A new variant of the Linux.PNScan Linux Trojan has been discovered. It targets embedded systems in India and installs backdoors upon success. It has advanced features in comparison to the first iteration and experts suspect that it might be of Russian origin.
The New Variant of Linux.PNScan Targets Linux Embedded Systems
The Linux.PNScan Trojan was discovered by security researchers last year, when it mainly targeted machines running on the ARM, MIPS, and PowerPC architectures. A new variant of the malware has been identified that now attacks x86 Linux systems. According to the reports, embedded platforms such as home routers are the main focus. Most of the intrusion attempts and campaigns have been localized in the Kashmir and Telangana regions of India.
Unlike the original version of the malware, which used dictionary attacks, the new variant targets specific IP addresses of victim devices and attempts to connect via the SSH protocol. The Trojan attempts to log in to the target machines with the following username;password combinations: root;root, admin;admin, or ubnt;ubnt.
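This login pattern can be looked for in a device's SSH authentication log. The Python below is an added example, not code from the researchers' report: it assumes OpenSSH-style sshd log lines, and the function name, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Accounts the article says the variant tries (as user;password pairs).
# sshd does not log passwords, so only the account names can be matched.
PNSCAN_USERS = {"root", "admin", "ubnt"}

# OpenSSH auth messages:
#   "Failed|Accepted password for [invalid user] <user> from <ip> port <n>"
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_suspect_sources(lines, min_users=2):
    """Return {ip: {"users": set, "accepted": set}} for every source that
    tried at least min_users of the accounts in PNSCAN_USERS."""
    seen = defaultdict(lambda: {"users": set(), "accepted": set()})
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m["user"] not in PNSCAN_USERS:
            continue
        entry = seen[m["ip"]]
        entry["users"].add(m["user"])
        if m["result"] == "Accepted":
            # A password login succeeded for one of the default accounts.
            entry["accepted"].add(m["user"])
    return {ip: e for ip, e in seen.items() if len(e["users"]) >= min_users}

# Constructed sample log lines (documentation-range IPs, not real telemetry).
SAMPLE_LOG = """\
Aug 24 03:11:02 router sshd[811]: Failed password for root from 203.0.113.7 port 51514 ssh2
Aug 24 03:11:03 router sshd[812]: Failed password for invalid user ubnt from 203.0.113.7 port 51516 ssh2
Aug 24 03:11:05 router sshd[813]: Accepted password for admin from 203.0.113.7 port 51520 ssh2
Aug 24 09:40:17 router sshd[901]: Failed password for root from 198.51.100.20 port 40022 ssh2
Aug 24 09:41:00 router sshd[902]: Accepted password for alice from 198.51.100.20 port 40030 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, e in find_suspect_sources(SAMPLE_LOG).items():
        ok = ",".join(sorted(e["accepted"])) or "none"
        print(f"{ip}: tried {sorted(e['users'])}, accepted: {ok}")
```

A source that cycles through these account names and ends with an accepted password login points to a device still using one of the default credentials listed above.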
The security researchers have discovered that the developers used a cross compiler for i686 with an SSL-enabled configuration. Upon successful infiltration, the Trojan forks its process four times (in addition to the main process). Its next actions are creating files in the device’s memory, setting up a daemon instance and listening on two TCP ports. Other malicious actions include targeting further victims and obscuring its activity with HTTP/1.1 traffic sent via SSL to twitter.com on port 443. The worm also has brute-force capabilities that it can use against its targets.
By sending packets to twitter.com, the new Linux.PNScan variant can conceal its malicious traffic and hinder security analysis. As the SSL protocol provides a secure connection to the social network, general audits cannot reveal any suspicious transfers. The newly discovered Trojan might have been active for some time, and the security experts suspect that it might be of Russian origin.