From a364ab0cc7346b57431b1da17626b805b1e4c49a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 27 Oct 2018 21:58:34 +0200
Subject: [PATCH] Updated Mirai rules

---
 yara/crime_mirai.yar | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/yara/crime_mirai.yar b/yara/crime_mirai.yar
index ddf6fc4..c2505ab 100644
--- a/yara/crime_mirai.yar
+++ b/yara/crime_mirai.yar
@@ -94,3 +94,39 @@ rule Miari_2_May17 {
    condition:
       ( uint16(0) == 0x457f and filesize < 5000KB and 2 of them )
 }
+
+rule MAL_ELF_LNX_Mirai_Oct10_1 {
+   meta:
+      description = "Detects ELF Mirai variant"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27"
+      hash1 = "3be2d250a3922aa3f784e232ce13135f587ac713b55da72ef844d64a508ddcfe"
+   strings:
+      $x1 = " -r /vi/mips.bushido; "
+      $x2 = "/bin/busybox chmod 777 * /tmp/" fullword ascii
+
+      $s1 = "POST /ctrlt/DeviceUpgrade_1 HTTP/1.1" fullword ascii
+      $s2 = "loadURL>$(echo HUAWEIUPNP)" fullword ascii
+      $s3 = "POST /cdn-cgi/" fullword ascii
+   condition:
+      uint16(0) == 0x457f and filesize < 200KB and (
+         ( 1 of ($x*) and 1 of ($s*) ) or
+         all of ($x*)
+      )
+}
+
+rule MAL_ELF_LNX_Mirai_Oct10_2 {
+   meta:
+      description = "Detects ELF malware Mirai related"
+      author = "Florian Roth"
+      reference = "Internal Research"
+      date = "2018-10-27"
+      hash1 = "fa0018e75f503f9748a5de0d14d4358db234f65e28c31c8d5878cc58807081c9"
+   strings:
+      $c01 = { 50 4F 53 54 20 2F 63 64 6E 2D 63 67 69 2F 00 00
+               20 48 54 54 50 2F 31 2E 31 0D 0A 55 73 65 72 2D
+               41 67 65 6E 74 3A 20 00 0D 0A 48 6F 73 74 3A }
+   condition:
+      uint16(0) == 0x457f and filesize < 200KB and all of them
+}
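Review bot: The new rule names `MAL_ELF_LNX_Mirai_Oct10_1` and `MAL_ELF_LNX_Mirai_Oct10_2` do not follow the file's `MonYY` convention visible in the context rule `Miari_2_May17`, and they contradict the `date = "2018-10-27"` meta in both rules, since `Oct10` reads as October 2010; the intended names are presumably `MAL_ELF_LNX_Mirai_Oct18_1` and `MAL_ELF_LNX_Mirai_Oct18_2`. Renaming is cheap in this commit because the rules are new, whereas a rename later breaks any downstream mapping keyed on the rule name. A smaller consistency point: `$x1 = " -r /vi/mips.bushido; "` carries no modifiers while every other text string in the rule is `fullword ascii`; if that omission is deliberate (the surrounding spaces already bound the token), a comment such as `// no fullword: leading/trailing spaces are the boundary` would stop the next maintainer from "fixing" it.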