The highly clandestine attacks hitting Cisco Systems routers are much more active than previously reported. Infections have hit at least 79 devices in 19 countries, including an ISP in the US that's hosting 25 boxes running the malicious backdoor.

That discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. As Ars reported Tuesday, the so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.

The implant is fingerprintable and we are able to scan for infected servers without invoking the vulnerability by modifying ZMap to send the specially crafted TCP SYN packets. We completed four scans of the public IPv4 address space on September 15, 2015 and found 79 hosts displaying behavior consistent with the SYNful Knock implant. These routers belong to a range of institutions in 19 countries. We have found no immediate pattern in the organizations affected, but note a surprising number of routers in Africa and Asia (compared to IP allocations). We note that the 25 hosts in the United States belong to a single Internet service provider on the East Coast, and that the hosts in both Germany and Lebanon belong to a single satellite provider that provides coverage to Africa.

Security firm FireEye surprised the security world on Tuesday when it first reported the active outbreak of SYNful Knock. The implant is precisely the same size as the legitimate Cisco router image, and it's loaded each time the router is restarted. It supports up to 100 modules that attackers can tailor to the specific target. FireEye found it on 14 servers in India, Mexico, the Philippines, and Ukraine. The finding was significant, because it showed an attack that had long been theorized was in fact being actively used. The new research shows it's being used much more widely, and it's been found in countries including the US, Canada, the UK, Germany, and China. The researchers wrote:

The results are summarized in the graph at the top of this post. They came as researchers from FireEye posted a detailed blog post explaining how to detect and remove SYNful Knock infections.

The researchers conducted four scans on Tuesday using the Internet scanner known as ZMap. After configuring it to send each address packets with the number set to 0xC123D and the acknowledgement number set to zero, they watched for responses where the sequence number is set to zero, the urgent flag is unset, and the urgent pointer is set to 0x0001.

"We do not respond with an ACK packet, and instead sent a RST, closing the connection. This does not exploit the vulnerability, attempt a login, or complete the handshake," the researchers said. "However, this does allow us to discern implanted from non-implanted routers, since a non-implanted router should not set the urgent pointer, and has only a 1 in 232 chance of selecting zero as the sequence number."

What is clear now is the SYNful Knock is a professionally developed and fully featured backdoor device that almost certainly is actively infecting many more devices than previously seen by FireEye. It's plausible some of the devices the scientists witnessed were honeypots, that is, routers intentionally infected by whitehat researchers who are looking for clues about who's behind the attacks and how they operate. Still, it seems unlikely that all 79 of the devices are decoys. Ars has asked FireEye officials to comment on this possibility and will update this post if we receive a response.

As FireEye reported Tuesday, there's no evidence SYNful Knock is exploiting a vulnerability in any Cisco device. Rather, the unknown attackers behind the implant—who FireEye executives say are probably state-sponsored—appear to be taking advantage of routers that use passwords that are factory default or are somehow otherwise known. The researchers said it wouldn't be surprising if networking gear from other manufacturers are being infected with a similar backdoor. So far, there's no evidence of infections hitting devices from other manufacturers, but with additional Internet scans, researchers may find data proving that theory correct.