Router Backdoor Analysis

FLARE Team of Mandiant, A FireEye Company | July 22-23 & July 24-25


Routers play a critical role in the security of any network. With access to a router, an attacker has complete control of the network to manipulate and copy traffic as needed. And as seen with the SYNful Knock router implant this is a serious and imminent threat. Router implants can also be difficult to detect and analyze due to their location within the network. For edge routers positioned outside of network monitoring devices, a direct analysis of the image may be the only option to obtain the critical information to mitigate the compromise.

Students will learn to analyze Cisco IOS images by performing hands-on analysis using a live router running in a lab environment. They will learn how to configure and load a router for analysis. They'll take and analyze core memory dumps. Students will gain an understanding of the Cisco IOS image format to focus on what modifications were made to an image and for what purpose. Students will learn how to effectively dissect an IOS image using IDA Pro for static analysis and how to debug a running router for active analysis.
Students will perform a final lab that involves analyzing backdoored router firmware to determine its functionality.

What You Will Learn:

  • Hands-on Cisco IOS malware analysis
  • Familiarization of the MIPS architecture
  • Format of Cisco IOS image and how the image is loaded by the router
  • How to analyze an IOS image using IDA Pro
  • How to identify modifications to an Cisco IOS image and focus analysis efforts
  • How to obtain and analyze memory dumps of running router
  • How to perform dynamic analysis on a live system

Who Should Take this Course

Few malware analysts have the skills taught in this class, so any malware analyst could benefit, but this course is geared towards intermediate to advanced malware analysts comfortable using IDA Pro.

Student Requirements

Experience in malware analysis
Experience using IDA Pro
Computer programming experience

What Students Should Bring

Students will be provided a router for use in the classroom.

Students must bring their own laptop with VMware Workstation, Server or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

A licensed copy of IDA Pro is required that supports the MIPS architecture. The free version of IDA Pro will not suffice for this class. If purchasing you'll need IDA Professional Edition.

What Students Will Be Provided With

Student manual
Class handouts
Mandiant/FireEye gear


Instructors will be determined and bios will be provided as we near the event; however, they will be from the pool of seasoned instructors we use year after year.