Devices exhibiting unusual TR-069 protocol activity, such as frequent connection attempts to known vulnerable IoT devices, may indicate the presence of a Mirai botnet propagating through TR-069 worm techniques. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential botnet infections before they lead to large-scale DDoS attacks or network compromise.
YARA Rule
rule Mirai_Generic_Arch : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - Generic Architecture"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
    strings:
        $miname = "Myname--is:"
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"
    condition:
        $miname and $iptables1 and $iptables2 and $procnet
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
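As an added example (not part of the rule author's or the page's material), the Python below parses the strings: section of the rule above, evaluates its conjunctive condition over two byte buffers and reports the offset of every hit. Both buffers are constructed samples, not real files: a fake binary carrying all four artefacts and a benign router hardening script that contains only the port-7547 iptables line, which shows why all four strings must be present for the rule to fire.

```python
import re

# The rule from the page (meta omitted), embedded so the example runs offline.
MIRAI_RULE = r'''
rule Mirai_Generic_Arch : MALW
{
    strings:
        $miname = "Myname--is:"
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"
    condition:
        $miname and $iptables1 and $iptables2 and $procnet
}
'''

# One text-string definition:  $name = "value"  (backslash escapes allowed).
STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)

def parse_strings(rule_text):
    """Return {identifier: bytes} for the text strings in the strings: section."""
    section = rule_text.split("strings:", 1)[1].split("condition:", 1)[0]
    return {name: raw.encode("latin-1").decode("unicode_escape").encode("latin-1")
            for name, raw in STRING_DEF.findall(section)}

def parse_condition(rule_text):
    """Return the identifiers of a pure conjunction ($a and $b ...); reject anything else."""
    tokens = rule_text.split("condition:", 1)[1].split("}", 1)[0].split()
    if any(t != "and" for t in tokens if not t.startswith("$")):
        raise ValueError("only conjunctions of string identifiers are supported here")
    return [t for t in tokens if t.startswith("$")]

def scan(rule_text, data):
    """Evaluate the rule over a byte buffer: (matched, {identifier: [offsets]})."""
    hits = {name: [m.start() for m in re.finditer(re.escape(pat), data)]
            for name, pat in parse_strings(rule_text).items()}
    return all(hits[name] for name in parse_condition(rule_text)), hits

# Constructed samples (not real malware): a fake binary carrying all four artefacts,
# and a benign router hardening script that shares only the port-7547 iptables line.
INFECTED_SAMPLE = (b"\x7fELF\x00\x00Myname--is:\x00\x00\x00\x00"
    b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\x00"
    b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP\x00"
    b"/proc/net/tcp\x00")
HARDENING_SCRIPT = (b"#!/bin/sh\n# block CWMP on the WAN side\n"
    b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\n")

if __name__ == "__main__":
    for label, blob in (("infected", INFECTED_SAMPLE), ("hardening", HARDENING_SCRIPT)):
        print(label, scan(MIRAI_RULE, blob)[0])
```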
Scenario: System update via Puppet or Ansible
Description: A legitimate system update process using Puppet or Ansible may trigger the rule due to TR-069 protocol traffic during configuration synchronization.
Filter/Exclusion: Use process.name != "puppet" and process.name != "ansible" or check for known update job names in the process.name field.
Scenario: Scheduled TR-069 device discovery by network management tool
Description: Network management tools like SolarWinds or PRTG may perform scheduled TR-069 discovery to inventory devices on the network.
Filter/Exclusion: Filter by process.name != "SolarWinds" and process.name != "PRTG" and check for known discovery job names in the event data.
Scenario: Admin task using Telnet for remote configuration
Description: An administrator may use Telnet to configure TR-069-enabled devices during routine maintenance or troubleshooting.
Filter/Exclusion: Exclude events where process.name == "telnet" and the user is a known admin account (e.g., user.name == "admin" or user.name == "root").
Scenario: Automated backup job using rsync or scp
Description: A backup job using rsync or scp may inadvertently trigger the rule if it interacts with TR-069-enabled devices during data transfer.
Filter/Exclusion: Filter by process.name != "rsync" and process.name != "scp" or check for known backup job names in the event data.
Scenario: IoT device firmware update via TR-069 protocol
Description: A legitimate firmware update to an IoT device using TR-069 protocol may be flagged as suspicious activity.
Filter/Exclusion: Use process.name == "firmware_update