Router Backdoor Analysis

With access to a router, an attacker can control the network and manipulate and copy traffic as needed. Router implants such as SYNful Knock, a serious and imminent threat, can be difficult to detect and analyze due to their location within the network. A direct analysis of the router image may be critical to mitigate a router-based attack, especially for edge routers positioned outside of network monitoring devices.

This course explains the purpose of the Cisco IOS image format, as well as how to modify the image. It describes how to effectively dissect an IOS image using IDA Pro for static analysis and how to debug a running router for active analysis. Course topics include how to configure and load a router for analysis, and take and analyze core memory dumps.

Learners will perform hands-on analyses of Cisco IOS images using a live router running in a lab environment. Hands-on labs include an opportunity to analyze and determine the function of backdoored router firmware.

Learning Objectives

After completing this course, learners should be able to:

  • Conduct hands-on Cisco IOS malware analysis
  • Understand the MIPS architecture
  • Understand Cisco IOS image formatting and how routers load the images
  • Analyze an IOS image using IDA Pro
  • Identify modifications to a Cisco IOS image and focus analysis efforts
  • Obtain and analyze memory dumps of a running router
  • Perform dynamic analysis on a live system

Who Should Attend

Intermediate-to-advanced malware analysts, information security professionals, forensic investigators and others who need to understand how to overcome difficult and complex challenges in malware analysis.


Intermediate to advanced malware analysis skills, computer programming experience and comfort with IDA Pro.

What to Bring

Laptop with VMware Workstation, Server or Fusion (VMware Player is acceptable, but not recommended), and at least 20 GB of free HDD space. A licensed copy of IDA Pro that supports the MIPS architecture is required; the free version of IDA Pro will not suffice. If purchasing, the IDA Professional Edition is needed.


2 days

Instructor-Led Training Instructor-Led Training

Some courses can be purchased from this site; refer to our public training schedule for more information.

For all other courses, or to arrange a private training session, please contact your FireEye account manager.

Thank you.