A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #26448  by Blaze
 Thu Aug 06, 2015 9:26 am
Doctor Web security researchers examined a new dangerous Trojan for routers running Linux. The Trojan, named Linux.PNScan.1, can infect devices with ARM, MIPS, or PowerPC architectures. Using this and other dangerous applications uploaded by Linux.PNScan.1 to the compromised device, cybercriminals can hack the administrative control panel of PHPMyAdmin, which is used to manage relational databases, and brute-force authentication credentials to gain unauthorized access to various devices and servers via the SSH protocol.
http://news.drweb.com/show/?i=9548&lng=en&c=5
 #26460  by Blaze
 Fri Aug 07, 2015 5:52 am
I missed that post, probably due to the naming Dr. Web gave it. Thanks for your feedback, mate, and yes, please merge the post if possible :)
 #26463  by tWiCe
 Fri Aug 07, 2015 10:50 am
unixfreaxjp wrote:Bart, this is NOT new, we posted it way before and also blogged it, is this thread: http://www.kernelmode.info/forum/viewto ... =16&t=3480
cc: @Xylit0l @EP_X0FF please help to merge the thread w/thanks
You are wrong. The sample you described in that topic is a real "tool", but the samples from Dr.Web's report are trojans.

Linux.PNScan.1 is based on the original "pnscan" tool sources developed by researchers, but it is modified to automatically drop a malicious sh script onto the target system.
Furthermore, Linux.PNScan.2 has pure worm capabilities. After the initial infection it will spread without any action from the botnet makers.

Please have a closer look at technical details published by Dr.Web:

Linux.PNScan.1: http://vms.drweb.com/virus/?i=4656268
Linux.PNScan.2: http://vms.drweb.com/virus/?i=7299536
 #26472  by unixfreaxjp
 Sun Aug 09, 2015 3:57 am
tWiCe wrote:Linux.PNScan.1 is based on the original "pnscan" tool sources developed by researchers, but it is modified to automatically drop a malicious sh script onto the target system.
Furthermore, Linux.PNScan.2 has pure worm capabilities. After the initial infection it will spread without any action from the botnet makers.
Good explanation, thank you. Let's open & maintain this repo thread.
Blaze wrote:I missed that post
I did not confirm it in depth; I must change that. Seems you did the same too. We must fix it.
Let's check carefully what is already implemented in this main ELF repository root before posting: http://www.kernelmode.info/forum/viewto ... =16&t=3471
 #26827  by unixfreaxjp
 Mon Sep 28, 2015 3:04 pm
HOW PNSCAN WORKS - FOR MITIGATION REFERENCE OF ABUSED ROUTERS

A sample was spotted by @TechHelpList; I analyzed it.
Understanding the initial process detail of an infection that starts the SSH brute-forcing attack conducted by this malware is indeed very important information for mitigation, because the ELF malware of this variant is involved in a global router-hacking case that is now helping to proxy-distribute a well-known "other" Windows malware via malicious DNAT proxy settings. This info is not found in Dr.Web's explanation.

So here is the short explanation for the purpose:

Upon execution the initial process runs random() and checks its path, then opens the "files" directory,
along with writing the file "login2".
This malware writes the string "root;root;\nadmin;admin;\nubnt;ubnt;\n" to "login2", forks itself and then quits.
Code:
write(3, "root;root;\nadmin;admin;\nubnt;ubnt;\n", 35)
close(3) 
The forked instance grabs its PID via the getpid() syscall and sets it up with setsid(), then
opens two files: "daemon.log" for the soon-to-be-executed daemon and "[malwarefilename].pid" for the malware's main process PID (text).
During the process the work files "good2" and "list2" are created and filled with the node IP address data; it reads them and then deletes the files.
This forked instance is the main process of this malware; it clones itself into further processes via the clone() syscall with a child stack (child_stack=0x8778b0).

The first cloned process above executes the self-daemon hook to INET on 0.0.0.0:9000 as a server.
Together with the other cloned processes, all clones use the same clone() syscall with child_stack; each opens (1) an INET socket and (2) an SSH connection to a listed IP, and waits for the established ones.
The forked instance reads each clone's return for following up with the password brute-forcing.
These clones self-terminate on timeout, idling the connection in the established state.
Upon establishment the first main forked process executes the SSH protocol communication for the SSH login attack.

I didn't write this paragraph until I tested it, and it is positive now: one process cloned by the main process (the firstly forked one) opened another port for a backdoor bound to 0.0.0.0:1337, with the same binding method as the listener on port 9000. So two ports are opened.

Another amusing fact, don't ask me why, as tested: one cloned process requested https to twitter.com :roll:

In this sample it extracted 10,000 IP addresses to scan and the logins to brute-force; I extracted these from the malware and put them together with the sample and its drops.
This malware does not make callbacks; it backdoors ports 9000 & 1337, which the actor uses to access and fetch the scan results written in the files mentioned above, so there is no actual CNC callback.
Obviously the router's resources are drained while the brute-forcing is in progress, so as long as the router's resources are available it will keep a high load average; there is no proper resource control in this malware. Some functions don't seem to run well on non-x86 architectures either.

For indication of infection, from outside the box: heavy connection activity or brute-force SSH login outbound traffic are symptoms, as is the opened backdoor port. In some states the affected router may look like it is in a DoS state.
In the shell (from inside the box) the above file activities are an indicator of the infection.

Infected routers will definitely run the malware as root. A backdoor is opened and can be used remotely to execute anything, so instead of cleaning it normally, resetting to factory settings and restoring the backup settings is the recommended method; change the login credentials afterward and then tune the router to a more secure state.

Snips of the initiated attack in progress:
Code:
 IPv4  3408051  0t0  TCP pMMD-KICKS:38066->246.148.1.255:ssh (SYN_SENT)
 IPv4  3408052  0t0  TCP pMMD-KICKS:58726->246.148.2.0:ssh (SYN_SENT)
 IPv4  3408053  0t0  TCP pMMD-KICKS:39952->246.148.2.1:ssh (SYN_SENT)
 IPv4  3408054  0t0  TCP pMMD-KICKS:57184->246.148.2.2:ssh (SYN_SENT)
 IPv4  3408055  0t0  TCP pMMD-KICKS:40208->246.148.2.3:ssh (SYN_SENT)
 IPv4  3408056  0t0  TCP pMMD-KICKS:38367->246.148.2.4:ssh (SYN_SENT)
 IPv4  3408057  0t0  TCP pMMD-KICKS:40710->246.148.2.5:ssh (SYN_SENT)
 IPv4  3408058  0t0  TCP pMMD-KICKS:37068->246.148.2.6:ssh (SYN_SENT)
Samples
https://www.virustotal.com/en/file/9c28 ... /analysis/
https://www.virustotal.com/en/file/0ffa ... /analysis/
https://www.virustotal.com/en/file/86fb ... /analysis/
https://www.virustotal.com/en/file/5c8c ... /analysis/

#MalwareMustDie!
Attachments
7z/infected (I attached the armel & i86, the only ones that I reversed)
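The indicators listed in the post above (a burst of outbound SSH connections in SYN_SENT to consecutive addresses, listeners on 0.0.0.0:9000 and 0.0.0.0:1337, and the "user;pass;" records written to login2) turned into a small triage script. This is an added example, not code from the thread, from MalwareMustDie or from the malware itself. The lsof-style sample lines are constructed to match the format of the snippet in the post, and the min_run threshold and the BACKDOOR_PORTS set are assumptions chosen for illustration.

```python
"""Triage checks for the PNScan indicators described in the post.

Added example; not code from the thread or from the malware.  The lsof-style
lines below are constructed to mimic the format of the post's snippet; the
login2 string is the one quoted from the strace output in the post.
"""
import ipaddress
import re

# Constructed sample: outbound SSH SYNs to consecutive addresses, the two
# listeners the post describes, and one unrelated established connection.
SAMPLE_LSOF = """\
IPv4  3408051  0t0  TCP pMMD-KICKS:38066->246.148.1.255:ssh (SYN_SENT)
IPv4  3408052  0t0  TCP pMMD-KICKS:58726->246.148.2.0:ssh (SYN_SENT)
IPv4  3408053  0t0  TCP pMMD-KICKS:39952->246.148.2.1:ssh (SYN_SENT)
IPv4  3408054  0t0  TCP pMMD-KICKS:57184->246.148.2.2:ssh (SYN_SENT)
IPv4  3408055  0t0  TCP pMMD-KICKS:40208->246.148.2.3:ssh (SYN_SENT)
IPv4  3408060  0t0  TCP *:9000 (LISTEN)
IPv4  3408061  0t0  TCP *:1337 (LISTEN)
IPv4  3408070  0t0  TCP pMMD-KICKS:44120->198.51.100.7:https (ESTABLISHED)
"""

# The string the malware writes to "login2" (from the strace line in the post):
# "user;pass;" records separated by newlines.
LOGIN2 = "root;root;\nadmin;admin;\nubnt;ubnt;\n"

# Assumption for this example: the two backdoor ports named in the post.
BACKDOOR_PORTS = {9000, 1337}

CONN_RE = re.compile(r"TCP \S+:\d+->(\d+\.\d+\.\d+\.\d+):(\w+) \((\w+)\)")
LISTEN_RE = re.compile(r"TCP \*:(\d+) \(LISTEN\)")


def parse_login2(blob):
    """Return [(user, password), ...] from the semicolon-terminated records."""
    pairs = []
    for rec in blob.split("\n"):
        fields = rec.split(";")
        if len(fields) >= 3 and fields[0]:
            pairs.append((fields[0], fields[1]))
    return pairs


def ssh_syn_targets(lsof_text):
    """IPs of outbound port-22 connections still in SYN_SENT (scan in progress)."""
    targets = []
    for line in lsof_text.splitlines():
        m = CONN_RE.search(line)
        if m and m.group(2) in ("ssh", "22") and m.group(3) == "SYN_SENT":
            targets.append(ipaddress.IPv4Address(m.group(1)))
    return targets


def longest_sequential_run(addrs):
    """Length of the longest run of consecutive addresses.

    A scanner walking a network segment produces long runs; ordinary client
    traffic does not, so this separates the brute-forcer from normal load.
    """
    best = run = 0
    prev = None
    for a in sorted(set(addrs)):
        run = run + 1 if prev is not None and int(a) - int(prev) == 1 else 1
        best = max(best, run)
        prev = a
    return best


def backdoor_listeners(lsof_text):
    """Wildcard-bound listeners on the ports the post attributes to the backdoor."""
    return sorted(int(m.group(1)) for m in LISTEN_RE.finditer(lsof_text)
                  if int(m.group(1)) in BACKDOOR_PORTS)


def assess(lsof_text, min_run=4):
    """Combine the indicators into one verdict dict (min_run is an assumed threshold)."""
    targets = ssh_syn_targets(lsof_text)
    run = longest_sequential_run(targets)
    listeners = backdoor_listeners(lsof_text)
    return {
        "ssh_syn_sent": len(targets),
        "sequential_run": run,
        "backdoor_listeners": listeners,
        # Either indicator alone is worth a look; both together match this malware.
        "suspicious": run >= min_run or bool(listeners),
    }


if __name__ == "__main__":
    print(parse_login2(LOGIN2))
    print(assess(SAMPLE_LSOF))
```

On a live box the input would come from `lsof -nP -iTCP` (or `netstat -ntp` with a matching regex); the script deliberately keys on the SYN_SENT state and on consecutive targets rather than on the 246.x addresses themselves, because the target list is extracted from each sample and changes between infections.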
 #26828  by tWiCe
 Mon Sep 28, 2015 6:13 pm
unixfreaxjp wrote:because the ELF malware of this variant is involved in a global router-hacking case that is now helping to proxy-distribute a well-known "other" Windows malware via malicious DNAT proxy settings. This info is not found in Dr.Web's explanation.
I'm curious, how does it make a "malicious DNAT proxy setting"? Did you find an infected router with an active C&C?
 #26829  by unixfreaxjp
 Mon Sep 28, 2015 7:36 pm
tWiCe wrote:
unixfreaxjp wrote:because the ELF malware of this variant is involved in a global router-hacking case that is now helping to proxy-distribute a well-known "other" Windows malware via malicious DNAT proxy settings. This info is not found in Dr.Web's explanation.
I'm curious, how does it make a "malicious DNAT proxy setting"? Did you find an infected router with an active C&C?
Thanks for asking. Yes, we found this malware infecting some routers in this project (access was closed just now since the data was used by hackers to hack vulnerable routers; PM me for details).
All of the routers listed there are "compromised" with malicious DNAT.
Note: it is not related to this malware's activity (manually set up, or maybe an additional script; it was hacked with root creds anyway), yet apparently the malware was used to breed new routers for servicing a bad purpose.
 #26831  by r3dbU7z
 Mon Sep 28, 2015 9:30 pm
I will dare to add a bit of information on this theme.
The matter is that the first sample, pnscan2 daemon.armv4l.mod, was uploaded by me to virustotal.com and the sample was simultaneously sent to drweb.
On 28 Jul 2015 I received a letter from drweb saying that the sample had received the name PNScan2. Remark: I have no relation to PNScan1, about which they wrote in the report "New Trojan for Linux infects routers".
Since that moment I have actively watched the movement of pnscan2. I also consider that drweb in the news (see above) has strongly underestimated the number of infected devices. In my incomplete logs there are over 2K entries of IP addresses received from the good2 files of infected devices (at present most of them are not accessible on ssh). Among the infected devices I met not only routers but also NAS, web servers, Raspberry Pi (TM), etc. And also one PowerXpert in the domain nasa.ad.etn.com (I did not touch anything, I swear!)
I am not an expert in reverse engineering malware, but in the sample pnscan2 daemon.i686.mod
there are such strings:
Code:
load:082BCF0C 000022ED C мэйликов</span>\n\t\t</span>\n\t</div>\n\t<span class=\"b-payments__plus10-buy ui-button-main\" data-action=\"buy\">Активировать услугу</span>\n</div>\n</script>\n\n<script type=\"text/plain\" data-mru-fragment=\"models/user/active\">\n\t{\n\t\t\"name\": \"\",\n\t\t\"id\": \"\",\n\t\t\"email\": \"\",\n\t\t\"dir\": \"\",\n\t\t\"isVip\": false,\n\t\t\"isAdmin\": false,\n\t\t\"isOwner\": false,\n\t\t\"isInSandbox\": false\n\t}\n</script>\n\n\n\n\n<script type=\"text/plain\" data-mru-fragment=\"models/user/journal\">\n\t{\n\t\t\"name\": \"\",\n\t\t\"id\": \"\",\n\t\t\"email\": \"reevessosa13@mail.ru\",\n\t\t\"dir\": \"/mail/reevessosa13/\",\n\t\t\n\t\t\"isVip\": false,\n\t\t\"isCommunity\": false,\n\t\t\"isVideoChannel\": false\n\t}\n</script>\n\n<script type=\"text/plain\" class=\"b-date-time-options\">\n\t{\n\t\t\"months\": [\n\t\t\t\"январь\",\n\t\t\t\"февраль\",\n\t\t\t\"март\",\n\t\t\t\"апрель\",\n\t\t\t\"май\",\n\t\t\t\"июнь\",\n\t\t\t\"июль\",\n\

load:082BF1F9 00001864 C plaintProgressText\": \"Жалоба отправляется\",\n\t\t\"useFiled\": \"\",\n        \"complaintDoneText\": \"Жалоба принята\",\n        \"imageHost\": \"content.foto.my.mail.ru\",\n\n        \"activeEmail\": \"\",\n        \"journalEmail\": \"reevessosa13@mail.ru\",\n        \"isCommunity\": \"\",\n\n        \"preloader\": \"https://my1.imgsmail.ru/mail/ru/images/my/mmanim_spinner_photo_32.gif\",\n        \"bannerCounter\": 10,\n        \n            \"hideBanner\": true,\n        \n\n        \"videoAlbum\" : \"\",\n        \"videoHost\" : \"content.video.mail.ru\",\n        \"host\" : \"my.mail.ru\",\n        \"apiHost\": \"videoapi.my.mail.ru/videos/embed\",\n        \"videoPreviewHost\" : \"https://content.video.mail.ru\",\n        \"videoSwfurl\" : \"https://my1.imgsmail.ru/r/video2/uvpv3.swf?57\",\n\n        \"idForLayer\" : \"\",\n        \"linkForLayer\": \"\",\n        \n\n        \"navigation\" : \"\",\n        \"serverErrorMessage\": \"<span class=\\\"b-photo__server-err   

load:082C0A5D 00000093 C GET /mail/reevessosa13/ HTTP/1.1\r\nHost: my.mail.ru\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0\r\nAccept: */*\r\n\r\n                                                                                                                                                                                              
load:082C7574 000007F7 C =\"b-photo__indicate\">Загружаю...</div></div><div class=\"b-photo__close\"><span id=\"b-photo-close\" data-clns=\"d713136\" type=\"destroy\" class=\"b-photo__close-ico icon-mmico_close_white_24\"></span></div></div></script><script type=\"text/plain\" id=\"photo-select-friends-form\"><div class=\"photo-select-friends-form\"><input type=\"text\" name=\"\" value=\"\"  placeholder=\"Введите имя друга\" class=\"ui-form-input  photo-select-friends-input\">Или выберите друга из списка<ul class=\"photo-select-friends-list\" data-total=\"\"></ul><div class=\"photo-select-friends-buttons\"><a href=\"\" class=\"ui-button-main photo-select-friends-submit\">Выбрать</a><a href=\"\" class=\"ui-button-link ml10 photo-select-friends-cancel\">Отмена</a></div><div class=\"photo-select-friends-error\"data-error=\"Не удалось создать отметку\"data-error-already=\"Уже есть на фото\"></div></div></script><script type=\"text/plain\" id= 

load:082CA2C4 000009DF C ?{?lass=\"dropdown-title lightdrop\">links from:&#32;</span><div class=\"dropdown lightdrop\" onclick=\"open_menu(this)\"><span class=\"selected\">all time</span></div><div class=\"drop-choices lightdrop\"><a href=\"https://www.reddit.com/search?q=reevessosa13&t=hour\" class=\"choice\" >past hour</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=day\" class=\"choice\" >past 24 hours</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=week\" class=\"choice\" >past week</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=month\" class=\"choice\" >past month</a><a href=\"https://www.reddit.com/search?q=reevessosa13&t=year\" class=\"choice\" >past year</a></div></div></div></header><div class=\"contents\"></div><footer><p class=\"info\">there doesn't seem to be anything here</p></footer></div></div></div><div class=\"footer-parent\"><div by-zero class=\"footer rounded\"><div class=\"col\"><ul class=\"flat-vert hover\" ><li class=\"flat-vert title\">about</li><li ><a
I can assume that the pnscan2 bot was planned to be used for more than just brute force and infecting routers. Certainly I could be mistaken.
 #26832  by unixfreaxjp
 Tue Sep 29, 2015 1:32 am
Some correspondence, replies and confirmations on this thread, summarized below:

1. About the:
unixfreaxjp wrote:I did not confirm it in depth; I must change that.
Firstly, I kept my word: the report at http://www.kernelmode.info/forum/viewto ... 975#p26827 was made originally from my own deep observation. I tried hard to get the sample ITW by myself, and was lucky that it was reported found on the router threat I monitor; frankly I never guessed it was PnScan, since Tsunami and Bashdoor/GayFgt are in there too.

2. Regarding:
tWiCe wrote:Furthermore, Linux.PNScan.2 has pure worm capabilities. After the initial infection it will spread without any action from the botnet makers.
After investigation as per the link above, the "worm" theory is 100% correct: this malware does not need to have a "driver"; it will hit and keep hitting the next nodes in the network segment extracted by the logic in the binary, and the herder just scans for success and picks up the report (if he wants) or hacks it, from the targeted network via the backdoor domains. Pure evil in concept.

3. Just an addition to be more clear on this too:
unixfreaxjp wrote:
tWiCe wrote:
unixfreaxjp wrote:because the ELF malware of this variant is involved in a global router-hacking case that is now helping to proxy-distribute a well-known "other" Windows malware via malicious DNAT proxy settings. This info is not found in Dr.Web's explanation.
I'm curious, how does it make a "malicious DNAT proxy setting"? Did you find an infected router with an active C&C?
Thanks for asking. Yes, we found this malware infecting some routers in this project (access was closed just now since the data was used by hackers to hack vulnerable routers; PM me for details).
All of the routers listed there are "compromised" with malicious DNAT.
What I meant by "This info is not found in Dr.Web's explanation." was that THIS = "the initial process detail of an infection that starts the SSH brute-forcing attack conducted by this malware is indeed very important information for mitigation"; the DNAT was not related to that context. However, this malware was used to infect routers whose iptables the crook then modifies to add a new chain that DNATs the routers into proxies for OTHER infecting Windows malware (so sorry, I am forbidden to say the malware name openly, but I guess you know what I mean by now).

4. Regarding the naming matter:
unixfreaxjp wrote:
tWiCe wrote:Linux.PNScan.1 is based on the original "pnscan" tool sources developed by researchers
I stick to Linux/Pscan as the scanner tool, since it was there all along with that name. But for this malware it is Linux/PNScan, obviously a different thing now, regardless of the possibility of the same origins.

Best regards
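A check for the iptables DNAT abuse described in point 3 above and in the earlier reply about routers "compromised" with malicious DNAT, as an added example that is not part of the thread, of MalwareMustDie's tooling or of any tool mentioned here. It reads an iptables-save dump and reports DNAT rules whose --to-destination is not a private (RFC1918) address, which is what a router turned into a forwarding proxy for an outside host looks like; a normal port-forward points at a LAN host. The rule dump is constructed for illustration: 203.0.113.5 is a documentation-range stand-in for an attacker-controlled host, and the rules are ordinary iptables syntax, not rules recovered from any router in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit an iptables-save dump for DNAT
# rules that send traffic off the router to an address outside the LAN.
# A legitimate port-forward targets an RFC1918 host; a DNAT to a public
# address turns the router into a proxy, the pattern described in the thread.
# The dump below is constructed for illustration; 203.0.113.5 is a
# documentation address standing in for an attacker-controlled host.

SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.5:80
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 203.0.113.5:443
-A POSTROUTING -j MASQUERADE
COMMIT'

# Return 0 when the address is RFC1918, loopback or link-local
# (the expected targets of a benign port-forward).
is_private_ip() {
    case "$1" in
        10.*|192.168.*|127.*|169.254.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every DNAT rule whose target is not a private address, one per line.
# Reads the dump on stdin so it works as:  iptables-save | suspicious_dnat
suspicious_dnat() {
    grep -- '-j DNAT' | while IFS= read -r rule; do
        target=$(printf '%s\n' "$rule" | sed -n 's/.*--to-destination \([0-9.]*\).*/\1/p')
        [ -n "$target" ] || continue
        if ! is_private_ip "$target"; then
            printf '%s\n' "$rule"
        fi
    done
}

# Number of suspicious rules in a dump passed as $1 (for a quick yes/no check).
count_suspicious() {
    printf '%s\n' "$1" | suspicious_dnat | wc -l | tr -d ' '
}

# Run against the constructed dump; on a live router use the real table:
#   iptables-save | suspicious_dnat
printf '%s\n' "$SAMPLE_RULES" | suspicious_dnat
```

This only inspects the nat table's DNAT targets; a router that was compromised over SSH with root credentials can also have been given a custom chain or a changed default policy, so compare the whole dump against a known-good backup rather than relying on this one heuristic, which is why the post recommends a factory reset over in-place cleaning.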