Public rootkit implementations for Cisco IOS have not been seen and system administrators tend to think that this is not possible or that even being possible, a generic method could not be created and that a skilled attacker is needed to target them. We will present DIK (Da Ios rootKit), a real multi-architecture rootkit to show that real threat exist and that advanced IOS forensics are probably not enought to detect it.
No public IOS rootkit implementation has been publicly presented before and the techniques employed here are generic and could be easiy usd to implement other closed-source OS rootkits.
In response, Cisco has released an updated version of its Cisco Security Response: Rootkits on Cisco IOS Devices document.
Abstract from the document:
Cisco has analyzed the available information and recommends following industry best-practices to improve the security of all network devices. Specific recommendations are available in the Additional Information section of this Security Response.
Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports. We would like to thank Mr. Sebastian Muniz and Core Security Technologies for working with us towards the goal of keeping Cisco networks and the Internet, as a whole, secure.
Well, that's a very positive attitude. So don't forget to harden your routers and not only your servers.