Cisco released a tool to scan for SYNful_Knock implants

Talos has developed a Python script for customers to scan their own network to identify routers that may have been compromised by the SYNful_Knock hack.

A couple of weeks ago I published the news of the SYNful_knock security issue involving CISCO routers.

CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images, which is the bootstrap program that initializes the CISCO hardware and boot the software. A few days ago, security experts at Mandiant confirmed to have detected such “implants” in the wild, the researchers found the malicious ROMMON images dubbed “SYNful_Knock,” on 14 Cisco routers located in Ukraine, Philippines, India and Mexico. The Cisco models 1841, 2811, 3825 are affected, it is important to highlight that they are no longer being on the market.

SYNful_Knock Details malicious ROMMON 2

Now Cisco has decided to provide a free tool, dubbed SYNful_knock scanner, to allow administrators to test it their routers was running a bogus firmware implanted through the “SYNful_knock” hack.

To administrators need Python 2.7 and the scapy 2.3.1 packet manipulation library in order to launch the tool.

The Cisco Talos security group analyzed the malicious implants that infected a number of its customers and developed a tool to scan a network searching for compromised routers.

“Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware.” explained William McVey of the Talos Group.

The tool developed by Cisco is able to detect only the currently known version of the malicious implants.

“This tool can only detect hosts responding to the malware ‘knock’ as it is known at a particular point in time … it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”

To run the tool, you’ll need Python 2.7 and the scapy 2.3.1 packet manipulation library.

Pierluigi Paganini

(Security Affairs – CISCO, SYNful_knock)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.