Linux.PnScan – How to Protect



India 29 August 2016: According to new research of MalwareMustDie!, a remerging Malware dubbed Linux.PNScan was found targeting Routers based on X86 Linux in an attempt to install backdoors on them.

What is Linux. PNScan Malware?


Based on threat detection last year, it is an ELF binary that targets routers running on ARM, MIPs or PowerPC architectures.

According to MalwareMustDie’s blog-post, the new variant of the Trojan was spotted in the IP Address Block 183.83.0.0/16 and it used three sets of admin credentials for brute-forcing its way in. The Malware was compiled by Tool chains with cross compiler option for i686 using the SSL enabled configuration, as in order to communicate with Twitter in needs SSL capability.

When the threat infects a device, it will fork multiple times, creating certain files on the infected system, daemonizing and listening on two TCP Ports, targeting the above mentioned IP address range, which has been hard-coded into the malware, and sends HTTP/1.1 requests via SSL to twitter.com on port 443 to hide its malicious traffic.

How to Protect from Automated Attacks?

Although, one may consider implementing an IDS and deploy the signature for detection of Linux.PnScan, however, almost all of the targets have SSH enabled routers; hence, we shift our focus to Routers.

Protect your Router, if you are infected.
o Reset your Router to Factory Default settings, which can be done either through the web-console panel or through the hardware reset, which is provided at the back-side of the router.
o Enable WPA/WPS security settings for Router
o Change the passwords of the Admin console and that of the Wi-Fi. Furthermore, kindly follow the password implementation guidelines i.e. Use Stronger Passwords.
o Enable and allow MAC address filtering, which allows you to define a list of devices and only those devices in your network.
o Disable console access to your Router from Internet.
o This is a generic prevention strategy, in case you have SSH service listening on port 22, modify the service port and make it listen on some other non-standard high port. However, the ability to change the SSH port is made available in a few router models.
o Consult the device documentation before committing these changes.

eScan, one of the leading Anti-Virus & Content Security solutions for Desktops, Smartphones and Servers, is developed and marketed by MicroWorld. It is powered by innovative and futuristic technologies, such as MWL Technology, DIRC Technology, NILP Technology and sophisticated Anti-Virus Heuristic Algorithms that not only provides protection from current threats, but also provides proactive protection against evolving threats. It has achieved several certifications and awards from some of the most prestigious testing bodies, notable among them being AV-Comparatives, Virus Bulletin, AV-Test and ICSA labs. Combining the power of various innovative technologies, eScan provides Multi-level Real-time Protection to digital devices and Networks. For more information, visit www.escanav.com