I was talking to Nico Fischbach about the IOS rootkit during PH-Neutral 0x7d8 while drinking some beer... A while after that, he sent me an email with a summary of the rootkit stuff and all the noise around it. The mail was sent to some mailing lists such as Full Disclosure, and here is a link to it for those who didn't have the chance to read it.
The email is a good overview of the rootkit PoC and takes into consideration lots of security measures to detect an attack vector like image binary modification... but what if the same technique (searching for strings to locate important functions) is applied on-the-fly, or by shellcode?
He mentions that TCL scripts can be easily detected in the startup/running configuration, but what if the functions that read the startup file and display the running processes are themselves manipulated?
I don't want to start enumerating counter-measures to the detection measures, because this is the same as the virus/AV race, where one side creates a new way to infect a machine and the other creates a new way to detect it, and so on. Besides, Nico is right that it is 'noisy' to perform that kind of rootkit deployment, but as said before, what if this is performed using shellcode via a remote exploit?
Don't get me wrong, I really liked what Nico wrote, but I just want to say that there is always a way to enhance 'things' to bypass security, right?
Another important thing is to follow Cisco's security guidelines... just in case, because you never know if some inside user gets pissed off and installs it before leaving the company? :/