Whitepaper: Writing Cisco IOS Rootkits

Posted on Posted in Paper

This paper is about the work involved in modifying firmware images with the test case focused on Cisco IOS. It will show how it is a common misconception that doing such a thing involves advanced knowledge or nation state level resources. I think that one of the main reasons people think it’s so difficult is because there are no commonly known papers or tutorials that walk the reader through the entire process or give all the resources necessary in order to end the paper with a working rootkit. This paper will change that. This paper will provide sound methodologies, show how to approach the subject, and walk the reader through the entire process while providing the necessary knowledge so that by the end of the paper, if the reader is to follow it completely through, they will have a basic but functional firmware rootkit. Once you understand all of the base ideas and code, and have a working model, it becomes somewhat trivial to expand upon that to the point that you could make your own loader code and then provide dynamic, memory resident only, modules that add to the functionality of the core loader. While this paper will not go that in depth, what it will show is, first, a single byte modification of the IOS image that allows any password but the actual password to allow a log in and, second, how to over write function calls to call your own code, using as an example a trojan of the login process that allows you to specify a secondary, secret, login password. Once this is fully understood, building on this is not difficult and should allow the reader to create their own rootkit for personal research up to and beyond the capabilities of a ―SYNful Knock‖ type rootkit — in about a month or less. It doesn‘t take a nation state, or millions of dollars and high tech think tanks to write something like this. Trojaning firmware such as you are about to see is and has been extremely common in the underground hacking community for decades.