According to new research from MalwareMustDie, a re-emerging malware dubbed Linux.PNScan has been found targeting x86 Linux-based routers in an attempt to install backdoors on them.
What is the Linux.PNScan malware?
Based on threat detections from last year, it is an ELF binary that targets routers running on ARM, MIPS or PowerPC architectures.
According to MalwareMustDie's blog post, the new variant of the Trojan was spotted in the IP address block 126.96.36.199/16, and it uses three sets of admin credentials to brute-force its way in. The malware was compiled with a toolchain using the cross-compiler option for i686 and an SSL-enabled configuration, since it needs SSL capability to communicate with Twitter.
When the threat infects a device, it forks multiple times, creates certain files on the infected system, daemonizes and listens on two TCP ports. It then targets the above-mentioned IP address range, which is hard-coded into the malware, and sends HTTP/1.1 requests over SSL to twitter.com on port 443 to hide its malicious traffic.
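The credential brute-forcing described above leaves a recognisable trail in the router's SSH log. The following detector is an added example written for this page; it is not MalwareMustDie's code and not a signature for the sample. It parses standard OpenSSH "Failed password" lines, counts failures per source address inside a sliding time window, and flags any source that crosses a threshold, also noting whether the source falls inside the /16 the article names. The log lines, usernames, threshold and window are constructed for the example.

```python
"""Spot the SSH credential brute-forcing the article describes.

Added example, written for this page; it is not MalwareMustDie's code or
a signature for the sample. It parses OpenSSH 'Failed password' lines,
counts failures per source address inside a sliding time window, and
flags a source once it crosses a threshold. The log lines, usernames and
threshold below are constructed; the /16 is the block the article names.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Block the article reports the variant operating in (host bits masked off).
TARGET_BLOCK = ipaddress.ip_network("126.96.36.199/16", strict=False)

# Standard OpenSSH failure line; 'invalid user' appears for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source hammering three accounts, one stray source.
SAMPLE_LOG = """\
Aug 25 10:01:02 router sshd[1201]: Failed password for admin from 126.96.36.5 port 51234 ssh2
Aug 25 10:01:07 router sshd[1202]: Failed password for root from 126.96.36.5 port 51235 ssh2
Aug 25 10:01:12 router sshd[1203]: Failed password for invalid user support from 126.96.36.5 port 51236 ssh2
Aug 25 10:01:18 router sshd[1204]: Failed password for admin from 126.96.36.5 port 51237 ssh2
Aug 25 10:01:25 router sshd[1205]: Failed password for root from 126.96.36.5 port 51238 ssh2
Aug 25 10:01:32 router sshd[1206]: Failed password for invalid user support from 126.96.36.5 port 51239 ssh2
Aug 25 10:05:40 router sshd[1210]: Failed password for admin from 203.0.113.7 port 40001 ssh2
Aug 25 10:06:01 router sshd[1211]: Accepted publickey for admin from 192.168.1.20 port 50100 ssh2
Aug 25 10:41:15 router sshd[1220]: Failed password for admin from 203.0.113.7 port 40002 ssh2
"""


def parse_failures(lines, year=2016):
    """Return (timestamp, user, source) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied; lines that are
    not password failures are skipped rather than treated as errors.
    """
    events = []
    for line in lines:
        match = FAILED_RE.match(line)
        if not match:
            continue
        ts = " ".join(match["ts"].split())  # collapse 'Aug  5' to 'Aug 5'
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, match["user"], ipaddress.ip_address(match["src"])))
    return events


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside any window_seconds span.

    Returns {source: {"failures", "users", "in_target_block"}}.
    """
    by_src = defaultdict(list)
    for when, user, src in parse_failures(lines):
        by_src[src].append((when, user))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it is within the span of the end.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[str(src)] = {
                    "failures": len(attempts),
                    "users": sorted({u for _, u in attempts}),
                    "in_target_block": src in TARGET_BLOCK,
                }
                break
    return flagged


if __name__ == "__main__":
    for src, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['failures']} failures across {info['users']}; "
              f"inside article's block: {info['in_target_block']}")
```

Run against a real log, the threshold and window would be tuned to the router's normal traffic; the "users" list is the useful part of the output, since a single source cycling through a small fixed set of admin accounts is exactly the pattern the article attributes to this malware.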
How to protect against automated attacks?
One could implement an IDS and deploy a signature to detect Linux.PNScan; however, since almost all of the targets are routers with SSH enabled, we shift our focus to the routers themselves.
Protect your router if you are infected.
Reset your router to factory default settings, either through the web console or with the hardware reset button on the back of the router.
Enable WPA/WPS security settings on the router.
Change the passwords of the admin console and of the Wi-Fi network, following the usual password guidelines: use stronger passwords.
Enable MAC address filtering, which lets you define a list of devices so that only those devices can join your network.
Disable console access to your router from the Internet.
As a generic prevention strategy, if you have an SSH service listening on port 22, change the service port so that it listens on some other non-standard high port. Note, however, that only a few router models allow the SSH port to be changed.
Consult the device documentation before making these changes.
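Two of the steps above (keep the console off the Internet, move SSH off port 22) can be verified mechanically once the router has been reconfigured. The audit below is an added example written for this page, not code from the article or from MalwareMustDie. It assumes a Linux router running OpenSSH with a standard sshd_config; routers that ship dropbear keep the equivalent settings elsewhere. It checks that sshd is off port 22 and bound only to a LAN address and, going one step beyond the article's list, that password logins are disabled so credential guessing has nothing to guess at. Match blocks are not modelled, and both sample configurations are constructed.

```python
"""Audit an OpenSSH sshd_config against the router-hardening steps above.

Added example written for this page, not code from the article or from
MalwareMustDie. Assumes a Linux router running OpenSSH with a standard
sshd_config (dropbear-based routers keep these settings elsewhere).
Checks: sshd is off port 22, bound to a LAN address only, and (beyond the
article's list) password authentication is disabled. Match blocks are not
modelled; both sample configs are constructed.
"""
import ipaddress
import re

# Constructed: the factory-style configuration the article warns about.
WEAK_CONFIG = """\
# default router config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the same daemon after applying the steps above.
HARDENED_CONFIG = """\
Port 42222
ListenAddress 192.168.1.1:42222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): [values]} for effective (non-comment) lines.

    Every occurrence is kept because Port and ListenAddress may repeat;
    sshd accepts both 'Key value' and 'Key=value' forms.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return conf


def _listen_host(value):
    """Host part of a ListenAddress: 'host', 'host:port' or '[v6]:port'."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else value


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_sshd_config(text)
    findings = []

    ports = conf.get("port", ["22"])  # OpenSSH default when Port is absent
    if "22" in ports:
        findings.append("sshd listens on port 22; move it to a non-standard high port")

    listen = conf.get("listenaddress", [])
    if not listen:
        findings.append("no ListenAddress; sshd is reachable on every interface, including WAN")
    for value in listen:
        host = _listen_host(value)
        if host == "*":
            findings.append(f"ListenAddress {value} binds all interfaces")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"ListenAddress {value} is a hostname; verify it resolves to the LAN address")
            continue
        if addr.is_unspecified or not addr.is_private:
            findings.append(f"ListenAddress {value} is not a LAN-only address")

    # Beyond the article's list: brute-forcing is moot without password logins.
    if conf.get("passwordauthentication", ["yes"])[-1].lower() != "no":
        findings.append("PasswordAuthentication is on; use key-based logins instead")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['OK']}")
```

Binding sshd to the LAN address is treated as the primary check because it is what actually implements "disable console access from the Internet"; moving the port only reduces scanner noise, and a router exposed on all interfaces on port 42222 is still exposed.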