UPDATE 9/23/15: VERT has released a script, based on the nping command FireEye published, that reports whether a host is affected. The script is available on the Tripwire VERT GitHub here. For IP360 customers, a variant of this check is available as a custom rule. Please contact Tripwire Support or view the TechNote in TCC for details.
I’ve always been a big fan of language. I’m a stickler for proper use of the Oxford comma, I believe that recent additions to the Oxford English Dictionary are contributing to the decay of our society, and I’m a big fan of using precise language to say what you mean. This final point is the one I’d like to address with this blog post, and SYNful Knock has, figuratively, opened the door on the subject.

The media has a huge impact on our industry. They fill a critical business role, putting the names of businesses and key players in front of the technical community with every article they write. While some journalists are technical, others rely on the industry to dictate the direction of their articles. I think this is great; journalists are quite skilled at weaving interesting stories together from the information they gather... as long as that information is accurate. It’s easy to forgive a journalist who reports incorrectly on an issue when they’ve been given incorrect information on the subject. It’s much harder to forgive the source of that information, especially when the source claims to be knowledgeable in our industry.

This is the case with SYNful Knock. SYNful Knock is, according to FireEye, a router implant: a modified router firmware image that contains a backdoor. It would be incorrect to call this a vulnerability. Backdoor or malware would be a better choice of word than vulnerability. Yet multiple vendors and a number of articles have represented SYNful Knock as a vulnerability. The distinction matters in practice: a vulnerability is addressed by patching, while an implant installed with valid credentials is addressed by verifying the firmware image, replacing it, and changing the credentials that let the attacker in.

Let me be clear – implanted routers are a critical issue. This is serious, but if you’re going to sound the alarm, make sure you’re clear about why you’re sounding it. After all, without understanding the problem, it’s difficult to react adequately. FireEye has done a great job communicating this issue via a pair of blog posts (Part I, Part II). Shadowserver has scanned the Internet to report on affected hosts.
A lot of groups have done a great job of making sure that this is handled properly. We can’t let a few people in the industry, rushing for the best sound bite, become our voice. We need to make sure that the terminology in the security community remains clear and concise, allowing for accurate communication. So, in an effort to contribute to that positive movement... here’s SYNful Knock at a glance:
- SYNful Knock is a router implant.
- It was installed on poorly secured routers, using weak or default credentials rather than an exploit.
- Attackers gain full control of the router and the traffic passing through it.
- At this time, a total of 199 unique IP addresses have been identified worldwide as affected [via Shadowserver].
- No vulnerabilities appear to have been used in the spread of this implant.