On Sun, 18 May 2008, Joel Jaeggli wrote:
The result from your check can easily be modified, first thing I would have changed is the checker.
That is a normal thing to do with rootkits (return bogus results). Which is part of the reason I suggested that method I did. Short of pulling the flash you're not going to get a fully unbiased view of what's it on it thusly the audit process has some limitations.
A TCPA style boot process would be a better approach. It's certainly not a quick fix since it in general can't be retrofited to existing products.
EuSecWest released this interview about the rootkit with its creator, Sebastian Muniz of Core Security, it also mentions a third party product to detect some of these issues. Thank whatever diety we like for FX's work, as obviously Cisco isn't there yet. http://eusecwest.com/sebastian-muniz-da-ios-rootkit.html
Say you did this from a usb stick--I'd just hide the rootkit in memory.
In the end if you subvert a router, presumably you're doing it for a purpose and given what the device does, that purpose is probably detectable in a well instrumented network.
Subversion may not be the goal. A router is perfect for faking outgoing traffic. This traffic can contain stolen sniffed or relayed data.
If my device is now taking marching orders from a third party then by definition it is subverted, regardless of agency or activity.
sub verte - turn from under