Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a backdoor associated with the Mirai botnet, a threat targeting Linux-based Internet of Things (IoT) devices. Once infected, the device is controlled by an attacker and used to participate in large-scale Distributed Denial of Service (DDoS) attacks. The '!MTB' suffix indicates this detection is based on machine learning behavioral analysis.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_GN_2147906385_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Mirai.GN!MTB"
threat_id = "2147906385"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "2"
strings_accuracy = "High"
strings:
$x_1_1 = {e6 2f 22 4f 07 d0 f4 7f f3 6e 42 2e 51 1e 66 e4 62 1e 03 e5 0b 40 e3 66 0c 7e e3 6f 26 4f f6 6e} //weight: 1, accuracy: High
$x_1_2 = {53 61 63 67 13 66 04 d1 e6 2f 43 65 f3 6e 04 e4 e3 6f f6 6e} //weight: 1, accuracy: High
condition:
(filesize < 20MB) and
(all of ($x*))
}09b4c90f5b3e7a45cae95bba99cdd6d44d10db494b38bead1c47cedeb71850f2Isolate the compromised Linux device from the network immediately. Re-flash the device with a known-good firmware image from the manufacturer and change all default credentials to strong, unique passwords to prevent reinfection.