Cisco’s security response team has published a must-read document confirming that stealthy malware can be loaded into IOS, the software that runs the vast majority of its routers and network switches.
It is possible that an attacker could insert malicious code into a Cisco IOS software image and load it onto a Cisco device that supports that image. This attack scenario could occur on any device that uses a form of software, given a proper set of circumstances.
The company’s confirmation follows a technical discussion by Core Security researcher Sebastian Muniz of “Da IOS Rootkit,” which is essentially a binary modification of the IOS image: the image is pulled off the device, patched, and loaded back onto it.
The main feature of Da IOS Rootkit is the universal password. Every call to the different password validation routines grants access to the user if the unique rootkit password is specified. This is what will be in the public release. Other features such as hiding files, processes and connections will not be included. The core of the rootkit code is written in plain C instead of assembly. It doesn’t persist through upgrades yet, but future versions probably will.
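To make the universal-password mechanism concrete, here is an added example written for this page; it is not Cisco code and not Muniz’s rootkit. It models an image’s password validators (enable, login, vty) as a dispatch table, then shows a patch that wraps every validator so a hypothetical universal password (the string and all function names are assumptions) is accepted while legitimate passwords keep working. It also shows the check a practitioner wants: a digest of the unpatched “image” recorded from a known-good copy no longer matches once the table has been patched.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for an IOS image's password validation routines.
 * Hypothetical names; nothing here is Cisco's code. */
enum { SVC_ENABLE = 0, SVC_LOGIN, SVC_VTY, SVC_COUNT };

typedef int (*pw_check_fn)(int svc, const char *stored, const char *supplied);

static int enable_check(int svc, const char *stored, const char *supplied) {
    (void)svc;
    return strcmp(stored, supplied) == 0;
}
static int login_check(int svc, const char *stored, const char *supplied) {
    (void)svc;
    return strcmp(stored, supplied) == 0;
}
static int vty_check(int svc, const char *stored, const char *supplied) {
    (void)svc;
    return strcmp(stored, supplied) == 0;
}

/* Dispatch table: the part of the "image" the rootkit patches. */
static pw_check_fn validators[SVC_COUNT] = { enable_check, login_check, vty_check };
static pw_check_fn saved[SVC_COUNT];      /* originals, kept by the hook */
static int rootkit_installed = 0;

/* Normal entry point every service calls to validate a credential. */
int authenticate(int svc, const char *stored, const char *supplied) {
    if (svc < 0 || svc >= SVC_COUNT) return 0;
    return validators[svc](svc, stored, supplied);
}

/* Hypothetical universal password (assumption for the example). */
#define UNIVERSAL_PASSWORD "hypothetical-rootkit-pw"

/* The hook: grant access on the universal password, otherwise fall
 * through to the original validator so nothing visibly changes. */
static int universal_hook(int svc, const char *stored, const char *supplied) {
    if (strcmp(supplied, UNIVERSAL_PASSWORD) == 0) return 1;   /* backdoor */
    return saved[svc](svc, stored, supplied);                   /* normal path */
}

/* Patch every validator entry at once, mirroring "every call to the
 * different password validation routines". */
void install_rootkit(void) {
    if (rootkit_installed) return;
    for (int i = 0; i < SVC_COUNT; i++) {
        saved[i] = validators[i];
        validators[i] = universal_hook;
    }
    rootkit_installed = 1;
}

void remove_rootkit(void) {
    if (!rootkit_installed) return;
    for (int i = 0; i < SVC_COUNT; i++) validators[i] = saved[i];
    rootkit_installed = 0;
}

/* FNV-1a 64-bit over the dispatch table: a toy stand-in for hashing
 * the whole image file. Any patched entry changes the digest. */
uint64_t image_digest(void) {
    uint64_t h = 0xcbf29ce484222325ULL;
    const unsigned char *p = (const unsigned char *)validators;
    for (size_t i = 0; i < sizeof validators; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t known_good_digest;

/* Record the digest of the pristine image (done from a trusted copy). */
void record_known_good(void) { known_good_digest = image_digest(); }

/* The integrity check: does the image still match the known-good value? */
int image_intact(void) { return image_digest() == known_good_digest; }

int main(void) {
    record_known_good();
    printf("clean  : enable w/ universal pw -> %d, intact=%d\n",
           authenticate(SVC_ENABLE, "s3cret", UNIVERSAL_PASSWORD), image_intact());
    install_rootkit();
    printf("patched: enable w/ universal pw -> %d, real pw -> %d, intact=%d\n",
           authenticate(SVC_ENABLE, "s3cret", UNIVERSAL_PASSWORD),
           authenticate(SVC_LOGIN, "s3cret", "s3cret"), image_intact());
    printf("digest now %016" PRIx64 "\n", image_digest());
    return 0;
}
```

The detection point is the one that matters in practice: a patched image still authenticates every real password, so behaviour alone gives nothing away, but its hash no longer matches the vendor’s published value. Compute that hash from a copy of the image taken off the box, not with a tool running on the possibly-rootkitted device itself.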