Cisco released a tool to scan for SYNful_Knock implants

Talos has developed a Python script for customers to scan their own network to identify routers that may have been compromised by the SYNful_Knock hack.

A couple of weeks ago I published the news of the SYNful_knock security issue involving CISCO routers.

CISCO issued an alert to warn enterprise customers about a spike in attacks in which hackers use valid admin credentials on IOS devices to install bogus ROMMON images, which is the bootstrap program that initializes the CISCO hardware and boot the software. A few days ago, security experts at Mandiant confirmed to have detected such “implants” in the wild, the researchers found the malicious ROMMON images dubbed “SYNful_Knock,” on 14 Cisco routers located in Ukraine, Philippines, India and Mexico. The Cisco models 1841, 2811, 3825 are affected, it is important to highlight that they are no longer being on the market.

Now Cisco has decided to provide a free tool, dubbed SYNful_knock scanner, to allow administrators to test it their routers was running a bogus firmware implanted through the “SYNful_knock” hack.

To administrators need Python 2.7 and the scapy 2.3.1 packet manipulation library in order to launch the tool.

The Cisco Talos security group analyzed the malicious implants that infected a number of its customers and developed a tool to scan a network searching for compromised routers.

“Talos has now developed a tool for customers to scan their own network to identify routers that may have been compromised by this specific malware.” explained William McVey of the Talos Group.  

The tool developed by Cisco is able to detect only the currently known version of the malicious implants.

“This tool can only detect hosts responding to the malware ‘knock’ as it is known at a particular point in time … it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”

To run the tool, you’ll need Python 2.7 and the scapy 2.3.1 packet manipulation library.

Pierluigi Paganini

(Security Affairs – CISCO, SYNful_knock)