The security of networking gear from Cisco Systems Inc. is once again in the spotlight as a new bot threatens the
networking giant's routers just as another flaw is patched.
Symantec Corp. and the SANS Internet Storm Center are among the sources to confirm the existence of W32.Spybot.ZIF, a network-aware bot that propagates by exploiting various Windows vulnerabilities.
According to Symantec, the bot "opens a back door by contacting an IRC server on the domain scv.unixirc.de, through TCP port 6667." More specifically, it reportedly causes a boundary error when the authentication proxy is processing user authentication credentials.
As a result, a remote attacker can perform a number of functions on a compromised computer, some of which include:
While instances in the wild so far have been few, Symantec classifies the damage and distribution potential as medium. The antivirus vendor has also updated its signatures to prevent users from infection.
Pedro Bueno, a handler for the Internet Storm Center, said that the bot is actively scanning Telnet port 23 and HTTP port 80, scoping out Cisco routers. "Once it finds some, it will report back to the controller, on an IRC server, from a Botnet," he said.
Bueno emphasized that the bot is remotely controlled by the botnet owner, and it is not yet clear if routers will be vulnerable to brute-force attacks as a result. Additionally, he said users that have applied all outstanding Windows patches are unlikely to be affected.
Separately, San Jose, Calif.-based Cisco released a patch for Cisco Management Center for IPS Sensors, its software for configuring network IPS devices.
According to a Cisco advisory, an issue with version 2.1 that generates an error in the Cisco IOS IPS configuration file.
That error, once the configuration file is deployed to Cisco devices using IOS, can be exploited maliciously to bypass certain security restrictions.
However, Danish vulnerability clearinghouse Secunia notes that the security issue only affects signatures that were enabled and configured from the IPS MC GUI and using either the STRING.TCP or STRING.UDP signature micro-engine.
Though Cisco said it has not learned of any public exploit, it has released a software fix for customers running Cisco Management Center for IPS Sensors version 2.1 on Windows and Solaris.