Linux Trojan Brute Forces Routers to Install Backdoors

A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.

Dubbed Linux.PNScan, the threat was detailed last year, when it was targeting mainly devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”

Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers by its authors, who exploited the ShellShock vulnerability to run a script with the corresponding settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and installing a script on them, which in turn would download a backdoor matching the router architecture (ARM, MIPS, or PowerPC).

The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variation of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack login combinations using a special dictionary, this threat targets specific IP addresses and attempts to connect to them via SSH using one of three username/password combinations: root/root, admin/admin, or ubnt/ubnt.

While analyzing the threat, Malware Must Die! researchers discovered that it was compiled with a toolchain showing GCC (GNU) 4.1.x compatibility. They also found that the worm's author used a cross-compiler option for i686 with the SSL-enabled configuration.

Once on the infected device, the malware was seen forking its process four times (in addition to the main process), creating specific files on the device, daemonizing and listening on two TCP ports, targeting hardcoded IPs, and muddying its traffic by sending HTTP/1.1 requests over SSL to Twitter on port 443. The worm is also capable of brute forcing logins.

By sending requests to Twitter, Linux.PNScan can hide its malicious traffic and hinder analysis, since the generated traffic cannot be distinguished from genuine traffic. While SSL traffic to Twitter is observed, it is encrypted, and nothing appears abnormal in the SSH scanning, the researchers reveal (they consulted with ETLabs on this, to no avail).

The malware, researchers say, is re-infecting x86 Linux machines in the specified target network, and it might have been doing so for the past six months, although it was believed to be inactive. The worm hits one embedded system, then scans for more and attempts to infiltrate them as well. The attacker, researchers suggest, might be of Russian origin.

Although the malware is not new, it is important to raise awareness of an active threat, the security researchers say. Infected routers, they note, carry traces of specific processes running during the initial infection, and the device's network connections reveal any launched attack. Moreover, each connected target is logged in the "list2" file, where the brute-force list trace can also be found.
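The SSH credential sweep described above (root/root, admin/admin, ubnt/ubnt) leaves a recognisable footprint in the sshd log of any Linux host or router that keeps one. The following detection script is an added example, not code from the article or from the Malware Must Die! researchers; it assumes the standard OpenSSH `auth.log` message format, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# The three usernames Linux.PNScan.2 is reported to try over SSH.
PNSCAN_USERS = {"root", "admin", "ubnt"}

# Standard OpenSSH auth.log shape (assumed), e.g.
#   "... sshd[1234]: Failed password for root from 10.0.0.5 port 51000 ssh2"
#   "... sshd[1234]: Failed password for invalid user ubnt from 10.0.0.5 port 51002 ssh2"
LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def scan_auth_log(lines):
    """Return {source_ip: {"users": set, "accepted": bool}} for every source
    that cycled through the complete PNScan username set."""
    attempts = defaultdict(lambda: {"users": set(), "accepted": False})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = attempts[m["ip"]]
        rec["users"].add(m["user"])
        if m["result"] == "Accepted":
            # A successful login from a sweeping source means the default
            # credential was live: treat the host as likely compromised.
            rec["accepted"] = True
    return {ip: rec for ip, rec in attempts.items() if PNSCAN_USERS <= rec["users"]}

# Constructed sample: one failed sweep, one unrelated failure, one sweep that got in.
SAMPLE_LOG = """\
Aug 25 10:01:02 gw sshd[1234]: Failed password for root from 10.0.0.5 port 51000 ssh2
Aug 25 10:01:03 gw sshd[1235]: Failed password for admin from 10.0.0.5 port 51001 ssh2
Aug 25 10:01:05 gw sshd[1236]: Failed password for invalid user ubnt from 10.0.0.5 port 51002 ssh2
Aug 25 10:02:10 gw sshd[1240]: Failed password for alice from 192.0.2.7 port 40000 ssh2
Aug 25 10:03:00 gw sshd[1241]: Accepted password for admin from 10.0.0.9 port 52000 ssh2
Aug 25 10:03:01 gw sshd[1242]: Failed password for root from 10.0.0.9 port 52001 ssh2
Aug 25 10:03:02 gw sshd[1243]: Failed password for ubnt from 10.0.0.9 port 52002 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, rec in scan_auth_log(SAMPLE_LOG).items():
        status = "SUCCESSFUL LOGIN, investigate host" if rec["accepted"] else "failed only"
        print(f"{ip}: PNScan-style credential sweep ({status})")
```

Pair a hit with the on-device checks the researchers name (the "list2" file and unexpected listening TCP ports) before declaring a router clean.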

Related: Self-Spreading Linux Trojan Creates P2P Botnet

Related: New Remaiten Malware Builds Botnet of Linux-Based Routers
