A mysterious piece of malware affecting Cisco routers appears to have infected equipment in many more countries than initially thought, an internet-wide scan of infected devices by researchers has shown.
Security vendor FireEye this week detailed a router implant it named "SYNful Knock", which modifies device firmware to keep a persistent presence on victims' networks and can be used to install software such as malicious backdoors.
SYNful Knock supports up to 100 modules that are activated through a particular sequence of non-standard, specially crafted TCP packets sent to an infected router. It can be difficult to detect on networks, thanks to the special TCP packets used for pseudo-authentication, the researchers wrote.
Three Cisco routers are known to be targeted by the malware: models 1841, 2811 and 3825.
At first, the FireEye researchers found SYNful Knock in 14 devices in four countries.
However, after conducting a scan of the entire routed IPv4 address space using the University of Michigan's ZMap tool, the researchers found evidence pointing to SYNful Knock infections in 20 countries, with a total of 79 devices affected.
Most of the compromised devices are in the United States, followed by Lebanon with 12 and Russia with 8. No infections in Australia are listed.
It is currently unclear whether all the routers the researchers found are actually running SYNful Knock, or whether some are "honeypot" devices set up to respond to the attackers' sequence of TCP control packets in order to trace their origin.
FireEye has not identified who it believes is behind SYNful Knock, but indicated it was likely a state-sponsored piece of malware.
The security vendor suggested a two-pronged approach to detecting and removing SYNful Knock: checking routers directly where possible, as well as over the network.
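The following is an added illustration of what those two prongs can look like in a defender's tooling; it is not FireEye's detection method and not code from the article. The article does not give the values of the crafted TCP packets, so the network-side prong below is a generic check for TCP flag combinations that never occur in a legitimate handshake, not a SYNful Knock signature. The device-side prong compares a router's image against a baseline of known-good hashes (assumed to come from a trusted source). Every device name, hash and log record here is constructed sample data.

```python
"""Two-pronged router integrity check (added example, constructed data).

Prong 1: compare an image pulled off a router against known-good hashes.
Prong 2: flag TCP segments toward router addresses whose flag combinations
         are non-standard (no legitimate TCP endpoint emits them).
"""
import hashlib
import re

# Prong 1. Baseline of known-good image hashes. Constructed: these are hashes
# of short placeholder byte strings, not of real Cisco IOS images.
KNOWN_GOOD_IMAGES = {
    "c1841-ipbase-mz.bin": hashlib.sha256(b"constructed-good-1841").hexdigest(),
    "c2811-ipbase-mz.bin": hashlib.sha256(b"constructed-good-2811").hexdigest(),
}


def check_image(filename: str, image_bytes: bytes) -> str:
    """Return 'ok', 'MISMATCH' or 'unknown' for an image copied off a device."""
    expected = KNOWN_GOOD_IMAGES.get(filename)
    if expected is None:
        return "unknown"          # no baseline: needs manual verification
    actual = hashlib.sha256(image_bytes).hexdigest()
    return "ok" if actual == expected else "MISMATCH"


# Prong 2. TCP flag bits as they appear in the TCP header.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(flag_str: str) -> int:
    """Turn a flag string such as 'SA' into the numeric flag field."""
    return sum(TCP_FLAGS[ch] for ch in flag_str)


def is_nonstandard(flags: int) -> bool:
    """True for flag combinations that a conforming TCP stack never sends."""
    syn = flags & TCP_FLAGS["S"]
    fin = flags & TCP_FLAGS["F"]
    rst = flags & TCP_FLAGS["R"]
    ack = flags & TCP_FLAGS["A"]
    if flags == 0:                       # "null" segment, no flags at all
        return True
    if syn and (fin or rst):             # SYN combined with FIN or RST
        return True
    if not syn and not rst and not ack:  # every other segment carries ACK
        return True
    return False


# Constructed sample records in the shape "<ts> <src> -> <dst>:<port> flags=<F>".
SAMPLE_LOG = """\
2015-09-15T10:00:01Z 198.51.100.5 -> 192.0.2.1:22 flags=S
2015-09-15T10:00:01Z 192.0.2.1 -> 198.51.100.5:51234 flags=SA
2015-09-15T10:00:02Z 198.51.100.5 -> 192.0.2.1:22 flags=A
2015-09-15T10:00:09Z 203.0.113.7 -> 192.0.2.1:80 flags=SF
2015-09-15T10:00:09Z 203.0.113.7 -> 192.0.2.1:80 flags=
2015-09-15T10:00:10Z 203.0.113.7 -> 192.0.2.1:80 flags=P
2015-09-15T10:00:11Z 203.0.113.7 -> 198.51.100.9:80 flags=SF
"""

RECORD_RE = re.compile(r"(\S+) -> (\S+):(\d+) flags=([FSRPAU]*)")


def find_suspect_segments(log_text: str, router_ips: set) -> list:
    """Return (src, dst, flags) for non-standard segments aimed at router IPs."""
    hits = []
    for line in log_text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue                     # skip lines that are not TCP records
        src, dst, _port, flag_str = m.groups()
        if dst in router_ips and is_nonstandard(parse_flags(flag_str)):
            hits.append((src, dst, flag_str))
    return hits


if __name__ == "__main__":
    print(check_image("c1841-ipbase-mz.bin", b"constructed-good-1841"))
    print(check_image("c1841-ipbase-mz.bin", b"tampered"))
    for hit in find_suspect_segments(SAMPLE_LOG, {"192.0.2.1"}):
        print("suspect segment:", hit)
```

On the constructed log, only the three malformed segments aimed at the router address (SYN+FIN, a null segment and a bare PSH) are reported; the normal three-way handshake and the malformed segment aimed at a non-router host are not. A real deployment would feed flow or packet-capture records in whatever format the sensor emits and keep the hash baseline under change control.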