful Knock questions...

2015-09-15 Thread Valdis Kletnieks
On Tue, 15 Sep 2015 11:54:30 -0700, Jake Mertel said: > Indeed -- While there are methods that can be used to "pack" a file so that > it collides with a desirable checksum, that would be nearly impossible to > do in this scenario. Small clarification here. There are known methods to easily

Re: Synful Knock questions...

2015-09-15 Thread Stephen Satchell
On 09/15/2015 11:40 AM, Jake Mertel wrote: C) keep the image firmware file size the same, preventing easy detection of the compromise. Hmmm...time to automate the downloading and checksumming of the IOS images in my router. Hey, Expect, I'm looking at YOU. Wait a minute...doesn't Cisco

Re: Synful Knock questions...

2015-09-15 Thread Valdis Kletnieks
On Tue, 15 Sep 2015 13:46:38 -0700, Stephen Satchell said: > > Switch#verify /md5 my.installed.IOS.image.bin > > The output is a bunch of dots (for a switch) followed by an output line > that ends "= xxx" with the x's > replaced with the MD5 hash. You *do*

Re: Synful Knock questions...

2015-09-15 Thread Alain Hebert
Well, It would be pointless to do, If the flash version and the running executable already replaced that function to return the right MD5 as from the CCO repository... But yes, scheduling the downloading the firmware and doing a SHA512 from your known good source (aka the

Re: Synful Knock questions...

2015-09-15 Thread Jake Mertel
My apologies, Valdis is indeed correct, I did not mean to suggest that it would be possible to make modifications in such a way that would result in an identical checksum. Sorry for the confusion and extra noise. -- Regards, Jake Mertel Ubiquity Hosting *Web: