SecurityWeek

Linux Trojan Brute Forces Routers to Install Backdoors

A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.

Dubbed Linux.PNScan, the threat was detailed last year, when it mainly targeted devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”

Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers by its authors, who exploited the ShellShock vulnerability to run a script with the appropriate settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and installing a script on them, which in turn would download a backdoor matching the router's architecture (ARM, MIPS, or PowerPC).

The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variant of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack logins using a special dictionary, this variant targets specific IP addresses and attempts to connect to them via SSH using one of three hardcoded username/password pairs: root:root, admin:admin, or ubnt:ubnt (the last being the factory default account on Ubiquiti devices).

While analyzing the sample, Malware Must Die! researchers found that it had been built with a cross-compilation toolchain compatible with GCC (GNU) 4.1.x, targeting i686, using the SSL-enabled build configuration.

Once on an infected device, the malware was seen forking four child processes (in addition to the main process), creating specific files on the device, daemonizing, listening on two TCP ports, attacking hardcoded IP addresses, and masking its activity by sending HTTP/1.1 requests over SSL to twitter.com on port 443. The worm also carries the SSH brute-forcing capability described above.

The requests to twitter.com let Linux.PNScan blend its traffic with legitimate activity and hinder analysis. On the wire the malicious traffic is hard to tell from genuine traffic: the SSL session to Twitter is encrypted and looks like ordinary browsing, and the individual SSH connection attempts show nothing abnormal, researchers say (they consulted with ETLabs on this, to no avail).
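What is visible, however, is the fixed credential set described above: a single source trying exactly root, admin and ubnt in quick succession against a host is a pattern a defender can hunt for in that host's sshd log even though each attempt looks ordinary on its own. The following is an added example written for this page, not code from the original article or from the Malware Must Die! researchers. It assumes standard OpenSSH "Failed password" syslog lines (sshd records the username but never the password, so matching is on usernames), and the log lines it runs over are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Usernames from the three credential pairs the article says Linux.PNScan.2
# tries (root:root, admin:admin, ubnt:ubnt). sshd logs only the username.
PNSCAN_USERS = {"root", "admin", "ubnt"}

# Standard OpenSSH auth.log shape (syslog prefix + sshd message). Handles both
# "Failed password for <user>" and "Failed password for invalid user <user>".
LOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse_line(line, year=2016):
    """Return (timestamp, username, source_ip) for a failed-password line, else None.
    syslog lines carry no year, so one is supplied by the caller."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return ts, m["user"], m["ip"]


def find_pnscan_like_sources(lines, window_seconds=120, year=2016):
    """Return {source_ip: sorted usernames} for every source that attempted all
    of PNSCAN_USERS within window_seconds. Sources that try only some of the
    names, or spread them out over hours, are not flagged."""
    attempts = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        if user in PNSCAN_USERS:
            attempts[ip].append((ts, user))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        start = 0
        # Sliding window over the time-ordered attempts from this source.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            seen = {user for _, user in events[start:end + 1]}
            if seen == PNSCAN_USERS:
                flagged[ip] = sorted(seen)
                break
    return flagged


# Constructed sample log: one source sweeps the PNScan credential set in a few
# seconds; another tries the same names hours apart; one line is a normal login.
SAMPLE_LOG = """\
Aug 25 03:14:07 gw sshd[2112]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug 25 03:14:09 gw sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Aug 25 03:14:11 gw sshd[2114]: Failed password for invalid user ubnt from 203.0.113.7 port 51026 ssh2
Aug 25 03:20:00 gw sshd[2130]: Failed password for root from 198.51.100.9 port 40010 ssh2
Aug 25 03:20:03 gw sshd[2131]: Failed password for invalid user pi from 198.51.100.9 port 40012 ssh2
Aug 25 05:00:00 gw sshd[2200]: Failed password for invalid user admin from 198.51.100.9 port 40100 ssh2
Aug 25 06:00:00 gw sshd[2300]: Failed password for invalid user ubnt from 198.51.100.9 port 40200 ssh2
Aug 25 03:21:00 gw sshd[2140]: Accepted publickey for ops from 192.0.2.5 port 53300 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in find_pnscan_like_sources(SAMPLE_LOG).items():
        print(f"{ip}: tried {', '.join(users)} within 120s (PNScan.2 credential set)")
```

The 120-second window is a tuning choice, not something the article states; the worm's fixed three-name set is what makes the heuristic specific, so a source that tries root alone, or a generic dictionary, will not match. Against a real router the same logic applies to whatever the device writes for failed SSH logins, provided the regular expression is adjusted to that format.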

The malware, researchers say, is re-infecting x86 Linux machines in the targeted network and may have been doing so for the past six months, during which it was believed to be inactive. The worm compromises one embedded system, then scans for others and attempts to infect them as well. The attacker, researchers suggest, may be of Russian origin.

Although the malware is not new, the researchers say it is important to raise awareness of an active threat. Infected routers, they note, would show traces of specific processes running during the initial infection, and their network connections would reveal any attack being launched. In addition, each target the worm connects to is logged in a file named “list2”, so traces of the brute-force target list can be found there.

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers
