Cisco Systems is releasing a free software tool that customers can use to scan their routers for the SYNful Knock malware that has infected at least 200 appliances around the world
The malware was first made public earlier this month, with Cisco and Mandiant, a subsidiary of cyber-security technology vendor FireEye, announcing that 14 routers in four countries (India, Mexico, the Ukraine and the Philippines) were infected. However, a week later, a Cisco partner, cyber-security organization Shadowserver Foundation, announced with the networking giant that the SYNful Knock malware had been detected on almost 200 routers in 31 countries.
Cisco was working with Shadowserver to get a more accurate count on the number of infected systems.
The malware is designed to take over the routers and offer a backdoor access, enabling attackers to install other malware, gain control of Internet traffic, direct users to other sites, steal data and launch attacks against other devices.
The malware looks to compromise the Cisco's IOS software on the routers.
"The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems," FireEye researchers wrote in a post on the company's blog. "This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead."
Cisco responded with an Event Response Page that gave customers information about detecting and remediating such attacks.
"The most recent addition to the toolkit Cisco is providing customers comes after the Cisco PSIRT [Product Security Incident Response Team] worked with internal teams and customers to acquire copies of the malware," William McVey, technical lead at Cisco's Talos Security Intelligence and Research Group, wrote in a post on the company blog. "Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware. The tool works by scanning devices and networks, looking for routers answering the SYNful Knock malware."
McVey noted that the tool "can only detect hosts responding to the malware 'knock' as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures."
Cisco researchers developed the software tool in Python, and it requires Python version 2.7 and the Scapy v2.3.1 packet manipulation library, he wrote. The tool works by injecting custom-crafted packets at the Ethernet layer (Layer 2) of the network, and then monitors and parses the responses. To do this, the tool must be run with root privileges.
The tool can be downloaded from Cisco's Website.
McVey also wrote that running the tool through network address translation (NAT) can hurt its accuracy, causing the software to be unable to detect infected routers.
"Therefore, it is recommended that you run the tool from a network location which does not have NAT between the source system and the destinations being scanned," he wrote. "Additionally, if you scan from a multi-homed device, you may wish to specify which network interface to use for scanning with the '–iface' option. By default, the first network interface associated with a default route is chosen."
A Cisco spokesman told eWEEK earlier this month "these attacks do not exploit vulnerabilities, but instead use compromised credentials or physical access to install malware on network devices. We've shared guidance on how customers can harden their network, and prevent, detect and remediate this type of attack."
McVey warned that networking hardware and the credentials they hold will continue to be high-value targets for cyber-criminals, and urged organizations to apply best practices for network hardening to defend against attacks.
"It remains important to protect [networking devices] accordingly, as any device can be compromised once an attacker gains physical access to a device or the credentials for privileged accounts," he wrote.