The hypothesis is that the detection rule identifies the MIPS MSB (big-endian) build of the Mirai TR-069 worm by strings embedded in the binary, which could indicate compromised IoT devices communicating with a command-and-control server. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage botnet infections before they spread across the network.
YARA Rule
import "hash"

rule Mirai_MIPS_MSB : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - MIPS MSB"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        MD5 = "0eb51d584712485300ad8e8126773941"
        SHA1 = "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
    strings:
        // Self-identification string carried by the sample
        $miname = "Myname--is:"
        // iptables commands embedded in the binary that drop inbound TCP to ports 7547 and 5555
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        // Path the sample reads to enumerate TCP connections
        $procnet = "/proc/net/tcp"
    condition:
        // All four strings must be present AND the whole file must hash to the
        // reference sample's SHA-1 (requires the "hash" module imported above).
        // The hash clause restricts the rule to that single sample.
        $miname and $iptables1 and $iptables2 and $procnet and
        hash.sha1(0, filesize) == "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
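As an added illustration (not part of the original rule or its author's code), the following Python reimplements the rule's condition over constructed byte blobs to show what the pinned hash clause does: the four string indicators alone match a constructed variant, while the full condition can only ever match the one file whose SHA-1 is hard-coded, so a recompiled or repacked sample slips past it.

```python
import hashlib

# The four string indicators from the Mirai_MIPS_MSB rule on this page.
INDICATORS = [
    b"Myname--is:",
    b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP",
    b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP",
    b"/proc/net/tcp",
]
# SHA-1 pinned in the rule's condition (taken from the page).
PINNED_SHA1 = "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"


def matched_indicators(data: bytes) -> list:
    """Return the rule's string indicators that occur in data."""
    return [s for s in INDICATORS if s in data]


def matches_strings_only(data: bytes) -> bool:
    """The rule's four string conditions, without the hash clause."""
    return len(matched_indicators(data)) == len(INDICATORS)


def matches_full_rule(data: bytes) -> bool:
    """The rule as written: all strings AND hash.sha1(0, filesize) == pinned SHA-1."""
    return matches_strings_only(data) and hashlib.sha1(data).hexdigest() == PINNED_SHA1


# Constructed sample (not a real binary): an ELF-like header followed by all four indicators.
CONSTRUCTED_VARIANT = (
    b"\x7fELF\x01\x02\x01" + b"\x00" * 9
    + b"Myname--is:\x00"
    + b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\x00"
    + b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP\x00"
    + b"/proc/net/tcp\x00"
)
# Constructed benign blob: a netstat-style tool that only references /proc/net/tcp.
CONSTRUCTED_BENIGN = b"\x7fELF" + b"/proc/net/tcp\x00" + b"netstat\x00"

if __name__ == "__main__":
    for name, blob in [("variant", CONSTRUCTED_VARIANT), ("benign", CONSTRUCTED_BENIGN)]:
        print(name, matched_indicators(blob),
              "strings-only:", matches_strings_only(blob),
              "full-rule:", matches_full_rule(blob))
```

The variant reports strings-only True but full-rule False, which is the hunting gap the pinned hash introduces; the benign blob hits only the generic /proc/net/tcp indicator.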
Scenario: Legitimate TR-069 Device Management Traffic
Description: A network administrator is using a tool like OpenWrt or DD-WRT to remotely configure a router via TR-069 protocol as part of routine maintenance.
Filter/Exclusion: Exclude traffic from known admin IPs (e.g., src_ip = 192.168.1.100) or filter by user-agent containing “admin” or “management”.
Scenario: Scheduled Job for Firmware Update
Description: A scheduled job using Ansible or SaltStack is pushing firmware updates to multiple TR-069-enabled devices across the network.
Filter/Exclusion: Exclude traffic with destination port 7547 (TR-069 default) and source IP from the internal management server (e.g., src_ip = 10.0.0.50).
Scenario: Network Monitoring Tool Polling
Description: A network monitoring tool like PRTG or SolarWinds is polling TR-069 devices for performance metrics.
Filter/Exclusion: Exclude traffic from the monitoring server IP (e.g., src_ip = 10.10.10.10) or filter by destination port 7547 and source port 50000+.
Scenario: Device Discovery via TR-069
Description: A network discovery tool like Nmap or Masscan is scanning for TR-069-enabled devices using a known discovery method.
Filter/Exclusion: Exclude traffic from the discovery tool’s IP (e.g., `src_ip = 192.168.1.2