Linux.PNScan Trojan is Back Again! Indian x86 Linux Based Routers are on Target!

This is bad news if you own an x86 Linux based router. A Trojan named Linux.PNScan is installing a backdoor on routers that use the x86 Linux architecture. It is an old Trojan, first detected in August 2015 by security researchers at Dr Web. At that time Linux.PNScan was infecting PowerPC, MIPS and ARM based routers.

A Brief Report on Old Linux.PNScan Trojan

The old Linux.PNScan Trojan was designed by its authors to perform Distributed Denial of Service (DDoS) attacks. After infecting ARM, MIPS and PowerPC based routers, it could launch ACK flood, SYN flood and UDP flood DDoS attacks. It infected every router that made contact with it. It was also capable of brute-force attacks, but used only three username and password combinations:

Username: admin, Password: admin

Username: root, Password: root

Username: ubnt, Password: ubnt

How Does the New Linux.PNScan Trojan Work?

According to security researchers at Dr Web, this is an updated version of the old Linux.PNScan Trojan. Its authors compiled it with a 'Toolchains' compiler tool; Linux.PNScan is compatible with GCC (GNU) 4.1.x. The authors also used an SSL-enabled configuration to activate the cross-compiler option. The Trojan is hard-coded by its authors solely to install a backdoor on x86 Linux based routers.

The hackers behind this Trojan use a Twitter account to hide the malicious traffic. After infecting an x86 Linux based router, the Trojan creates several malicious files on the system. These files listen on two TCP ports. The Trojan sends specially crafted HTTP requests over SSL on port 443. It is also capable of performing a dictionary attack.

How to Detect This Trojan?

Linux.PNScan creates some new files on the system. If files of this kind are present in your router's file system, you are also a victim. The list of files is given below:

Permission   Size  Date          Filename         Function
-rw-r--r--    387  Aug 23 12:06  list2            connected hosts
-rw-r--r--      4  Aug 23 12:02  MalwareFile.pid  pids
-rw-r--r--      0  Aug 23 12:02  daemon.log       malware log
-rw-r--r--     35  Aug 23 12:02  login2           brute auth
drwxr-xr-x   4096  Aug 23 12:02  files/           updates/downloads

This Trojan is in direct contact with hard-coded IP addresses in the 183.83.0.0/16 range. Security researchers found that these addresses are from the Kashmir and Telangana regions of India. Dr Web said the malware's origin might be Russia.
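The following is an added example, not code from the article or from Dr Web, that turns the two indicators above into a check a router admin can run: it walks a directory for the listed file names and filters netstat-style connection lines for peers in 183.83.0.0/16. The sample directory tree and netstat lines are constructed for the demonstration; a name match alone (daemon.log is a common name) is a lead to review, not proof of infection.

```python
import ipaddress
import os
import tempfile

# File names reported for this infection (taken from the article's listing).
PNSCAN_FILES = {"list2", "MalwareFile.pid", "daemon.log", "login2", "files"}

# Hard-coded range the article says the Trojan contacts.
PNSCAN_RANGE = ipaddress.ip_network("183.83.0.0/16")


def scan_fs(root):
    """Walk `root`; return relative paths whose name matches an indicator."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name in PNSCAN_FILES:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def suspicious_peers(netstat_lines):
    """Return remote IPs from `netstat -tn` style lines that fall in PNSCAN_RANGE."""
    peers = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6"):
            continue                       # header or non-TCP row
        remote = parts[4].rsplit(":", 1)[0]  # "Foreign Address" minus the port
        try:
            ip = ipaddress.ip_address(remote)
        except ValueError:
            continue
        if ip in PNSCAN_RANGE:
            peers.append(str(ip))
    return peers


def build_sample_tree():
    """Constructed sample: scratch directory laid out like the article's listing."""
    root = tempfile.mkdtemp(prefix="pnscan_demo_")
    for name in ("list2", "MalwareFile.pid", "daemon.log", "login2"):
        open(os.path.join(root, name), "w").close()
    os.mkdir(os.path.join(root, "files"))
    return root


# Constructed netstat -tn output for the demonstration (not a real capture).
SAMPLE_NETSTAT = [
    "Proto Recv-Q Send-Q Local Address Foreign Address State",
    "tcp 0 0 192.168.1.1:443 183.83.12.34:443 ESTABLISHED",
    "tcp 0 0 192.168.1.1:22 192.168.1.50:51234 ESTABLISHED",
]
```

On a live router, pipe the output of `netstat -tn` into `suspicious_peers` and point `scan_fs` at the file system root; review every hit by hand before deciding on remediation.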