The hypothesis is that the detection rule identifies potential Mirai botnet TR-069 worm samples built as ARM LSB (32-bit little-endian ARM ELF) binaries, whose presence may indicate compromised IoT devices communicating with command-and-control servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they spread within the network.
YARA Rule
// The hash module must be imported, otherwise hash.sha1() in the condition fails to compile.
import "hash"

rule Mirai_ARM_LSB : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - ARM LSB"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        MD5 = "eba670256b816e2d11f107f629d08494"
        SHA1 = "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
    strings:
        $miname = "Myname--is:"
        // The worm closes the TR-069 (7547) and TR-064 (5555) ports after infection
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"
    condition:
        $miname and $iptables1 and $iptables2 and $procnet and
        hash.sha1(0, filesize) == "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
}
This rule contains 4 string patterns in its detection logic.
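As an added illustration (not part of the original rule or its author's material), the following Python re-implements the rule's condition outside YARA so the effect of the hash term can be seen: a constructed sample that carries all four strings matches on the strings alone, but because the condition also requires the pinned SHA1, only the one original sample satisfies the rule as written. The sample bytes below are constructed, not real malware.

```python
import hashlib

# Strings and pinned SHA1 copied from the Mirai_ARM_LSB rule above.
RULE_STRINGS = {
    "$miname": b"Myname--is:",
    "$iptables1": b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP",
    "$iptables2": b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP",
    "$procnet": b"/proc/net/tcp",
}
PINNED_SHA1 = "8a25dee4ea7d61692b2b95bd047269543aaf0c81"


def evaluate_rule(data: bytes, require_hash: bool = True) -> dict:
    """Mirror the rule's condition: every string must be present and, as the
    rule is written, the SHA1 of the whole file must equal the pinned hash.
    require_hash=False evaluates the strings-only variant of the condition."""
    hits = {name: (pattern in data) for name, pattern in RULE_STRINGS.items()}
    sha1 = hashlib.sha1(data).hexdigest()
    strings_ok = all(hits.values())
    matched = strings_ok and (sha1 == PINNED_SHA1 if require_hash else True)
    return {"strings": hits, "sha1": sha1, "matched": matched}


# Constructed stand-in for a rebuilt variant: it carries all four strings but
# is not the exact sample the hash was taken from, so the rule as written
# does not fire on it.
VARIANT_SAMPLE = (
    b"\x7fELF\x01\x01\x01" + b"\x00".join(RULE_STRINGS.values()) + b"\x00constructed"
)
# Constructed benign file: reads /proc/net/tcp but has none of the other markers.
BENIGN_SAMPLE = b"\x7fELF\x01\x01\x01/proc/net/tcp reader, no iptables rules here"

if __name__ == "__main__":
    for label, blob in (("variant", VARIANT_SAMPLE), ("benign", BENIGN_SAMPLE)):
        strict = evaluate_rule(blob)
        loose = evaluate_rule(blob, require_hash=False)
        print(f"{label}: strings-only={loose['matched']} with-hash={strict['matched']}")
```

Because the hash term is ANDed in, the strings are effectively redundant and any recompiled sample is missed; a strings-only condition is the broader hunt, with the hash kept in meta for triage.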
Potential False Positives
Scenario: System Update via Ansible
Description: A legitimate system update process using Ansible may trigger the rule due to ARM LSB-related system calls during package installation.
Filter/Exclusion: ansible in the process name or ansible-playbook in the command line.
Scenario: Scheduled Job Using Cron with ARM LSB Tools
Description: A scheduled job using cron to run ARM LSB-based diagnostic tools (e.g., arm-linux-gnueabihf-ld) may be flagged as suspicious.
Filter/Exclusion: cron in the process name or @scheduled in the crontab entry.
Scenario: Containerized Application Using ARM LSB Libraries
Description: A Docker container running an application that requires ARM LSB libraries (e.g., a custom IoT device manager) may trigger the rule.
Filter/Exclusion: docker in the process name or container in the process environment.
Scenario: Network Configuration Tool with ARM LSB Components
Description: A network configuration tool (e.g., iproute2 or nmcli) that uses ARM LSB binaries during setup may be flagged.
Filter/Exclusion: iproute2 or nmcli in the process name or network in the command line.
Scenario: Admin Task Using ARM LSB for Firmware Analysis
Description: An administrator using ARM LSB tools (e.g., objdump, nm, or readelf) for firmware analysis may trigger the rule.
Filter/Exclusion: objdump or nm in the process name or firmware in the command line.