SCF Advanced Search


Members
Stats
  • Total Posts: 31892
  • Total Topics: 9600
  • Online Today: 1406
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)











Author Topic: Cisco released a Free tool for testing “SYNful knock” vulnerability in routers  (Read 1088 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7456
  • KARMA: 312
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


Cisco's moved on the “SYNful knock” vulnerability with a free tool letting admins test their routers for fudged firmware.

The vulnerability emerged in August: http://tools.cisco.com/security/center/viewAlert.x?alertId=40411 , when The Borg warned that its ROMMON firmware had been reverse-engineered. That meant a privileged user could flash routers with compromised versions.

Within a month, it was spotted in the wild: http://www.cisco.com/web/about/security/intelligence/integrity-assurance.html

The vulnerability got the name “SYNful knock” because the currently-known version of the malware givers a characteristic response to SYN packets.

That's let Cisco's security team, working with internal and external customers, to get copies of the malware and analyse its behaviour.

William McVey of the company's Talos Group writes: “Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware”.

He warns that the scanner only works on the currently-known malware: “This tool can only detect hosts responding to the malware 'knock' as it is known at a particular point in time … it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”

To run the tool, you'll need Python 2.7 and the scapy 2.3.1 packet manipulation library.

McVey's post includes guidelines for running the tool, which can be downloaded here: http://talosintel.com/scanner/

(ElReg)

Samker's Computer Forum - SCforum.info

Sponsored Links:




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising