Cisco Event Response: SYNful Knock Malware

Threat Summary
Last Updated: October 09, 2015

On Tuesday, September 15, Cisco and Mandiant/FireEye publicly disclosed information related to a type of persistent malware named SYNful Knock.

Mandiant/FireEye published two blog posts titled SYNful Knock - A Cisco router implant - Part I and SYNful Knock - A Cisco router implant - Part II. Cisco posted the following blog: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks.

Cisco will provide additional updates on this Event Response Page as they become available.

What is SYNful Knock?

SYNful Knock is a type of persistent malware that allows an attacker to gain control of a device and compromise its integrity with a modified Cisco IOS Software image. The malware has different modules that are enabled via the HTTP protocol (not HTTPS) and controlled by crafted TCP packets sent to the device.

The Cisco Product Security Incident Response Team (PSIRT) worked with Mandiant and determined that no product vulnerabilities are used in this attack, and that an attacker requires valid administrative credentials or physical access to the device for a successful compromise.

Mandiant’s research focuses on a specific example of malicious software. However, Cisco believes that SYNful Knock is an example of an evolution of attacks against networking devices. Attackers are no longer focusing just on disruption, but on persistent attacks achieved through compromised credentials. A previous security bulletin for our customers about this evolution was posted on August 11, 2015: Evolution in Attacks Against Cisco IOS Software Platforms.

Detecting SYNful Knock

To coincide with the public disclosure of SYNful Knock, Cisco Talos published Snort Rule SID:36054 (in the malware-cnc.rules policy) to help detect devices manifesting related behaviors.
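
A practical first check once a rule like this is published is whether it is actually present and enabled in the ruleset a sensor loads. The helper below is an added example written for this page, not code from Cisco or Talos: it parses a Snort-format rules file, locates a rule by its SID, and reports whether it is missing, disabled (commented out with a leading '#') or enabled, along with its revision. The embedded sample rules file is constructed for the example; the rule bodies are placeholders and do not reproduce the real SID 36054 signature.

```python
import re
import sys
from typing import Optional

# Constructed sample of a malware-cnc.rules file. Rule bodies are placeholders
# for this example only, not the real signature text of SID 36054.
SAMPLE_RULES = """\
# malware-cnc.rules (constructed sample)
# alert tcp any any -> $HOME_NET any (msg:"PLACEHOLDER disabled rule"; sid:36053; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"PLACEHOLDER SYNful Knock check"; sid:36054; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"PLACEHOLDER unrelated rule"; sid:36055; rev:2;)
"""

# Snort options are "key:value;" pairs; allow optional whitespace around ':'.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_REV_RE = re.compile(r"\brev\s*:\s*(\d+)\s*;")


def find_rule(rules_text: str, sid: int) -> Optional[dict]:
    """Return {"enabled": bool, "rev": int | None, "line": str} for the rule
    carrying the given SID, or None when no such rule appears in the file."""
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A leading '#' marks a disabled rule (or a plain comment). Strip it
        # before parsing so disabled rules are still found and reported.
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        m = _SID_RE.search(body)
        if not m or int(m.group(1)) != sid:
            continue
        rev = _REV_RE.search(body)
        return {
            "enabled": enabled,
            "rev": int(rev.group(1)) if rev else None,
            "line": body,
        }
    return None


def check_rule_present(rules_text: str, sid: int) -> str:
    """Summarise the state of one SID as 'missing', 'disabled' or 'enabled'."""
    rule = find_rule(rules_text, sid)
    if rule is None:
        return "missing"
    return "enabled" if rule["enabled"] else "disabled"


if __name__ == "__main__":
    # Usage: python check_sid.py [path/to/malware-cnc.rules] [sid]
    # Without arguments the constructed sample above is checked for SID 36054.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    target_sid = int(sys.argv[2]) if len(sys.argv) > 2 else 36054
    text = open(path, encoding="utf-8").read() if path else SAMPLE_RULES
    state = check_rule_present(text, target_sid)
    rule = find_rule(text, target_sid)
    rev = rule["rev"] if rule else None
    print(f"SID {target_sid}: {state}" + (f" (rev {rev})" if rev is not None else ""))
```

Run it against the real rules file the sensor loads rather than the sample; a "disabled" result is worth as much attention as "missing", since a rule shipped in a policy can still be commented out by local tuning.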

Cisco Contacts

If you have additional questions about SYNful Knock, including how Cisco can help with detection and remediation, we recommend speaking with your Cisco account manager.

If you are experiencing technical challenges and require support, we recommend contacting the Cisco Technical Assistance Center (TAC).

If you would like to report a security concern with a Cisco product, please contact Cisco PSIRT.

Questions from members of the press can be sent to