Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
R
rules
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
fact-depend
rules
Commits
80846e33
Commit
80846e33
authored
Dec 07, 2016
by
mmorenog
Committed by
GitHub
Dec 07, 2016
Browse files
Options
Browse Files
Download
Plain Diff
Merge pull request #187 from felmoltor/master
Add Mirai TR-069 Worm signatures
parents
6bf9a66c
7c0c7683
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
167 additions
and
0 deletions
+167
-0
MALW_Mirai.yar
malware/MALW_Mirai.yar
+167
-0
No files found.
malware/MALW_Mirai.yar
0 → 100644
View file @
80846e33
import "hash"
import "pe"
rule Mirai_Generic_Arch : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - Generic Architecture"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
$miname and $iptables1 and $iptables2 and $procnet
}
rule Mirai_MIPS_LSB : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - MIPS LSB"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5 = "bf650d39eb603d92973052ca80a4fdda"
SHA1 = "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
$miname and $iptables1 and $iptables2 and $procnet and
hash.sha1(0,filesize) == "03ecd3b49aa19589599c64e4e7a51206a592b4ef"
}
rule Mirai_MIPS_MSB : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - MIPS MSB"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5 = "0eb51d584712485300ad8e8126773941"
SHA1 = "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
$miname and $iptables1 and $iptables2 and $procnet and
hash.sha1(0,filesize) == "18bce2f0107b5fab1b0b7c453e2a6b6505200cbd"
}
rule Mirai_ARM_LSB : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - ARM LSB"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5= "eba670256b816e2d11f107f629d08494"
SHA1 = "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
$miname and $iptables1 and $iptables2 and $procnet and
hash.sha1(0,filesize) == "8a25dee4ea7d61692b2b95bd047269543aaf0c81"
}
rule Mirai_Renesas_SH : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - Renesas SH LSB"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5 = "863dcf82883c885b0686dce747dcf502"
SHA1 = "bdc86295fad70480f0c6edcc37981e3cf11d838c"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
$miname and $iptables1 and $iptables2 and $procnet and
hash.sha1(0,filesize) == "bdc86295fad70480f0c6edcc37981e3cf11d838c"
}
rule Mirai_PPC_Cisco : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - PowerPC or Cisco 4500"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5= "dbd92b08cbff8455ff76c453ff704dc6"
SHA1 = "6933d555a008a07b859a55cddb704441915adf68"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
( $miname and $iptables1 and $iptables2 and $procnet ) and
hash.sha1(0,filesize) == "6933d555a008a07b859a55cddb704441915adf68"
}
rule Mirai_SPARC_MSB : MALW
{
meta:
description = "Mirai Botnet TR-069 Worm - SPARC MSB"
author = "Felipe Molina / @felmoltor"
date = "2016-12-04"
version = "1.0"
MD5= "05891dbabc42a36f33c30535f0931555"
SHA1 = "3d770480b6410cba39e19b3a2ff3bec774cabe47"
ref1 = "http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/"
ref2 = "https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759"
ref3 = "https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/"
strings:
$miname = "Myname--is:"
$iptables1 = "busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP"
$iptables2 = "busybox iptables -A INPUT -p tcp --destination-port 5555 -j DROP"
$procnet = "/proc/net/tcp"
condition:
( $miname and $iptables1 and $iptables2 and $procnet ) and
hash.sha1(0,filesize) == "3d770480b6410cba39e19b3a2ff3bec774cabe47"
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
