The hypothesis is that the detection rule identifies the Mirai Botnet TR-069 worm build for MIPS little-endian (LSB) devices by matching four strings embedded in the worm binary: its "Myname--is:" marker, the two busybox iptables command strings it carries (which drop inbound TCP on port 7547, the TR-069/CWMP port abused in the November 2016 campaign described in ref1 through ref3, and on port 5555), and the /proc/net/tcp path it reads, combined with the SHA1 of the reference sample. This is a file- and memory-content signature, not a network-traffic or C2 signature: it fires when a YARA-capable scanner (an endpoint agent, a file gateway, a sandbox, or the yara command run over a firmware dump) sees the binary, not when TR-069 traffic crosses the network. SOC teams can forward those YARA and hash hits into Azure Sentinel (now Microsoft Sentinel) and hunt on the sample's MD5 and SHA1 to identify infected CPE early, before the worm spreads further.
YARA Rule
import "hash"

rule Mirai_MIPS_LSB : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - MIPS LSB"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        MD5 = "bf650d39eb603d92973052ca80a4fdda"
        SHA1 = "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
    strings:
        $miname = "Myname--is:"
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"
    condition:
        // all four strings must be present, and the whole file must hash to the reference sample
        $miname and $iptables1 and $iptables2 and $procnet and
        hash.sha1(0, filesize) == "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
}
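To make the condition concrete, the following added example (not part of the original page and not the rule author's code) re-implements the rule's logic in plain Python, without the YARA engine, and runs three variants over constructed byte strings: the rule exactly as written (four strings plus whole-file SHA1), a strings-only variant with the hash clause dropped, and a variant that instead checks the ELF header for a MIPS little-endian binary (the YARA equivalent would be adding uint32(0) == 0x464c457f and uint8(5) == 1 and uint16(18) == 8 to the condition). The sample names, helper names and sample contents are constructed for illustration and are not real malware. The hash-gated version matches none of the samples, which is the point: it can only ever match the one reference sample. The plain-text "incident note" sample shows the file-level false positive that actually matters for this rule, a copy of the worm's commands inside a non-binary, which the ELF check removes.

```python
"""Plain-Python re-implementation of the Mirai_MIPS_LSB rule's condition.

Added example: it does not use the YARA engine and is not the rule author's code.
It exists to show what each clause of the condition contributes.
"""
import hashlib
import struct

# The four strings from the YARA rule, byte for byte.
MINAME = b"Myname--is:"
IPTABLES1 = b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
IPTABLES2 = b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
PROCNET = b"/proc/net/tcp"
RULE_SHA1 = "03ecd3b49aa19589599c64e4e7a51206a592b4ef"  # from the rule's condition

ELF_MAGIC = b"\x7fELF"
ELFDATA2LSB = 1  # e_ident[EI_DATA] == 1 means little-endian
EM_MIPS = 8      # e_machine value for MIPS
EM_386 = 3       # e_machine value for x86, used only for a contrasting sample


def has_all_strings(data: bytes) -> bool:
    """The rule's string clauses: all four must occur somewhere in the file."""
    return all(s in data for s in (MINAME, IPTABLES1, IPTABLES2, PROCNET))


def is_elf_mips_lsb(data: bytes) -> bool:
    """Header check the rule's name implies but its condition never performs."""
    if len(data) < 20 or data[:4] != ELF_MAGIC or data[5] != ELFDATA2LSB:
        return False
    (e_machine,) = struct.unpack_from("<H", data, 18)  # e_machine lives at offset 18
    return e_machine == EM_MIPS


def matches_as_written(data: bytes) -> bool:
    """Strings AND whole-file SHA1, exactly as the page's rule is written."""
    return has_all_strings(data) and hashlib.sha1(data).hexdigest() == RULE_SHA1


def matches_strings_only(data: bytes) -> bool:
    """Same rule with the hash clause removed."""
    return has_all_strings(data)


def matches_hardened(data: bytes) -> bool:
    """Strings plus ELF MIPS little-endian header check (no hash clause)."""
    return has_all_strings(data) and is_elf_mips_lsb(data)


def make_elf32_header(ei_data: int, e_machine: int) -> bytes:
    """Minimal 52-byte ELF32 header; only magic, EI_DATA and e_machine matter here."""
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    e_ident = ELF_MAGIC + bytes([1, ei_data, 1, 0, 0]) + b"\x00" * 7  # 16 bytes
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, e_machine, 1, 0, 0, 0, 0, 52, 32, 0, 40, 0, 0)
    return e_ident + rest


WORM_STRINGS = MINAME + b"\x00" + IPTABLES1 + b"\x00" + IPTABLES2 + b"\x00" + PROCNET + b"\x00"

# Constructed samples (not real malware): byte strings built to exercise each clause.
SAMPLES = {
    # Stand-in for the worm: MIPS LSB ELF carrying all four strings.
    "worm_like_mips_lsb": make_elf32_header(ELFDATA2LSB, EM_MIPS) + b"\x00" * 64 + WORM_STRINGS,
    # Benign busybox-like MIPS binary: reads /proc/net/tcp but has no worm strings.
    "benign_busybox_mips_lsb": make_elf32_header(ELFDATA2LSB, EM_MIPS) + b"\x00" * 64
    + PROCNET + b"\x00netstat\x00",
    # Same strings in an x86 ELF: the rule name says MIPS, the condition does not check.
    "worm_strings_x86_lsb": make_elf32_header(ELFDATA2LSB, EM_386) + b"\x00" * 64 + WORM_STRINGS,
    # Plain-text incident note quoting the worm's commands verbatim.
    "ir_notes_txt": (b"IOC notes: sample prints 'Myname--is:' then runs\n" + IPTABLES1 + b"\n"
                     + IPTABLES2 + b"\nand parses /proc/net/tcp for connections\n"),
}


def scan_all(samples=SAMPLES) -> dict:
    """Run the three condition variants over every sample; returns {name: {variant: bool}}."""
    return {
        name: {
            "as_written": matches_as_written(data),
            "strings_only": matches_strings_only(data),
            "hardened": matches_hardened(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in scan_all().items():
        print(f"{name:26s} " + "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Reading the output side by side shows the trade-off: the hash clause gives zero false positives and zero coverage beyond the one sample, the strings alone catch the x86 build and the text file, and the ELF check keeps the recompiled-variant coverage while dropping the text-file hit.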
This rule contains 4 string patterns and one whole-file SHA1 comparison in its detection logic. Because the condition requires the SHA1 to equal the reference sample's, the rule matches only that single file and the four strings add no coverage beyond the hash; dropping the hash clause (keeping the hashes in meta as indicators) lets the strings catch recompiled or repacked variants. Note also that the "MIPS LSB" in the rule name is not enforced by the condition: nothing checks the ELF header, so the strings alone would equally match the same worm built for another architecture, or any file that quotes its commands.
The scenarios below describe legitimate TR-069 (CWMP) management activity that an analyst may see around the same devices. Because this is a file-content rule, none of them produces a file containing the worm's strings, so none of them should trigger it; the filters are fields of network or management telemetry, not YARA syntax. Use them only to triage TR-069 traffic alerts that are being correlated with a YARA hit, and never suppress a string or hash match on a binary because of them.
Scenario: Scheduled TR-069 Device Discovery Job
Description: A legitimate network-management task that uses the TR-069 protocol to discover and configure devices on the network.
Filter/Exclusion: device_type: "TR-069" or device_vendor: "Cisco" or device_vendor: "Ubiquiti"
Caveat: vendor alone is not evidence of legitimacy; pair this with the source address of the ACS that is expected to talk to port 7547.
Scenario: Firmware Update via TR-069
Description: A legitimate firmware update process initiated by a network management system using the TR-069 protocol.
Filter/Exclusion: action: "firmware_update" or firmware_version: "known_good_version"
Caveat: "known_good_version" is a placeholder; replace it with the concrete version strings your ACS pushes, since an exclusion on the bare action name would also hide a malicious update.
Scenario: Admin Access via TR-069 for Configuration
Description: A system administrator using TR-069 to remotely configure a router or modem.
Filter/Exclusion: user_agent: "admin_tool" or user: "root" or user: "admin"
Caveat: do not apply the root/admin part. The iptables commands in the rule's strings require root on the device, so an infected CPE's activity appears under root as well; excluding that account excludes the infection. Restrict on the admin tool's source address and user agent instead.
Scenario: Network Inventory Scan Using TR-069
Description: A network inventory tool that uses TR-069 to gather information about connected devices.
Filter/Exclusion: tool_name: "SolarWinds" or tool_name: "PRTG" or tool_name: "Nagios"
Scenario: IoT Device Registration via TR-069
Description: A new IoT device registering itself with the network management system using TR-069.
Filter/Exclusion: event_type: "device_registration" or device_model: "known_IoT_device"
Caveat: "known_IoT_device" is a placeholder for the model list in your asset inventory; the bare event type is not specific enough to exclude on its own.