
Cisco IOS Rootkit

You may already have read about the Cisco IOS rootkit developed by Sebastian Muniz of CORE Security. EUSecWest did an interview with him about his proof-of-concept rootkit.

Cisco also published a Security Response on the IOS rootkit. It mainly says that no new vulnerability has been found and recommends following best practices to harden network devices; Cisco's guide on hardening its devices can be found here. To install the rootkit an attacker already needs privileged (enable-level) access to the device, so hardening the devices should be sufficient to prevent an IOS rootkit from being installed. Put differently, the rootkit does not get the attacker in; it lets an attacker who already has enable access stay in, which is why the remaining defence is noticing the image change and reload that installing it requires.

Nicolas Fischbach from Colt Telecom posted a review on the cisco-nsp mailing list [c-nsp]; the post can be found here. The whole issue can be summarized with an excerpt from his post:

So what's the impact today? Topo's proof of concept doesn't bypass ACLs (rACLs, VTY ACLs), AAA, etc. [yet], requires enable rights, a new image and a reload (or enable only if you do gdb-on-the-fly patching). In summary it's "noisy" and unless you bought the router on an auction site and/or downloaded IOS from "alternative" sources you should notice (or probably deserve to get owned 🙂
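The "noisy" part of that post, a swapped system image plus a reload, is exactly what a routine baseline check can catch. The script below is an added example and is not code from the original post, from CORE Security or from Cisco: it parses a captured `show version` and `verify /md5` transcript, compares them with a per-device baseline (expected image file and the MD5 Cisco publishes for it), and flags a changed image, a hash mismatch, or a short uptime following a `reload`. The hostname, image file names and hashes are made up, and the `show version`/`verify /md5` wording is modelled on typical IOS output rather than taken from the post, so treat the regexes as assumptions to adjust for your platform.

```python
"""Baseline check for an IOS image swap and reload (added example, not from the post)."""
import re

# Known-good image and the vendor-published MD5 for it, per device.
# Hostname, file name and hash are made up for this example.
BASELINE = {
    "edge-rtr-01": {
        "image": "flash:c2800nm-adventerprisek9-mz.124-15.T.bin",
        "md5": "4d1f2e9b0c7a8f6e5d4c3b2a19081726",
    },
}

# Constructed 'show version' excerpt after a suspicious image change and reload.
SUSPECT_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T, RELEASE SOFTWARE (fc3)
edge-rtr-01 uptime is 1 hour, 12 minutes
System returned to ROM by reload at 02:14:07 UTC Sat Jun 7 2008
System image file is "flash:c2800nm-adventerprisek9-mz.124-15.T-patched.bin"
"""
# Constructed 'verify /md5 flash:<image>' result line from the same box.
SUSPECT_VERIFY = "verify /md5 (flash:c2800nm-adventerprisek9-mz.124-15.T-patched.bin) = a9b8c7d6e5f40312a9b8c7d6e5f40312"

# Constructed transcript of a box that still matches its baseline.
CLEAN_SHOW_VERSION = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(15)T, RELEASE SOFTWARE (fc3)
edge-rtr-01 uptime is 3 weeks, 2 days, 4 hours, 9 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.124-15.T.bin"
"""
CLEAN_VERIFY = "verify /md5 (flash:c2800nm-adventerprisek9-mz.124-15.T.bin) = 4d1f2e9b0c7a8f6e5d4c3b2a19081726"


def parse_show_version(text):
    """Extract the fields that change when an image is swapped and the box reloaded."""
    info = {"image": None, "uptime_minutes": None, "reload_reason": None}
    m = re.search(r'System image file is "([^"]+)"', text)
    if m:
        info["image"] = m.group(1)
    m = re.search(r"uptime is (.+)", text)
    if m:
        scale = {"week": 7 * 24 * 60, "day": 24 * 60, "hour": 60, "minute": 1}
        info["uptime_minutes"] = sum(
            int(n) * scale[unit]
            for n, unit in re.findall(r"(\d+)\s+(week|day|hour|minute)", m.group(1))
        )
    # Reason text ends either at " at <timestamp>" or at end of line.
    m = re.search(r"System returned to ROM by (.+?)(?: at |$)", text, re.M)
    if m:
        info["reload_reason"] = m.group(1).strip()
    return info


def parse_verify_md5(text):
    """Parse 'verify /md5 (<path>) = <hash>' into (path, lowercase hash), or None."""
    m = re.search(r"verify /md5 \(([^)]+)\) = ([0-9a-fA-F]{32})", text)
    return (m.group(1), m.group(2).lower()) if m else None


def audit(hostname, show_version, verify_output, baseline, max_uptime_minutes=24 * 60):
    """Return finding codes for a device; an empty list means it matches its baseline."""
    expected = baseline[hostname]
    sv = parse_show_version(show_version)
    findings = []
    if sv["image"] != expected["image"]:
        findings.append("image-changed")
    verified = parse_verify_md5(verify_output)
    # The hash must be for the image actually booted and match the published value.
    if verified is None or verified[0] != sv["image"] or verified[1] != expected["md5"]:
        findings.append("md5-mismatch")
    recent = sv["uptime_minutes"] is not None and sv["uptime_minutes"] < max_uptime_minutes
    if recent and sv["reload_reason"] and "reload" in sv["reload_reason"]:
        findings.append("recent-reload")
    return findings


if __name__ == "__main__":
    print("suspect:", audit("edge-rtr-01", SUSPECT_SHOW_VERSION, SUSPECT_VERIFY, BASELINE))
    print("clean:  ", audit("edge-rtr-01", CLEAN_SHOW_VERSION, CLEAN_VERIFY, BASELINE))
```

One caveat a practitioner should keep in mind: a hash computed by the device itself is only as trustworthy as the device, so compare it both with the MD5 Cisco publishes for that image and with a hash of a copy of the file pulled off the box to a management host, and feed the reload events into whatever already collects the routers' syslog so the "noisy" step is noticed at the time, not at the next audit.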