Update: Cisco issues free scanner for SYNful Knock

After the revelation that 200 Cisco routers have been compromised with the SYNful Knock implant, Cisco has released a free scanner for customers.

Cisco have released help for customers with SYNful Knock (pic source: wikimedia)
Cisco have released help for customers with SYNful Knock (pic source: wikimedia)

A scanner has been released to help combat a new kind of malware, previously thought theoretical.

In response to the revelations of the SYNful Knock bug being found on hundreds of Cisco routers around the world, Cisco has released a tool for scanning for the malware.

After Cisco acquired copies of the malware and worked with various internal teams, Cisco's Talos Security Intelligence and Research Group  produced a scanner for customers. The scanner allows Cisco customers to examine their own networks and devices, seeing if any of those answer to SYNful Knock.

Cisco explained the scanner in a blog post added the disclaimer that: “This tool can only detect hosts responding to the malware ‘knock' as it is known at a particular point in time. This tool can be used to help detect and triage known compromises of infrastructure, but it cannot establish that a network does not have malware that might have evolved to use a different set of signatures.”

SYNful Knock was discovered early last week by FireEye's Mandiant Team, which found the malware on 14 Cisco routers in India, Mexico, The Philippines and Ukraine. Nearly a week later, Cisco, working with the Shadowserver Foundation, a volunteer organisation, discovered that hundreds of Cisco routers had been infected with SYNful Knock, most of those being in the US.

SYNful Knock allows attackers to gain control of routers. In a recent report on these implants, researchers noted that, "The implant uses techniques that make it very difficult to detect. A clandestine modification of the router's firmware image can be utilised to maintain perpetual presence to an environment." Even after the infected router undergoes a system reboot, the implant persists within the router although modules that may have been loaded would be wiped.

Security blogger, Bruce Schneier wrote at the time that, “this is very much the sort of attack you'd expect from a government eavesdropping agency”

Cisco has attempted to allay fears and is eager to tell users that “this malware attack is not a vulnerability, as it had to be installed by someone using valid credentials or who had physical access to the device” as Yvonne Malgren, a spokesperson for Cisco told SCmagazineUK.com

Tony Lee, of FireEye's Mandiant Team spoke to SC on discovery of SYNful knock on the routers, “This attack was largely thought to be theoretical in nature. Now we have a real live example This may start whole new chapter in attack and defence.”

Writing with Bill Hau, another member of the Mandiant team, Lee authored a report on the discovery of this new kind of malware. In the report, Lee and Hau outline the significance of this threat. They say that SYNful Knock bypasses “the belief that we have dug the foundations to these large stone walls deep enough so we don't need to worry about what happens below ground. Any attack below the ground surface was deemed mostly theoretical in nature.”

They add, “as no one is really monitoring below the castle walls, we hope to reinforce the need for governments and organisations to understand that the barbarians may have already dug under the gates and they are already inside the castle.”

The scanner is offered for free and can be found here.

Cisco commented on the new scanner, saying "The SYNful Knock scanning tool is the most recent addition to the toolkit that Cisco is providing customers to manage this new type of threat. We have seen a significant number of downloads, and if a customer is affected, the tool provides guidance on how to contact Cisco. Requests for support as a result of customers detecting this malware have been minimal. Based on the findings from partnering with Shadowserver last week, Cisco is reaching out to potentially affected customers."