This YARA rule matches samples of the Mirai TR-069 worm, the late-November 2016 variant that spread by exploiting the TR-069 remote-management port (TCP 7547) of DSL routers (see the references in the rule's meta section), in the build the rule's author labels "PowerPC or Cisco 4500". A hit means a captured or on-device binary from a compromised device that is scanning for further victims, so SOC teams should hunt for this artifact proactively and isolate infected devices before they contribute to larger botnet operations. Note that this is a file-content rule, not a network signature: it applies wherever binaries, firmware dumps or memory captures can be scanned with YARA, not to traffic.
YARA Rule
import "hash"

rule Mirai_PPC_Cisco : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - PowerPC or Cisco 4500"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5 = "dbd92b08cbff8455ff76c453ff704dc6"
SHA1 = "6933d555a008a07b859a55cddb704441915adf68"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
// Identifier string the worm embeds; the most distinctive of the four
$miname = "Myname--is:"
// Firewall commands the sample carries: dropping TCP 7547 (TR-069) and 5555 on the
// infected device closes the same exploit path to rival bots
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
// Path of the Linux TCP socket table; present in the sample, also common in benign code
$procnet = "/proc/net/tcp"
condition:
// All four strings must be present AND the whole file must hash to the known sample;
// the hash clause pins the rule to this one binary. hash.sha1 needs the import above.
( $miname and $iptables1 and $iptables2 and $procnet ) and
hash.sha1(0, filesize) == "6933d555a008a07b859a55cddb704441915adf68"
}
This YARA rule can be deployed wherever YARA runs against file content: endpoint and file-share scanners, sandbox post-processing, firmware and memory-image sweeps.
The rule contains four string patterns in its detection logic plus one hash condition. The strings cover the worm's identifier string, its two busybox iptables commands and the /proc/net/tcp path, but the condition also requires hash.sha1(0, filesize) to equal the SHA1 of the original sample, so in practice the rule fires only on that exact file and a recompiled or re-packed variant carrying the same strings is missed. The hash module must be imported (import "hash") for hash.sha1 to compile. To hunt for variants, run a copy of the rule with the hash clause removed and triage on $miname, which is the distinctive pattern; the iptables commands and /proc/net/tcp can occur in legitimate embedded-Linux scripts.
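As an added example, not part of the original page or the rule author's tooling, the following Python re-implements the rule's condition with plain byte searches and hashlib instead of a YARA engine, then runs it over two constructed buffers: a stand-in for a recompiled variant that keeps all four strings (and therefore has a different SHA1), and a benign BusyBox firewall script that contains two of them. The sample bytes, file names and function names are assumptions made for illustration.

```python
import hashlib

# The four string patterns and the pinned SHA1, copied from the rule above.
RULE_STRINGS = {
    "$miname": b"Myname--is:",
    "$iptables1": b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP",
    "$iptables2": b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP",
    "$procnet": b"/proc/net/tcp",
}
PINNED_SHA1 = "6933d555a008a07b859a55cddb704441915adf68"


def evaluate_rule(data: bytes, pinned_sha1: str = PINNED_SHA1) -> dict:
    """Evaluate the rule's condition over a byte buffer (plain Python, not YARA).

    strict_match reproduces the page's condition: all four strings present AND
    sha1(whole file) equal to the pinned hash. loose_match is the same condition
    with the hash clause deleted, which is what a variant hunt would run.
    """
    hits = {name: pattern in data for name, pattern in RULE_STRINGS.items()}
    all_strings = all(hits.values())
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "hits": hits,
        "sha1": sha1,
        "loose_match": all_strings,
        "strict_match": all_strings and sha1 == pinned_sha1,
    }


def scan(samples: dict) -> dict:
    """Run evaluate_rule over {filename: bytes} and return {filename: result}."""
    return {name: evaluate_rule(data) for name, data in samples.items()}


# Constructed inputs (not real malware, hypothetical file names). The "variant"
# keeps the worm's strings but is not the original sample, so its SHA1 cannot
# equal the pinned hash; the script is the kind of benign file a loose rule hits.
CONSTRUCTED_SAMPLES = {
    "variant_ppc.elf": (
        b"\x7fELF\x01\x02\x01" + b"\x00" * 9  # fake big-endian ELF header
        + b"Myname--is:\x00"
        + b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\x00"
        + b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP\x00"
        + b"/proc/net/tcp\x00"
    ),
    "benign_firewall.sh": (
        b"#!/bin/sh\n"
        b"# router startup script: block the CWMP port from the WAN side\n"
        b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\n"
        b"cat /proc/net/tcp > /tmp/sockets.txt\n"
    ),
}


def summarize(results: dict) -> list:
    """One line per file: which strings hit and whether each form of the rule fires."""
    lines = []
    for name, r in results.items():
        hit_names = ",".join(k for k, v in r["hits"].items() if v) or "-"
        lines.append(
            f"{name}: strings={hit_names} loose={r['loose_match']} strict={r['strict_match']}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(scan(CONSTRUCTED_SAMPLES)):
        print(line)
```

The variant trips the loose condition and not the strict one, which is the coverage the hash clause costs; the benign script trips neither, but only because $miname is absent, which is why that string should stay mandatory if you loosen the YARA rule by deleting the hash.sha1 line (and the import "hash" that only it needs).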
Scenario: An administrator manages a Cisco 4500 switch or a PowerPC-based server with Cisco Configuration Professional, SolarWinds Network Configuration Manager or PuTTY over SSH, or a Cisco ASA sends syslog to an internal collector on the management network.
Filter/Exclusion: No exclusion is needed. The rule inspects file and memory content, not sessions or traffic, and none of these activities writes a file containing all four strings; with the SHA1 clause in place only the original sample can match at all. Source-IP, user-agent or SSH-session filters do not apply to a YARA rule.
Scenario: The hash clause has been removed to catch variants, and the scan covers embedded-Linux firmware images, BusyBox init scripts or device configuration backups pulled from the management network.
Filter/Exclusion: Such files can legitimately contain busybox iptables rules and the /proc/net/tcp path, but not the "Myname--is:" string. Treat any file that matches $miname as suspect regardless of its origin, and triage the rest by file type (the known sample is a PowerPC build, not a shell script) and by comparing the file's MD5 or SHA1 against the hashes in the rule's meta section.