Cisco routers infected with highly stealthy backdoor in at least 4 countries




Researchers have found an active and highly stealthy attack that installs a backdoor on Cisco routers; the infection gives attackers a persistent foothold in targeted networks, and more than a dozen routers have been found compromised.

The malware, dubbed SYNful Knock, has been found on 14 routers in four countries: Ukraine, the Philippines, Mexico, and India. The compromised routers may be used to infect other parts of the network, researchers from security firm FireEye wrote in a report published Tuesday morning. The malicious router implant is loaded each time the device boots and supports up to 100 modules that can be tailored to individual targets. Cisco Systems officials have confirmed the discovery and released intrusion-detection signatures that customers can use to identify and defend against ongoing attacks.

“The impact of finding this implant on your network is serious and most likely indicates the presence of other footholds or compromised systems,” FireEye researchers wrote Tuesday. “This backdoor provides the attacker with ample capability to propagate and compromise other hosts and critical data, while using this as a very stealthy beachhead.”

The initial infection does not appear to exploit any vulnerability in Cisco devices. Instead, the attackers appear to use factory default credentials or credentials that are known to them by some other means. The detailed FireEye report comes after Cisco warned customers of a series of attacks on key Cisco equipment that completely hijack the network. Those attacks, Cisco said, worked by replacing the valid ROM monitor, or “ROMMON,” the firmware image that Cisco devices use to boot.

The FireEye report does not say who the 14 infected routers belong to, or whether the people behind the attack are sponsored by a spy agency or a state-backed organization. In an interview with Reuters, FireEye CEO Dave DeWalt said, “This feat can only be achieved by a small group of nation-state actors.” In any case, there is little doubt that whoever built the backdoor had professional development resources. The researchers wrote:

Implant summary

The implant is a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the Internet. The implant also provides unrestricted access using a secret backdoor password. Each module is delivered to the router’s interface via the HTTP protocol (not HTTPS), using specially crafted TCP packets. The packets have non-standard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or provide a hook within the router’s IOS that offers functionality similar to the backdoor password. The backdoor password provides access to the router through the console and Telnet.

Known affected hardware


Cisco 1841 router

Cisco 2811 router

Cisco 3825 router

Note: These are the models we initially identified; other models may be affected based on the similarity of their core functionality and IOS code base.


Once the implanted Cisco IOS image is resident and loaded, it persists in the environment even after the system is restarted. However, any further modules the attacker loads exist only in the router’s volatile memory and are not available after a reboot. From a forensic perspective, if one of the modules has been loaded, it can be analyzed from a core file obtained from the router’s memory image.


The modifications to the IOS binary can be broken down into the following four functions:

Modify the translation lookaside buffer (TLB) read/write attributes

Modify a legitimate IOS function to call and initialize the malware

Overwrite legitimate protocol handling functions with malicious code

Overwrite strings referenced by legitimate functions
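The implant summary above says modules are delivered with crafted TCP packets carrying non-standard sequence and acknowledgment numbers. The following screen, added here as an example and not code from the FireEye report, Cisco, or the article, checks the handshake arithmetic of TCP segments against what an ordinary connection requires: a plain SYN acknowledges nothing, and a SYN-ACK acknowledges the client's initial sequence number plus one. The Segment record format, the addresses, and every value in the sample capture are constructed for illustration; the check flags deviations from normal TCP rather than matching a specific signature, which the page does not give.

```python
"""Heuristic handshake check for TCP segments with non-standard sequence
and acknowledgment numbers. Added example, not code from FireEye or Cisco;
the Segment record format and all sample values are constructed."""
from __future__ import annotations

from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # TCP sequence space wraps at 2**32


@dataclass(frozen=True)
class Segment:
    """Minimal view of one TCP segment (constructed record format)."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # letters from "S", "A", "P", "F", "R"
    seq: int
    ack: int


def screen_handshakes(segments: list[Segment]) -> list[tuple[Segment, str]]:
    """Return (segment, reason) pairs for segments whose seq/ack fields
    break normal three-way-handshake arithmetic."""
    pending: dict[tuple, int] = {}  # (client, server, cport, sport) -> client ISN
    findings: list[tuple[Segment, str]] = []
    for s in segments:
        syn, ack_flag = "S" in s.flags, "A" in s.flags
        if syn and not ack_flag:
            # A plain SYN opens a flow; its acknowledgment field is unused
            # in normal TCP, so a non-zero value is a deviation worth a look.
            if s.ack != 0:
                findings.append((s, "SYN carries a non-zero acknowledgment number"))
            pending[(s.src, s.dst, s.sport, s.dport)] = s.seq
        elif syn and ack_flag:
            # A SYN-ACK must acknowledge exactly ISN+1 of the SYN it answers.
            key = (s.dst, s.src, s.dport, s.sport)
            isn = pending.get(key)
            if isn is None:
                findings.append((s, "SYN-ACK without a preceding SYN in this capture"))
            elif s.ack != (isn + 1) & MASK32:
                findings.append((s, "SYN-ACK acknowledges a value other than client ISN+1"))
    return findings


# Constructed sample capture: one clean handshake to a web port, followed by
# a SYN with a non-zero ack field and a SYN-ACK that acknowledges the wrong
# value. Addresses use private and documentation ranges.
SAMPLE_SEGMENTS = [
    Segment("10.0.0.5", "192.0.2.1", 40000, 80, "S", 1000, 0),
    Segment("192.0.2.1", "10.0.0.5", 80, 40000, "SA", 5000, 1001),
    Segment("10.0.0.5", "192.0.2.1", 40000, 80, "A", 1001, 5001),
    Segment("10.0.0.9", "192.0.2.1", 40001, 80, "S", 0x12345678, 0x0BADF00D),
    Segment("192.0.2.1", "10.0.0.9", 80, 40001, "SA", 7000, 42),
]

if __name__ == "__main__":
    for seg, reason in screen_handshakes(SAMPLE_SEGMENTS):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} [{seg.flags}] {reason}")
```

On the constructed capture the clean handshake produces no finding, while the two deviating segments are each reported once. In practice a screen like this runs over a capture taken at the router's management or WAN interface and feeds the flagged flows to an analyst; it is a triage aid, and a hit should be followed by the image and memory checks the report describes.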

Because routers usually sit outside the perimeter covered by firewalls and many other security appliances, router-based backdoors make an ideal hacking tool. Not only can attackers use them to monitor communications entering and leaving targeted organizations, they can also use them to infect other sensitive hardware on the same network. Attacks of this kind have been demonstrated for several years, but this is one of the first times researchers have found such a compromise happening in the wild. It would not be surprising if equally advanced router backdoors exist for both Cisco and its competitors’ products.

The post provides several commands that administrators can use to check whether the devices they maintain are infected. Although the current attack appears to affect a small number of unsecured routers, it is not a bad idea for all administrators to check their equipment, because compromises of this kind have rarely been seen. In the early stages of many investigations, it is not unusual for researchers to miss important clues or to see only a small part of a larger pattern. Administrators who want help checking their gear can email SYNful Knock’s researchers at



Author: ArticleManager