Cisco tool for SYNful Knock

It appears that SYNful Knock is still a matter of interest to serious computing professionals as I am getting hits referred from Google on my website searching for information on it.

Cisco, via their Talos Intel group, have released a tool to scan routers for the presence of SYNful Knock.

The tool will only scan for signatures of a specific instance of SYNful Knock.

From the Talos download page :-

"This tool can only detect hosts responding to the malware “knock” as it is known at a particular point in time."

As far as I know, the tool only works on Linux.

You will require tcpdump.

You will require Scapy from SecDev.

You will require Python 2.7.

You could use Docker.

Please download the tool HERE.

PLEASE READ THE README.TXT FILE WHICH ACCOMPANIES THE TOOL.

Good luck.


Other links

http://www.theregister.co.uk/2015/09/25/cisco_tool_ids_malware_in_the_firmware/

=================================================================

From the README.txt which accompanies the .tgz

=================================================================

synknockscan
============

Scans devices and networks for routers answering the SYNful Knock malware.

Note that this tool can only detect hosts responding to the malware “knock”
as it is known at a particular point in time. This tool can be used to
help detect and triage known compromises of infrastructure, but it can
not establish that your network does not have malware that might have
evolved to use a different set of signatures.

Installation
------------
The scan tool depends on python 2.7 along with the
`scapy` <http://www.secdev.org/projects/scapy/> packet manipulation
library. Scapy has minimal system dependencies, but it does
perform better when the `tcpdump` utility is installed.

Scapy version 2.3.1 was used and tested during development. Older versions
(such as those found in distribution’s package repositories) may also work.

### Debian / Ubuntu

$ sudo apt-get install python2.7 tcpdump
$ sudo pip install scapy==2.3.1

The tool works fine within a virtualenv as well.

### Docker
The script has been tested to run well within a docker (http://docker.io)
container. Included in the source distribution is a Dockerfile for building
your own container. You will also be able to run the script straight off the
docker image registry.

The image utilizes the scan script as the container entrypoint, meaning
invocation is as simple as:

# docker run --rm synknockscan -v TARGETS

The tool is unable to receive a target list over standard input when
launched through docker, so if you have a list of targets, specify the
list as a docker volume:

# docker run --rm -v PATH_OF_TARGETLIST:/tmp/targets synknockscan -v --scan-file /tmp/targets

Usage
-----
The tool uses raw packets injected on the interface and reads custom
crafted packets. Consequently, it will likely need to be run as `root`.

Provide a list of networks (either individual IPs or netblocks with
CIDR network prefix lengths) on the command line as parameters, or in a
whitespace separated file (specified via the --scan-file option).

The -v option can be used to enable more detailed status updates. Without -v,
only hosts that are responding to the SYNful Knock will be emitted to stdout.
With -v, more detail is provided on how the replies failed to match the knock
handshake. It is possible that when running with -v, you will see packets that
are unrelated to the SYNful Knock scan being processed. This is not a cause for
alarm. These packets are likely just background network traffic that were
analyzed by the response listener.

If you are scanning from a multi-homed host, the packets should originate from the
interface associated with the first default route. If you’d like to specify an
alternate interface to utilize, use --iface.
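The Docker and Usage sections above describe two constraints worth scripting around: the container cannot read targets from standard input, and the target list must be plain IPs or CIDR netblocks. The wrapper below is an added example, not part of the synknockscan distribution; it assumes the image is tagged `synknockscan` as in the README and that `docker` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the synknockscan distribution): validate a target
# list locally, then hand it to the container as a read-only volume, because
# the tool cannot take targets on stdin when launched through docker.
set -eu

# Loose check for an IPv4 address or netblock with a CIDR prefix length
# (e.g. 192.0.2.1 or 10.0.0.0/8); octet ranges are not validated.
is_target() {
    printf '%s\n' "$1" | grep -Eq \
        '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Validate a whitespace separated target file (the --scan-file format).
# Reports malformed entries on stderr; returns 1 if any were found, else 0.
validate_targets() {
    rc=0
    for t in $(cat "$1"); do
        is_target "$t" || { echo "bad target: $t" >&2; rc=1; }
    done
    return $rc
}

# Run the scan via docker with the target file mounted at /tmp/targets.
# Raw packet injection means this is run as root; extra arguments such as
# -v or --iface IFACE are passed straight through to the scanner.
run_scan() {
    file=$1; shift
    validate_targets "$file"
    abs="$(cd "$(dirname "$file")" && pwd)/$(basename "$file")"
    docker run --rm -v "$abs:/tmp/targets:ro" \
        synknockscan --scan-file /tmp/targets "$@"
}
```

Invoke as `run_scan targets.txt -v` after sourcing the script; without `-v` only hosts answering the knock are printed, as the README states.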

Reference
---------
http://blogs.cisco.com/talos/synful-scanner
http://tools.cisco.com/security/center/viewAlert.x?alertId=40411
http://blogs.cisco.com/security/synful-knock
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html

PSIRT Notification
------------------
Cisco Product Security Incident Response Team (PSIRT)

The Cisco Product Security Incident Response Team is a dedicated, global
team that manages the receipt, investigation, and public reporting
of security vulnerability information related to Cisco products and
networks. Cisco PSIRT provides security advisories, security responses,
and security notices. The PSIRT team is available around the clock
to identify possible security issues in Cisco products and networks.

For immediate emergency assistance, contact the 24 hour a day PSIRT
dedicated hotline at 877 228-7302 or 408 525-6532. For emergency
assistance on this issue via e-mail, contact psirt@cisco.com and
reference SYNful Knock in the Subject line.

To receive non-emergency assistance or report suspected security-related
issues with Cisco products, contact psirt@cisco.com.

11 comments for “Cisco tool for SYNful Knock”

  1. Mercy
    September 30, 2015 at 10:58 pm

    I am interested in the statement “SYNful Knock scanner can be used to help detect and triage known compromises of infrastructure. Upon successful detection of the “knock” on your network, the Synful Knock Scanner will provide further instructions.” What is the difference between Malware Protection Life and Synful Knock scanner?

    • moses
      September 30, 2015 at 11:19 pm

      The SYNful Knock scanner is a malware specific scanner.

      I am not sure what “Malware Protection Life” is.

  2. Mercy
    October 1, 2015 at 1:09 am

    It seems that Malware Protection Live is used to beat spies that log your keystrokes, steal your passwords, harvest your address book, observe where you go on the Internet, report sensitive data to distant servers, or even wipe or encrypt your data.
    source – https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    • moses
      October 1, 2015 at 1:53 am

      The link you provided does not mention any product called “Malware Protection Live”.

      The link only provides a standard description of different types of malware found on PCs running Windows and some company marketing literature.

      From what I can see, it is just about a company trying to sell products which compete in the same space as Kaspersky, Symantec, Trend Micro, etc.

      The SYNful Knock scanner only looks for one specific malicious “program” – SYNful Knock, and nothing else.

  3. Mercy
    October 1, 2015 at 1:46 pm

    How does SYNful knock affect computer system?
    I intend to remove the Malware Protection Live in my computer
    source- http://xxxxxxxxxxxxxxxxxxxxxxxxxx

    • moses
      October 1, 2015 at 2:21 pm

      SYNful Knock does not work on PCs.

      I think I am beginning to understand your questions on Malware Protection Live.

      I am guessing that you have got it installed on your computer and you did not know what it is, right?

      I have removed the link you posted because I do not consider it useful, sorry. 🙁

      If you read the link, it merely says two things:-

      1/ malware is useless
      2/ use Malwarebytes which I know I have installed on your laptop.

      Pls do run Malwarebytes regularly and do not install software which you do not know what it is.

      If you wish to post computing links try to post links from reputable sites like Microsoft, HP, Dell, Symantec, etc.

      You will notice that virtually all the technical links I have posted refer to quality sites, e.g. Cisco, News Ltd, ArsTechnica, etc.

      This enhances the information I post to my readers.

      Thus in the case of Malware Protection Live, you could perhaps post something from Symantec or Trend Micro.

  4. Mercy
    October 2, 2015 at 12:49 am

    Thanks for your explanation and your help. YouTube provides the tips to uninstall the Malware Protection Live 🙂 I don’t know why it installed and appeared at my taskbar 🙁
    I am scared by all the negative information by different links.

  5. Mercy
    October 2, 2015 at 2:24 pm

    In my opinion, when some software exists, opposite parties will merge. The opposite parties will propose some tips for removal of the software by using their new software. The IT world is full of unseen competition.

    • moses
      October 2, 2015 at 2:31 pm

      “…IT world is full of unseen competition…”

      Welcome to l33t computing. 🙂

  6. Mercy
    October 2, 2015 at 2:58 pm

    A joke about 133t computing:

    “Dude, I downloaded a 10GB file in 10 minutes with my 100/100 line.”
    “Dude, that’s so 1337”
    “Yeah, and I hacked into my college network and changed my grades into A and Bs.”
    “OMG, you’re 5up3r 1337 h4x0r.”

    5up3r=super elite/ really smart Techie
    1337=corruption of elite
    h4x0r=hacker

    Maybe Moses can do more research on 133t computing. It is a different world from what we can see. The more it comes, the more we get lost in the forest and cannot find the way out.

    • moses
      October 2, 2015 at 3:10 pm

      “..we get lost in the forest and can not find the way out…”

      Most phones have GPS now 🙂
