The hypothesis is that this rule identifies the SPARC big-endian build of the Mirai variant that spread in late November 2016 by abusing the TR-069 CWMP service on TCP port 7547, the incident covered by the three references in the rule. "MSB" in the rule name is the ELF byte order (most significant byte first), not a management-server term. The rule is a static file signature: it matches the worm binary by four embedded strings and then pins the result to a single SHA-1, so it belongs in file scanning of binaries recovered from infected CPE, honeypots or sandboxes, not in a SIEM query. SOC teams hunting in Azure Sentinel would instead look for the behaviour the strings imply, such as a device that suddenly drops inbound TCP 7547 and 5555 or starts connecting outbound to other hosts on 7547, to catch infections early and limit network compromise.
YARA Rule
import "hash"

rule Mirai_SPARC_MSB : MALW
{
    meta:
        description = "Mirai Botnet TR-069 Worm - SPARC MSB"
        author = "Felipe Molina / @felmoltor"
        date = "2016-12-04"
        version = "1.0"
        MD5 = "05891dbabc42a36f33c30535f0931555"
        SHA1 = "3d770480b6410cba39e19b3a2ff3bec774cabe47"
        ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
        ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
        ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
    strings:
        $miname = "Myname--is:"
        $iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
        $iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
        $procnet = "/proc/net/tcp"
    condition:
        // All four strings must be present ...
        ( $miname and $iptables1 and $iptables2 and $procnet ) and
        // ... and the whole file must hash to the pinned sample (needs the hash module imported above).
        hash.sha1(0, filesize) == "3d770480b6410cba39e19b3a2ff3bec774cabe47"
}
This YARA rule is a static file signature with 4 string patterns and one hash comparison in its condition. It can be deployed wherever file content is available for scanning: binaries pulled from compromised CPE or extracted firmware, honeypot download directories, sandbox output and malware repositories. Note that the condition requires an exact SHA-1 in addition to the strings, so as written it matches only this one sample; the string block is the part that would generalize to other builds carrying the same strings, and the hash line is what restricts it.
Scenario: Legitimate TR-069 management and monitoring traffic: an administrator configuring devices from OpenWRT or DD-WRT, scheduled Ansible or Puppet jobs, SNMP polling by SolarWinds or Zabbix, log forwarding to ELK or Splunk, or configuration backups over TFTP/SCP by Cisco Prime or Infoblox.
Filter/Exclusion: None needed. YARA evaluates file contents, not network traffic, so none of this activity can trigger the rule, and attributes such as source IP, SNMP community string, job timestamp or destination port are not visible to it and cannot be used as exclusions. Those filters belong in network or SIEM detections for the same worm, not in this rule.
Scenario: A file that legitimately contains the same strings, for example a defender's hardening script or a signature file that embeds the two busybox iptables commands dropping TCP 7547 and 5555 alongside a reference to /proc/net/tcp.
Filter/Exclusion: With the hash pin in place the rule cannot match such a file. If the hash line is removed to catch variants, gate on file type instead, so that the strings are only counted in an ELF binary whose header marks it as a big-endian SPARC executable, and keep the exact-hash version as a separate, high-confidence rule.
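To make the condition semantics concrete, here is an added Python re-implementation of the rule's logic (my example, not the original rule, the author's code, or yara-python) run over two constructed, inert inputs: a hand-built SPARC big-endian ELF header followed by the four strings, and a plain shell script that happens to contain the same strings. The SHA-1 pin and the strings are taken from the rule; the ELF header gating (magic bytes, EI_DATA == 2 for big-endian, e_machine == 2 for SPARC) is an addition for comparison and is not part of the original rule. The fake ELF sample does not hash to the pinned value, which is the point: the rule as written rejects anything but the one known file, while the header-gated variant accepts the look-alike binary and still rejects the script.

```python
import hashlib
import struct

# The four strings from the rule, verbatim.
STRINGS = {
    "miname": b"Myname--is:",
    "iptables1": b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP",
    "iptables2": b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP",
    "procnet": b"/proc/net/tcp",
}
# SHA-1 pinned in the rule's condition.
PINNED_SHA1 = "3d770480b6410cba39e19b3a2ff3bec774cabe47"

# ELF header constants for the added file-type gate (not in the original rule).
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1
ELFDATA2MSB = 2   # big-endian: the "MSB" in the rule name
EM_SPARC = 2


def is_sparc_msb_elf(data: bytes) -> bool:
    """True if data begins with a 32-bit, big-endian, SPARC ELF header."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return False
    if data[4] != ELFCLASS32 or data[5] != ELFDATA2MSB:
        return False
    (e_machine,) = struct.unpack_from(">H", data, 18)  # big-endian e_machine
    return e_machine == EM_SPARC


def strings_match(data: bytes) -> bool:
    """The rule's string block: all four strings present anywhere in the file."""
    return all(s in data for s in STRINGS.values())


def hash_matches(data: bytes) -> bool:
    """The rule's hash.sha1(0, filesize) comparison over the whole file."""
    return hashlib.sha1(data).hexdigest() == PINNED_SHA1


def rule_as_written(data: bytes) -> bool:
    """Condition exactly as on the page: all strings AND the pinned SHA-1."""
    return strings_match(data) and hash_matches(data)


def rule_variant_tolerant(data: bytes) -> bool:
    """Loosened condition: drop the hash pin, gate on the ELF header instead."""
    return is_sparc_msb_elf(data) and strings_match(data)


def build_fake_sample() -> bytes:
    """Constructed, inert stand-in: minimal ELF32 SPARC MSB header + the strings.
    This is not the real worm binary and does not hash to PINNED_SHA1."""
    header = bytearray(52)                 # sizeof(Elf32_Ehdr)
    header[0:4] = ELF_MAGIC
    header[4] = ELFCLASS32
    header[5] = ELFDATA2MSB
    header[6] = 1                          # EV_CURRENT
    struct.pack_into(">HH", header, 16, 2, EM_SPARC)   # e_type=ET_EXEC, e_machine=SPARC
    return bytes(header) + b"\x00".join(STRINGS.values()) + b"\x00"


# Constructed text file carrying the same strings: a defender's hardening script.
# Only the string block matches it; the ELF gate and the hash both reject it.
HARDENING_SCRIPT = (
    b"#!/bin/sh\n"
    b"# Myname--is: cpe-lockdown; verified against /proc/net/tcp\n"
    b"busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP\n"
    b"busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP\n"
)

if __name__ == "__main__":
    for name, data in (("fake ELF sample", build_fake_sample()),
                       ("hardening script", HARDENING_SCRIPT)):
        print(f"{name}: strings={strings_match(data)} hash={hash_matches(data)} "
              f"as_written={rule_as_written(data)} "
              f"variant_tolerant={rule_variant_tolerant(data)}")
```

Run stand-alone it prints one line per input. The design point is the trade-off between the two conditions: the pinned hash gives zero false positives but also zero coverage of any other build, while the header-gated string match covers look-alike SPARC binaries at the cost of trusting the strings, which is why keeping both as separate rules is the usual choice.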