Reading through the article @ https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.htm..., I'm led to believe that the process(es) they overwrite are selected to cause no impact to the device. Relevant excerpt:

###
Malware Executable Code Placement

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attackers will examine the current functionality of the router and determine functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.
###

So, if the device in question isn't using OSPF, then the malware may overwrite the code for the OSPF process, allowing them to A) infect the device; B) cause no disruption to the operational state of the device (since, presumably, OSPF isn't going to be turned on); and C) keep the image firmware file size the same, preventing easy detection of the compromise.

--
Regards,
Jake Mertel
Ubiquity Hosting
Web: https://www.ubiquityhosting.com
Phone (direct): 1-480-478-1510
Mail: 5350 East High Street, Suite 300, Phoenix, AZ 85054

On Tue, Sep 15, 2015 at 11:15 AM, <eric-list@truenet.com> wrote:
I'm sure most have already seen the CVE from Cisco, and I was just reading through the documentation from FireEye:
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html
Question is that it looks to me like they are over-writing the ospf response for "show ip ospf timers lsa-group"? And if that's the case I'm guessing the router would need to have ospf enabled to be able to see the response?
Sincerely,
Eric Tykwinski TrueNet, Inc. P: 610-429-8300 F: 610-429-3222
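The practical consequence of the excerpt quoted above is that an image-size check (or a "does the file exist" check) tells you nothing, because the implant overwrites functions in place and the file stays the same length. What does surface it is a positional comparison of the running image against a pristine copy of the same release (or at minimum a hash comparison against the vendor's published digest). The script below is an added example written for this thread, not code from the FireEye write-up or from either poster: it hashes both images, refuses to positionally diff files of different sizes, merges runs of changed bytes into regions, and attributes each region to the function whose address range it overlaps. The 4 KiB "image", the symbol table, and the overwrite payload are all constructed for illustration; the names and offsets are not real IOS symbols or SYNful Knock artifacts.

```python
"""Byte-level diff of a known-good firmware image against a suspect copy.

Added example for the SYNful Knock thread. Everything below (image bytes,
symbol names, payload) is constructed; nothing is taken from a real IOS image.
"""
import hashlib
from typing import List, Tuple

Region = Tuple[int, int]               # half-open [start, end) byte range
Symbol = Tuple[str, int, int]          # (name, start, end) in the image


def sha256_hex(data: bytes) -> str:
    """Digest to compare against a pristine copy or a vendor-published hash."""
    return hashlib.sha256(data).hexdigest()


def find_modified_regions(good: bytes, suspect: bytes,
                          merge_gap: int = 16) -> List[Region]:
    """Return the byte ranges where `suspect` differs from `good`.

    Differing runs separated by fewer than `merge_gap` identical bytes are
    merged so that one patched function shows up as one region rather than
    as dozens of fragments (a payload will coincidentally match a few bytes
    of the code it replaced). A size mismatch is refused outright: it is
    already a finding, and a positional diff would be meaningless.
    """
    if len(good) != len(suspect):
        raise ValueError(f"size mismatch: {len(good)} vs {len(suspect)} bytes")
    regions: List[Region] = []
    start = None
    last_diff = -1
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b:
            if start is None:
                start = i
            last_diff = i
        elif start is not None and i - last_diff >= merge_gap:
            regions.append((start, last_diff + 1))
            start = None
    if start is not None:
        regions.append((start, last_diff + 1))
    return regions


def attribute_regions(regions: List[Region],
                      symbols: List[Symbol]) -> List[Tuple[int, int, List[str]]]:
    """Map each modified region to the function(s) whose range it overlaps."""
    hits = []
    for r_start, r_end in regions:
        names = [name for name, s_start, s_end in symbols
                 if s_start < r_end and r_start < s_end]
        hits.append((r_start, r_end, names or ["<no symbol>"]))
    return hits


# --- constructed sample data -------------------------------------------------
GOOD_IMAGE = bytes(range(256)) * 16            # 4096-byte stand-in "image"
SYMBOLS: List[Symbol] = [                      # made-up symbol table
    ("ospf_show_lsa_timers", 0x400, 0x500),    # unused on a non-OSPF box
    ("eigrp_send_hello",     0x500, 0x600),
    ("cli_show_version",     0x900, 0xA00),
]


def build_suspect_image() -> bytes:
    """Overwrite part of the idle OSPF function in place; size is unchanged."""
    img = bytearray(GOOD_IMAGE)
    payload = b"\x90" * 0x80                   # constructed filler, not implant code
    img[0x420:0x420 + len(payload)] = payload
    return bytes(img)


def report(good: bytes, suspect: bytes, symbols: List[Symbol]) -> List[str]:
    lines = [f"good    sha256 {sha256_hex(good)}",
             f"suspect sha256 {sha256_hex(suspect)}",
             f"size    {len(good)} vs {len(suspect)} bytes"]
    for r_start, r_end, names in attribute_regions(
            find_modified_regions(good, suspect), symbols):
        lines.append(f"modified 0x{r_start:05x}-0x{r_end:05x} "
                     f"({r_end - r_start} bytes) in {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in report(GOOD_IMAGE, build_suspect_image(), SYMBOLS):
        print(line)
```

On a real device the inputs would be the image pulled off flash (or dumped from memory, since a runtime-patched image need not match what is on disk) and a copy of the same release obtained directly from the vendor; the symbol table would come from the vendor or from your own disassembly. The point the example makes is the one Jake raises: equal size plus a different hash is exactly the signature of in-place function replacement, and the diff tells you which function was sacrificed.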