
Linux.PNScan Malware Brute-Forces Linux-Based Routers


September is expected to be a month riddled with malware. We have already seen several banking Trojans, some new and some renewed, and a strong wave of CrySiS/Troldesh ransomware variants. However, this is far from everything happening on the malicious horizon at the moment. We just wrote about a Twitter-powered botnet compromising Android devices and dropping banking malware. Now we will focus on Linux.PNScan, an old Trojan whose improved version is currently targeting routers running Linux-based firmware in India.


Research indicates that Linux.PNScan first appeared online in August 2015. That is when security firm Dr.Web disclosed two variants of the malware. Those variants were later detected targeting routers in September.

A Closer Look into Linux.PNScan Malware

According to research carried out by Dr. Web and MalwareMustDie!, the malware is an ELF binary specifically targeting routers on ARM, MIPS, or PowerPC architectures.

In previous attacks, the malware was deployed mostly for DDoS attacks, supporting ACK, SYN, and UDP packet floods. Previous versions of Linux.PNScan also had worm-like capabilities, enabling them to spread to other routers based on Linux firmware.

  • Linux.PNScan.1 was deployed in dictionary-based attacks attempting to brute-force other devices.
  • Linux.PNScan.2 was only detected using three username/password combinations: root/root, admin/admin, and ubnt/ubnt.

What’s New in Later Linux.PNScan Versions?

According to MalwareMustDie!, the malware has been updated and is now capable of attacking Linux routers running on x86 (i86) architecture, which is more common.

The researcher writes that:

The malware […] is hardcoded to aim [at the] segment (located in network area of Telangana and Kashmir region of India), where it was just spotted.

The researcher believes that these new attacks are an evolution of Linux.PNScan.2 because the malware continues to use only the same three sets of admin credentials when brute-forcing other routers. No dictionary attack has been detected.
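The fixed three-credential pattern described above is itself a useful detection signal. The following is an added example (not code from the article or from the researchers it cites) that scans OpenSSH-style failed-login lines and separates sources that try exactly the root/admin/ubnt set within a short window from sources trying a wider dictionary; it assumes syslog-format sshd messages with IPv4 sources, and the log lines are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three default usernames the article attributes to Linux.PNScan.2.
PNSCAN2_USERS = {"root", "admin", "ubnt"}

# Matches OpenSSH failed-login lines (valid or invalid user). Assumption:
# standard syslog layout; adjust for other router firmware log formats.
_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_failed_logins(lines, year=2016):
    """Yield (timestamp, username, source_ip) for each failed SSH login line."""
    for line in lines:
        m = _FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def find_pnscan_like_sources(lines, window_seconds=120):
    """Classify sources: 'fixed_set' tried exactly the three PNScan.2 usernames
    within the window; 'dictionary' tried more usernames than that."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failed_logins(lines):
        by_src[src].append((ts, user))
    fixed_set, dictionary = [], []
    for src, events in by_src.items():
        events.sort()
        users = {u for _, u in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if users == PNSCAN2_USERS and span <= window_seconds:
            fixed_set.append(src)
        elif len(users) > len(PNSCAN2_USERS):
            dictionary.append(src)
    return {"fixed_set": sorted(fixed_set), "dictionary": sorted(dictionary)}

SAMPLE_LOG = [  # constructed sample lines (documentation IP ranges), not real data
    "Sep 10 12:00:01 router sshd[801]: Failed password for root from 203.0.113.5 port 40001 ssh2",
    "Sep 10 12:00:03 router sshd[802]: Failed password for admin from 203.0.113.5 port 40002 ssh2",
    "Sep 10 12:00:05 router sshd[803]: Failed password for invalid user ubnt from 203.0.113.5 port 40003 ssh2",
    "Sep 10 12:01:10 router sshd[804]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "Sep 10 12:01:11 router sshd[805]: Failed password for invalid user pi from 198.51.100.7 port 50002 ssh2",
    "Sep 10 12:01:12 router sshd[806]: Invalid user support from 198.51.100.7 port 50003",
    "Sep 10 12:01:13 router sshd[807]: Failed password for invalid user guest from 198.51.100.7 port 50004 ssh2",
    "Sep 10 12:05:00 router sshd[808]: Failed password for root from 192.0.2.9 port 60001 ssh2",
]
```

A single root-only failure (the last sample line) lands in neither bucket, which keeps ordinary typos from raising an alert.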

In case your router has been infected, you can refer to this router malware removal article for instructions.

Milena Dimitrova
