News Stay informed about the latest enterprise technology news and product updates.

New bot may threaten Cisco routers

The network-aware bot spreads via unpatched Windows flaws and can scope out Cisco routers running vulnerable Telnet or HTTP servers. Separately, the networking giant has fixed a problem with its IPS configuration software.

The security of networking gear from Cisco Systems Inc. is once again in the spotlight as a new bot threatens the networking giant's routers just as another flaw is patched.

Symantec Corp. and the SANS Internet Storm Center are among the sources to confirm the existence of W32.Spybot.ZIF, a network-aware bot that propagates by exploiting various Windows vulnerabilities.

According to Symantec, the bot "opens a back door by contacting an IRC server on the domain, through TCP port 6667." More specifically, it reportedly causes a boundary error when the authentication proxy is processing user authentication credentials.

As a result, a remote attacker can perform a number of functions on a compromised computer, some of which include:

  • Scan a specified network range for Cisco routers that may have vulnerable Telnet or HTTP servers running and report results back to IRC.
  • Start and stop threads and processes
  • Retrieve clipboard data
  • Steal passwords from protected storage
  • Perform a denial of service (DoS) attack

    While instances in the wild so far have been few, Symantec classifies the damage and distribution potential as medium. The antivirus vendor has also updated its signatures to prevent users from infection.

    Pedro Bueno, a handler for the Internet Storm Center, said that the bot is actively scanning Telnet port 23 and HTTP port 80, scoping out Cisco routers. "Once it finds some, it will report back to the controller, on an IRC server, from a Botnet," he said.

    Bueno emphasized that the bot is remotely controlled by the botnet owner, and it is not yet clear if routers will be vulnerable to brute-force attacks as a result. Additionally, he said users that have applied all outstanding Windows patches are unlikely to be affected.

    More on this topic

    Showdowns and standoffs: Another ho-hum week for Cisco

    Securing Cisco Routers

    Routing & Switching tips

    Separately, San Jose, Calif.-based Cisco released a patch for Cisco Management Center for IPS Sensors, its software for configuring network IPS devices.

    According to a Cisco advisory, an issue with version 2.1 that generates an error in the Cisco IOS IPS configuration file.

    That error, once the configuration file is deployed to Cisco devices using IOS, can be exploited maliciously to bypass certain security restrictions.

    However, Danish vulnerability clearinghouse Secunia notes that the security issue only affects signatures that were enabled and configured from the IPS MC GUI and using either the STRING.TCP or STRING.UDP signature micro-engine.

    Though Cisco said it has not learned of any public exploit, it has released a software fix for customers running Cisco Management Center for IPS Sensors version 2.1 on Windows and Solaris.

  • Dig Deeper on Network Security Monitoring and Analysis

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.