A Linux Trojan that emerged more than a year ago is once again actively targeting routers in an attempt to install backdoors on them.
Dubbed Linux.PNScan, the threat was detailed last year, when it was targeting mainly devices with ARM, MIPS, or PowerPC architectures. Now, security researchers from Malware Must Die! say that this ELF worm is hitting x86 Linux systems, with a focus on embedded platforms, specifically those in the “network area of Telangana and Kashmir region of India.”
Last year, Doctor Web researchers suggested that the Trojan might have been installed on routers attacked by its authors, who exploited the ShellShock vulnerability running a script with corresponding settings. The threat, researchers said, was designed for the sole purpose of brute forcing routers and install a script on them which in turn would download a backdoor based on the router architecture (ARM, MIPS, or PowerPC).
The worm Malware Must Die! researchers have observed recently appears to be Linux.PNScan.2, a variation of the original Trojan. Unlike Linux.PNScan.1, which attempted to crack login combinations using a special dictionary, this threat targets specific IP addresses and attempts to connect to them via SSH using one of the following combinations: root;root; admin;admin; or ubnt;ubnt.
While analyzing the threat, Malware Must Die! researchers discovered that it was compiled using Toolchains and that it showed GCC(GNU) 4.1.x compatibility. The security researchers also discovered that the worm’s author used a cross compiler option for i686 using the SSL enabled configuration.
Once on the infected device, the malware was seen forking its process 4 times (in addition to the main process), creating specific files on the device, daemonizing and listening to 2 TCP ports, targeting hardcoded IPs, and confusing traffic by sending HTTP/1.1 requests via SSL to twitter.com on port 443. The worm is also capable of brute forcing logins.
By sending requests to twitter.com, Linux.PNScan can hide its malicious traffic and hinder analysis. The generated malicious traffic cannot be distinguished from genuine traffic. While SSL traffic to Twitter is observed, it is encrypted, and nothing appears abnormal in the SSH scanning, researchers reveal (they consulted with ETLabs on this, to no avail).
The malware, researchers say, is re-infecting i86 Linux machines in the specified target network, and it might have been doing so for the past six months, although it was believed to be inactive. The worm hits one embedded system, then scans for more and attempts to infiltrate them as well. The attacker, researchers suggest, might be of Russian origin.
Although the malware is not new, it is important to raise awareness on an active threat, the security researchers say. Infected routers, they note, would have traces of specific processes running during the initial infection, while the network connectivity would reveal any launched attack. Moreover, each connected target is logged in the "list2" file, and the brute list trace can be found in this file.