Linux.PNScan Malware Brute-Forces Linux-Based Routers


September is expected to be a month riddled with malware. We have already seen several banking Trojans, some new and some renewed, and a strong wave of CrySiS/Troldesh ransomware variants. However, this is far from everything happening on the malicious horizon at the moment. We just wrote about a Twitter-powered botnet compromising Android devices and dropping banking malware. Now we will focus on Linux.PNScan, an old Trojan whose improved version is currently targeting routers running Linux-based firmware in India.

Related: Linux.Ekoms.1 Trojan Takes Screenshots and Records Audio

Research indicates that Linux.PNScan first appeared online in August 2015. That is when security firm Dr.Web disclosed two variants of the malware. Those variants were later detected targeting routers in September.


A Closer Look into Linux.PNScan Malware

According to research carried out by Dr.Web and MalwareMustDie!, the malware is an ELF binary specifically targeting routers on ARM, MIPS, or PowerPC architectures.

In previous attacks, the malware was deployed mostly for DDoS attacks, supporting ACK, SYN, and UDP packet floods. Previous versions of Linux.PNScan also had worm-like capabilities, enabling them to spread to other routers based on Linux firmware.

  • Linux.PNScan.1 was deployed in dictionary-based attacks attempting to brute-force other devices.
  • Linux.PNScan.2 was only detected using three username/password combinations: root/root, admin/admin, and ubnt/ubnt.

What’s New in Linux.PNScan Later Versions?

According to MalwareMustDie!, the malware has been updated and is now capable of attacking Linux routers running on x86 (i86) architecture, which is more common.

The researcher writes that:

The malware […] is hardcoded to aim [at the] 183.83.0.0/16 segment (located in the network area of the Telangana and Kashmir region of India), where it was just spotted.

The researcher believes that these new attacks are an evolution of Linux.PNScan.2 because the malware continues to use only three sets of admin credentials when brute-forcing other routers. No dictionary attack has been detected.
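The three-credential pattern described above is itself a detection opportunity. The following is an added example (not code from the article or from the researchers it cites) that groups login attempts in OpenSSH-style auth log lines by source address and labels a source as "pnscan-like" when it tries nothing but the root, admin and ubnt accounts, as opposed to a dictionary attacker that sprays many usernames. The log lines are constructed for the example, and the assumption that the router logs in this sshd format is the author's, not the page's.

```python
import re
from collections import defaultdict

# The only three accounts the article says Linux.PNScan.2 tries.
PNSCAN_USERS = {"root", "admin", "ubnt"}

# OpenSSH-style auth line (assumed format), e.g. forwarded from a router's syslog.
AUTH_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log: one PNScan-style source, one dictionary-style source, one stray attempt.
SAMPLE_LOG = """\
Sep  2 10:14:01 gw sshd[812]: Failed password for root from 192.0.2.10 port 41822 ssh2
Sep  2 10:14:02 gw sshd[812]: Failed password for admin from 192.0.2.10 port 41823 ssh2
Sep  2 10:14:03 gw sshd[812]: Accepted password for ubnt from 192.0.2.10 port 41824 ssh2
Sep  2 10:20:11 gw sshd[900]: Failed password for invalid user oracle from 198.51.100.7 port 5001 ssh2
Sep  2 10:20:12 gw sshd[900]: Failed password for root from 198.51.100.7 port 5002 ssh2
Sep  2 10:20:13 gw sshd[900]: Failed password for invalid user pi from 198.51.100.7 port 5003 ssh2
Sep  2 11:00:00 gw sshd[950]: Failed password for root from 203.0.113.4 port 6000 ssh2
"""


def parse_auth_lines(lines):
    """Yield (result, user, src) for every line that matches the auth pattern."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def classify_sources(lines, min_attempts=3):
    """Map each source address to (label, accepted) based on the usernames it tried.

    label is "benign" (too few attempts), "pnscan-like" (only the three fixed
    default accounts, no wider wordlist) or "dictionary" (other usernames seen).
    accepted is True if any attempt from that source succeeded, i.e. a default
    credential was still in place and the device should be treated as compromised.
    """
    attempts = defaultdict(list)
    for result, user, src in parse_auth_lines(lines):
        attempts[src].append((result, user))
    verdicts = {}
    for src, tries in attempts.items():
        users = {u for _, u in tries}
        accepted = any(r == "Accepted" for r, _ in tries)
        if len(tries) < min_attempts:
            label = "benign"
        elif users <= PNSCAN_USERS:
            label = "pnscan-like"
        else:
            label = "dictionary"
        verdicts[src] = (label, accepted)
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(src, verdict)
```

A "pnscan-like" source whose attempt was accepted means the router still had one of the three default logins, so changing the credentials is the first step of cleanup, not an optional hardening measure.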

In case your router has been infected, you can refer to this router malware removal article for instructions.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
