Rootkits are very common in most popular operating systems like Windows, Linux and Unix, but they are rarely seen in embedded OSes. This is because embedded OSes are often closed-source, making the reverse engineering process harder than usual. In real life, once an attacker takes control of a system, he or she needs to maintain access to it to install a rootkit. The rootkit seizes control of the entire system by hiding files, processes and network connections -- allowing unauthorized users to act as system administrators.
This presentation demonstrates that a rootkit can be easily created and deployed for a closed-source OS like Cisco IOS, survive most security measures, and run unnoticed by system administrators. The presentation offers different ways to infect a target IOS, such as run-time patching and image binary patching. To present the binary patching technique from a practical point of view, Futoransky offers a set of Python scripts that can insert a generic rootkit implementation called DIK (Da Ios rootKit) -- and it's done in plain C for IOS. Other techniques including run-time image infection are also covered in detail.