Researchers have uncovered active and highly clandestine attacks that have infected more than a dozen Cisco routers with a backdoor that can be used to gain a permanent foothold inside a targeted network.
So far, these infections have hit at least 79 devices in 19 countries, including an ISP in the US that is hosting 25 boxes running the malicious backdoor. The discovery comes from a team of computer scientists who probed the entire IPv4 address space for infected devices. The so-called SYNful Knock router implant is activated after receiving an unusual series of non-compliant network packets, followed by a hardcoded password. By sending only the out-of-sequence TCP packets but not the password to every Internet address and then monitoring the response, the researchers were able to detect which ones were infected by the backdoor.