Updated Mirai rules

2024-11-06 18:15:20 +00:00 · 2018-10-27 21:58:34 +02:00 · 2018-10-27 21:58:34 +02:00 · a364ab0cc7
commit a364ab0cc7
parent d31dd04b58
1 changed files with 36 additions and 0 deletions
--- a/yara/crime_mirai.yar
+++ b/yara/crime_mirai.yar
@ -94,3 +94,39 @@ rule Miari_2_May17 {
   condition:
      ( uint16(0) == 0x457f and filesize < 5000KB and 2 of them )
 }
+
+rule MAL_ELF_LNX_Mirai_Oct10_1 {
+   meta:
+      description = "Detects ELF Mirai variant"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27"
+      hash1 = "3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe"
+   strings:
+      $x1 = " -r /vi/mips.bushido; "
+      $x2 = "/bin/busybox chmod 777 * /tmp/" fullword ascii
+
+      $s1 = "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" fullword ascii
+      $s2 = "loadURL>$(echo HUAWEIUPNP)</NewDownloadURL></u:Upgrade></s:Body></s:Envelope>" fullword ascii
+      $s3 = "POST /cdn-cgi/" fullword ascii
+   condition:
+      uint16(0) == 0x457f and filesize < 200KB and (
+         ( 1 of ($x*) and 1 of ($s*) ) or
+         all of ($x*)
+      )
+}
+
+rule MAL_ELF_LNX_Mirai_Oct10_2 {
+   meta:
+      description = "Detects ELF malware Mirai related"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27"
+      hash1 = "fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9"
+   strings:
+      $c01 = { 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00
+               20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D
+               41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A }
+   condition:
+      uint16(0) == 0x457f and filesize < 200KB and all of them
+}