On This Page

Router Backdoor Analysis

The FLARE Team of Mandiant, A FireEye Company | July 30-31 & August 1-2


Routers play a critical role in the security of any network. With access to a router, an attacker has complete control of the network to manipulate and copy traffic as needed. And as seen with the SYNful Knock router implant this is a serious and imminent threat. Router implants can also be difficult to detect and analyze due to their location within the network. For edge routers positioned outside of network monitoring devices, a direct analysis of the image may be the only option to obtain the critical information to mitigate the compromise.

Students will learn to analyze Cisco IOS images by performing hands-on analysis using a live router running in a lab environment. They will learn how to configure and load a router for analysis. They'll take and analyze core memory dumps. Students will gain an understanding of the Cisco IOS image format to focus on what modifications were made to an image and for what purpose. Students will learn how to effectively dissect an IOS image using IDA Pro for static analysis and how to debug a running router for active analysis.
Students will perform a final lab that involves analyzing backdoored router firmware to determine its functionality.

What You Will Learn:

  • Hands-on Cisco IOS malware analysis
  • Familiarization of the MIPS architecture
  • Format of Cisco IOS image and how the image is loaded by the router
  • How to analyze an IOS image using IDA Pro
  • How to identify modifications to an Cisco IOS image and focus analysis efforts
  • How to obtain and analyze memory dumps of running router
  • How to perform dynamic analysis on a live system

Who Should Take this Course

Few malware analysts have the skills taught in this class, so any malware analyst could benefit, but this course is geared towards intermediate to advanced malware analysts comfortable using IDA Pro.

Student Requirements

  • Experience in malware analysis
  • Experience using IDA Pro
  • Computer programming experience

What Students Should Bring

  • Students will be provided a router for use in the classroom.

  • Students must bring their own laptop with VMware Workstation, Server or Fusion installed (VMware Player is acceptable, but not recommended). Laptops should have at least 20GB of free space.

  • A licensed copy of IDA Pro is required that supports the MIPS architecture. The free version of IDA Pro will not suffice for this class. If purchasing you'll need IDA Professional Edition.

What Students Will Be Provided With

  • Student manual
  • Class handouts
  • Mandiant/FireEye gear


Joshua Homan is currently a member of the FireEye Labs Advanced Reverse Engineering team (FLARE) where he provides reverse engineering support to active incident response engagements and intelligence analysis efforts. Josh contributed to the SYNFul Knock white paper that covers a backdoor for Cisco router firmware. Previous experience includes incident response for a fortune 500 company and a security analyst for the DoD. Josh earned a M.S. in Computer Science from the University of West Florida.

Matthew Williams is a Senior Reverse Engineer on the FireEye Labs Advanced Reverse Engineering Team (FLARE) team. Prior to joining the FLARE team, he was the Principal Malware Analyst and Incident Responder for a Department of Defense (DoD) SOC. After earning his B.S. in Computer Science, Matt also spent time at the National White Collar Crime Center (NW3C) developing and delivering digital forensics training to law enforcement agencies nationwide.

William Ballenthin is a reverse engineer on FireEye's FLARE team. He enjoys researching novel forensic analysis techniques for incident responders and developing tools in Python. Recently William has worked on function similarity metrics, file system drivers, and Android malware. Prior to six years at Mandiant/FireEye, he studied at Columbia University and earned a degree in Computer Science.