發現這些被植入的 router 被散佈在四個地區：
Mandiant can confirm the existence of at least 14 such router implants spread across four different countries: Ukraine, Philippines, Mexico, and India.
- Cisco 1841 router
- Cisco 2811 router
- Cisco 3825 router
SYNful Knock is a stealthy modification of the router's firmware image that can be used to maintain persistence within a victim's network. It is customizable and modular in nature and thus can be updated once implanted. Even the presence of the backdoor can be difficult to detect as it uses non-standard packets as a form of pseudo-authentication.
最主要的重點是把記憶體保護機制關閉 (都變成 RW)：
The malware forces all TLB Read and Write attributes to be Read-Write (RW). We believe this change is made to support the hooking of IOS functions by loaded modules.
文後也有提到 Cisco 的文章，如何 dump image 分析：「Offline Analysis of IOS Image Integrity」。