Cisco Event Response: SYNful Knock Malware

Threat Summary

Last Updated, October 09, 2015

On Tuesday, September 15, Cisco and Mandiant/FireEye publicly disclosed information related to a type of persistent malware named SYNful Knock.

Mandiant/FireEye published two blog posts titled SYNful Knock - A Cisco router implant - Part I and SYNful Knock - A Cisco router implant - Part II. Cisco posted the following blog: SYNful Knock: Detecting and Mitigating Cisco IOS Software Attacks.

Cisco will provide additional updates on this Event Response Page as they become available.

What is SYNful Knock?

SYNful Knock is a type of persistent malware that allows an attacker to gain control of a device and compromise its integrity with a modified Cisco IOS Software image. The malware has different modules that are enabled via the HTTP protocol (not HTTPS) and controlled by crafted TCP packets sent to the device.

The Cisco Product Security Incident Response Team (PSIRT) worked with Mandiant and determined that no product vulnerabilities are used in this attack, and that an attacker requires valid administrative credentials or physical access to the device for a successful compromise.

Mandiantís research focuses on a specific example of malicious software. However, Cisco believes that SYNful Knock is an example of an evolution of attacks against networking devices. Attackers are no longer focusing just on disruption, but on persistent attacks achieved through compromised credentials. A previous security bulletin for our customers about this evolution was posted on August 11, 2015: Evolution in Attacks Against Cisco IOS Software Platforms.

Detecting SYNful Knock

To coincide with the public disclosure of SYNful Knock, Cisco Talos published Snort Rule SID:36054 (in the malware-cnc.rules policy) to help detect devices manifesting related behaviors.

Cisco Security Content

The following content has been published specifically to address the SYNful Knock malware. Additional content will be provided as it becomes available.

Blogs and Multimedia

Technical Assessments

Best Practices and Technical Guidance

Product Integrity and Trust

Additional Security Content

Shadowserver Blog Post: SYNful Knock New


Cisco Contacts

If you have additional questions about SYNful Knock, including how Cisco can help with detection and remediation, we recommend speaking with your Cisco account manager.

If you are experiencing technical challenges and require support, we recommend contacting the Cisco Technical Assistance Center (TAC).

If you would like to report a security concern with a Cisco product, please contact Cisco PSIRT.

Questions from members of the press can be sent to


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Back to Top