“Cisco Systems has provided a tool that allows enterprise users to scan their networks and discover if their routers have been compromised with malicious SYNful Knock implants.
The SYNful Knock Scanner is a Python script that scans networks, looking for hosts that respond to the malware’s specific knock.
“During its operation, the tool injects custom crafted packets at the Ethernet layer (layer 2) and monitors and parses the responses. This functionality requires that the tool be run with root privileges,” Cisco’s William McVey explained, and noted that while the scanner can be used to help detect and triage known compromises of infrastructure, it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.
If a compromised router is found, the scanner will provide instructions on what to do next. Users are can also contact the Cisco Product Security Incident Response Team (PSIRT) for help.
The SYNful Knock router implant was first discovered by FireEye researchers, and other researchers have found instances of compromised routers around the world.
The discovery came roughly a month after Cisco warned about attackers replacing the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image, after gaining administrative or physical access to a Cisco IOS device.
These compromises are not the result of the exploitation of a vulnerability, but of a legitimate feature that allows network admins to install an upgraded ROMMON image on IOS devices for their own purposes.
For more technical details and tool caveats, check out McVey’s blog post.”