Pierluigi Paganini August 25, 2016

The Linux Trojan Linux.PNScan is back and it is actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

Yesterday I wrote about a new Linux Trojan dubbed Linux.Rex.1, a new Linux malware that is capable of self-spreading and creating a peer-to-peer botnet, now experts from Malware Must Die discovered a new strain of malware that emerged more than a year ago.

The Linux Trojan is Linux.PNScan, it was first spotted last year when it was used to infect devices based on ARM, MIPS, or PowerPC architectures.

Now the threat was discovered in the wild actively targeting routers based on x86 Linux in an attempt to install backdoors on them.

“As per shown in title, it’s a known ELF malware threat, could be a latest variant of “Linux/PnScan”, found in platform x86-32 that it seems run around the web within infected nodes before it came to my our hand. This worm is more aiming embed platform and I am a bit surprised to find i86 binary is hitting some Linux boxes.” states the analysis published by Malware Must Die! 

“This threat came to MalwareMustDie ELF team task before and I posted analysis in Mon Sep 28, 2015 on kernelmode [link] along with its details and threat, I thought the threat is becoming inactive now and it looks like I’m wrong, as the malware works still in infection now as worm functions and is hardcoded to aim 183.83.0.0 / 16 segment (located in network area of Telangana and Kashmir region of India), where it was just spotted. Since I never write about this threat in this blog (except kernelmode), it will be good to raise awareness to an active working and alive worm.”

The new strain of Linux.PNScan.2, unlike the original variant Linux.PNScan.1, which attempted to brute force router login using a special dictionary, the new threat targets specific IP addresses and attempts to establish an SSH connection by using the following credentials:combinations:

• root;root;
• admin;admin;
• ubnt;ubnt.

The new Linux.PNScan.2 was compiled on compatibility of GCC(GNU) 4.1.x via the compiler tool Toolchains with cross compiler option for i686 using the SSL enabled configuration.

When the threat infects a device, it will fork its process 4 times, creating certain files on the infected system, daemonizing and listening to 2 TCP ports, targeting hardcoded IPs, and sending HTTP/1.1 requests via SSL to twitter.com on port 443 to hide its malicious traffic.

As its predecessor, also this variant can brute forcing logins.

The malware researchers who analyzed the threat suggest it might be of Russian origin.

“I guess this happened from 6 months ago until now, and the hacker is sitting there in Russia network for accessing any accessible infected nodes.” continues the analysis.

The experts from Malware Must Die! also published a list of infection symptoms, routers have specific processes running in the initial stage of the infection, the launched attack can be seen in the network connectivity, each connected target is logged in the “list2” file and the brute list is traced in file “login2.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Linux malware, Linux.PNScan)