Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a Linux ELF binary as a variant of the Mirai botnet malware. Mirai infects IoT and Linux devices, enrolls them in a botnet used to launch large-scale Distributed Denial of Service (DDoS) attacks, and kills competing processes on the compromised host (the killer_* symbols matched by the rule below, such as killer_kill_by_port, belong to that component).
No specific strings found for this threat
rule Backdoor_Linux_Mirai_DB_2147832483_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.DB!MTB"
        threat_id = "2147832483"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "4"
        strings_accuracy = "High"
    strings:
        $x_1_1 = "attack_vector_udp" ascii //weight: 1
        $x_1_2 = "killer_pid" ascii //weight: 1
        $x_1_3 = "killer_kill_by_port" ascii //weight: 1
        $x_1_4 = "attack_kill_all" ascii //weight: 1
        $x_1_5 = "killer_realpath" ascii //weight: 1
        $x_1_6 = "attack_ongoing" ascii //weight: 1
        $x_1_7 = "init_killer" ascii //weight: 1
    condition:
        (filesize < 20MB) and
        (4 of ($x*))
}

Sample SHA-256: 7da1a369267bcd4ca804090e4053c887ec6379e70f1fe247c064ab8e32411b30

Remediation: Quarantine and delete the detected file using your security software. Isolate the host from the network and investigate the file's origin (how it arrived, and which exposed service or credentials were used). Scan your network for other vulnerable Linux or IoT devices, immediately change any default credentials, and ensure all device firmware is up to date.
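The rule above is a plain string-count rule: seven ASCII symbols, each of weight 1, and a verdict when at least four of them occur in a file under 20 MB. The following Python script, added here as an example and not part of the threatcheck.sh page or of Microsoft's engine, re-implements that condition so a responder can triage a suspect binary on a host without yara-python installed, reports which of the seven identifiers hit, and compares the file's SHA-256 with the sample hash listed above. The two byte blobs at the bottom are constructed test inputs, not real samples.

```python
import hashlib

# The seven ASCII strings from rule Backdoor_Linux_Mirai_DB_2147832483_0 (all weight 1).
MIRAI_DB_STRINGS = [
    b"attack_vector_udp",
    b"killer_pid",
    b"killer_kill_by_port",
    b"attack_kill_all",
    b"killer_realpath",
    b"attack_ongoing",
    b"init_killer",
]
THRESHOLD = 4                    # condition: 4 of ($x*)
MAX_FILESIZE = 20 * 1024 * 1024  # condition: filesize < 20MB (YARA's MB suffix is 2**20)

# SHA-256 of the sample listed on the page, for a quick "is this the known file" check.
KNOWN_SAMPLE_SHA256 = "7da1a369267bcd4ca804090e4053c887ec6379e70f1fe247c064ab8e32411b30"


def evaluate_rule(data: bytes) -> dict:
    """Mirror the rule's condition over a byte buffer.

    Each identifier counts once no matter how often it occurs, which is how
    `N of ($x*)` counts in YARA. Returns the hits and the verdict.
    """
    hits = [s.decode() for s in MIRAI_DB_STRINGS if s in data]
    size_ok = len(data) < MAX_FILESIZE
    return {
        "filesize": len(data),
        "size_ok": size_ok,
        "hits": hits,
        "matched": size_ok and len(hits) >= THRESHOLD,
    }


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the buffer, for comparison against published sample hashes."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    """Rule verdict plus hash comparison, the two facts a responder wants first."""
    result = evaluate_rule(data)
    digest = sha256_hex(data)
    result["sha256"] = digest
    result["known_sample"] = digest == KNOWN_SAMPLE_SHA256
    return result


def scan_path(path: str) -> dict:
    """Read a file from disk and triage it (assumed helper for use on a live host)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed inputs (not malware): a fake ELF-like blob carrying five of the
# rule's strings, and a blob carrying only two, which stays below the threshold.
ELF_MAGIC = b"\x7fELF"
SUSPECT = (ELF_MAGIC + b"\x00" * 64
           + b"init_killer\x00killer_pid\x00killer_kill_by_port\x00"
           + b"attack_vector_udp\x00attack_ongoing\x00")
BENIGN = ELF_MAGIC + b"\x00" * 64 + b"attack_ongoing\x00killer_realpath\x00main\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        r = triage(blob)
        print(f"{name}: matched={r['matched']} hits={r['hits']} "
              f"known_sample={r['known_sample']} sha256={r['sha256'][:16]}...")
```

This mirrors only the condition of this one rule; with yara-python available, `yara.compile(source=...)` followed by `rules.match(data=...)` against the rule text above is the authoritative check. Note also that stripped or packed Mirai builds will not expose these symbol names as plain ASCII, so a non-match here does not clear a file; the hash comparison is exact only for the single sample listed.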