{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T17:27:23Z","timestamp":1754155643172,"version":"3.41.2"},"reference-count":18,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2013,6,7]],"date-time":"2013-06-07T00:00:00Z","timestamp":1370563200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,6,7]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version\u2010agnostic shellcode is needed in order to make the large\u2010scale exploitation of Cisco IOS possible. The purpose of this paper is to show that such attacks are now feasible by demonstrating two different reliable shellcodes that will operate correctly over many Cisco hardware platforms and all known IOS versions.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The paper examines prior work in the area of Cisco IOS rootkits and constructs a novel IOS version\u2010agnostic rootkit called the interrupt\u2010hijack rootkit.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>As the experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version\u2010agnostic manner.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The authors believe that the technique presented in this paper overcomes an important hurdle in the large\u2010scale, reliable rootkit execution within Cisco IOS. Thus, effective host\u2010based defence for such routers is imperative for maintaining the integrity of our global communication infrastructures.<\/jats:p><\/jats:sec>","DOI":"10.1108\/imcs-09-2012-0046","type":"journal-article","created":{"date-parts":[[2013,7,25]],"date-time":"2013-07-25T14:11:54Z","timestamp":1374761514000},"page":"121-138","source":"Crossref","is-referenced-by-count":1,"title":["Revisiting the myth of Cisco IOS diversity: recent advances in reliable shellcode design"],"prefix":"10.1108","volume":"21","author":[{"given":"Ang","family":"Cui","sequence":"first","affiliation":[]},{"given":"Jatin","family":"Kataria","sequence":"additional","affiliation":[]},{"given":"Salvatore J.","family":"Stolfo","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2022012119504324300_b6","unstructured":"APCMAG.com (2009), \u201cNew worm can infect home modem\/routers\u201d, available at: http:\/\/apcmag.com\/Content.aspx?id=3687."},{"key":"key2022012119504324300_b7","unstructured":"Bollapragada, V., Murphy, C. and White, R. (2000), Inside Cisco IOS Software Architecture, Cisco Press, Indianapolis, IN, Demonstration of Hardware Trojans."},{"key":"key2022012119504324300_b8","unstructured":"Cui, A. (2011), available at: www.hacktory.cs.columbia.edu\/ios\u2010rootkit."},{"key":"key2022012119504324300_b10","doi-asserted-by":"crossref","unstructured":"Cui, A. and Stolfo, S.J. (2010a), \u201cA quantitative analysis of the insecurity of embedded network devices: results of a wide\u2010area scan\u201d, in Gates, C., Franz, M. and McDermott, J.P. (Eds), ACSAC, ACM, New York, NY, pp. 97\u2010106.","DOI":"10.1145\/1920261.1920276"},{"key":"key2022012119504324300_b9","unstructured":"Cui, A. and Stolfo, S.J. (2010b), \u201cGeneric rootkit detection for embedded devices using parasitic embedded machines\u201d, Technical Report, Department of Computer Science, Columbia University, New York, NY."},{"key":"key2022012119504324300_b11","unstructured":"Davis, A. (2007), \u201cCisco IOS FTP server remote exploit\u201d, available at: www.securityfocus.com\/archive\/1\/494868."},{"key":"key2022012119504324300_b5","unstructured":"Dronebl.org (2008), Network Bluepill, available at: www.dronebl.org\/blog\/8."},{"key":"key2022012119504324300_b12","unstructured":"Felix \u201cFX\u201d Linder (2003), \u201cCisco vulnerabilities\u201d, BlackHat USA."},{"key":"key2022012119504324300_b13","unstructured":"Felix \u201cFX\u201d Linder (2009), \u201cCisco IOS router exploitation\u201d, BlackHat USA."},{"key":"key2022012119504324300_b2","unstructured":"FRAK (2012), Firmware Reverse Analysis Konsole, available at: http:\/\/frak.redballoonsecurity.com."},{"key":"key2022012119504324300_b18","unstructured":"Futoransky, A. (2008), \u201cViral infection in Cisco IOS\u201d, BlackHat USA."},{"key":"key2022012119504324300_b1","unstructured":"kaiten.c IRC DDOS Bot (2001), available at: http:\/\/packetstormsecurity.nl\/irc\/kaiten.c."},{"key":"key2022012119504324300_b14","unstructured":"Lynn, M. (2005a), \u201cCisco IOS shellcode\u201d, BlackHat USA."},{"key":"key2022012119504324300_b3","unstructured":"Lynn, M. (2005b), \u201cInjunction against Michael Lynn\u201d, available at: www.infowarrior.org\/users\/rforno\/lynn\u2010cisco.pdf."},{"key":"key2022012119504324300_b15","unstructured":"Muniz, S. (2008), \u201cKilling the myth of Cisco IOS rootkits: DIK\u201d, EUSecWest."},{"key":"key2022012119504324300_b16","unstructured":"Muniz, S. and Ortega, A. (2011), \u201cFuzzing and debugging Cisco IOS\u201d, BlackHat Europe."},{"key":"key2022012119504324300_b4","unstructured":"nicenamecrew.com (2008), \u201cThe end of your internet: malware for home routers\u201d (2008), available at: http:\/\/data.nicenamecrew.com\/papers\/malwareforrouters\/paper.txt."},{"key":"key2022012119504324300_b17","unstructured":"Uppal, V. (2007), \u201cCisco IOS Bind shellcode v1.0\u201d, available at: www.exploit\u2010db.com\/exploits\/13292\/."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-09-2012-0046","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-09-2012-0046\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-09-2012-0046\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:47Z","timestamp":1753393847000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/2\/121-138\/180528"}},"subtitle":[],"editor":[{"given":"Veniamin","family":"Ginodman","sequence":"first","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2013,6,7]]},"references-count":18,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2013,6,7]]}},"alternative-id":["10.1108\/IMCS-09-2012-0046"],"URL":"https:\/\/doi.org\/10.1108\/imcs-09-2012-0046","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,6,7]]}}}