September is expected to be a month riddled with malware. We have already seen several banking Trojans, some new and some renewed, and a strong wave of CrySiS/ Troldesh ransomware variants. However, this is far from everything happening on the malicious horizon at the moment. We just wrote about a Twitter-powered botnet compromising Android devices and dropping banking malware. Now we will focus on Linux.PNScan – an old Trojan with an improved version that is currently targeting routers running Linux-based firmware in India.
Research indicates that Linux.PNScan first appeared online in August 2015. That is when security firm Dr.Web disclosed two variants of the malware. Those variants were later detected targeting routers in September.
A Closer Look into Linux.PNScan Malware
According to research carried out by Dr. Web and MalwareMustDie!, the malware is an ELF binary specifically targeting routers on ARM, MIPs, or PowerPC architectures.
In previous attacks, the malware was deployed mostly for DDoS attacks, supporting ACK, SYN, and UDP packet floods. Previous versions of Linux.PNScan also had worm-like capabilities, enabling them to spread to other routers based on Linux firmware.
- Linux.PNScan.1 was deployed in dictionary-based attacks attempting to brute-force other devices.
- Linux.PNScan.2 was only detected to use three username – password combos: root/root; admin/admin; and ubnt/ubnt.
What’s New in Linux.PNScan Later Versions?
According to MalwareMustDie!, the malware has been updated and is now capable of attacking Linux routers running on x86 (i86) architecture, which is more common.
The researcher writes that:
The malware […] is hardcoded to aim [at the] 188.8.131.52/16 segment (located in network area of Telangana and Kashmir region of India), where it was just spotted.
The researcher believes that these new attacks are an evolution of Linux.PNScan.2 because it continues to use only three set of admin credentials when brute-forcing other routers. No dictionary attack has been detected.
In case your router has been infected, you can refer to this router malware removal article for instructions.