Security News PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
A trojan thought to have died out resurfaced with new attacks and a new and improved version, launching new attacks on routers running Linux-based firmware located in India's cyber-space.

Linux.PNScan appeared online in August 2015, when Dr.Web first reported on two variants, which were later seen attacking routers in late September of the same year.

First Linux.PNScan versions targeted ARM, MIPs, or PowerPC architectures
Based on analysis from Dr.Web and security researcher MalwareMustDie!, we know that Linux.PNScan is an ELF binary that targets routers running on ARM, MIPs, or PowerPC architectures.

The trojan was used mainly for DDoS attacks, supporting ACK, SYN, and UDP packet floods. Additionally, PNScan included worm-like features, with the ability to spread to other routers that were also using Linux-based firmware.

Linux.PNScan.1 used dictionary-based attacks in its attempts to brute-force other devices, while Linux.PNScan.2 used only three username - password combos: root/root; admin/admin; and ubnt/ubnt.

New version resurfaces with x86 support, attacks in India
Attacks with this trojan have slowly died down after the initial detection, but according to MalwareMustDie!, the trojan received an update, allowing it to also target Linux routers running on the more popular x86 (i86) architecture.

Since then, Linux.PNScan has made a comeback, being deployed in attacks in the past six months.

"I thought the threat is becoming inactive now and it looks like I'm wrong," says MalwareMustDie!. "The malware [...] is hardcoded to aim [at the] 183.83.0.0/16 segment (located in network area of Telangana and Kashmir region of India), where it was just spotted."

Based on the features detected by MalwareMustDie!, this seems to be an evolution of Linux.PNScan.2, since it continues to use only three set of admin credentials when brute-forcing other nearby routers, and not a dictionary attack.

Detecting infected routers is a little bit tricky, but PNScan creates a series of files on compromised devices, as listed below:

permission size date filename function
----------------------------------------------------------------
-rw-r--r-- 387 Aug 23 12:06 list2 <-- connected hosts
-rw-r--r-- 4 Aug 23 12:02 MalwareFile.pid <-- pids
-rw-r--r-- 0 Aug 23 12:02 daemon.log <-- malware log
-rw-r--r-- 35 Aug 23 12:02 login2 <-- brute auth
drwxr-xr-x 4096 Aug 23 12:02 files/ <-- updates/downloads

Read more: PNScan Linux Trojan Resurfaces with New Attacks Targeting Routers in India
 

Akshay Gupta

New Member
Aug 25, 2016
7
Hey after deleting sysnetwrk.exe file from dsq folder I am not to connect to server and not able to use browser any more showing no interest connection? Plz help me what to do?
 
  • Like
Reactions: Logethica

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top