Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies a Linux-based variant of the Mirai botnet, 'Mirai.HD', acting as a backdoor. Mirai is a notorious malware family that infects IoT devices (routers, cameras, DVRs and similar) to launch large-scale distributed denial-of-service (DDoS) attacks. The '!MTB' suffix on the detection name marks it as a Microsoft Threat Behavior signature; the rule itself is a hex byte-pattern signature over the ELF body (signature type ELFHSTR), not a string or behavioral match. Both patterns are little-endian ARM32 instruction sequences (for example `04 10 a0 e1` is `mov r1, r4`, `98 d0 8d e2` is `add sp, sp, #0x98` and `f0 41 bd e8` is `pop {r4-r8, lr}`), so this rule covers ARM builds of the variant and will not fire on x86 or MIPS builds of the same family; the `??` wildcards mask bytes that vary between builds, such as branch displacements.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_HD_2147906813_0
{
meta:
author = "threatcheck.sh"
detection_name = "Backdoor:Linux/Mirai.HD!MTB"
threat_id = "2147906813"
type = "Backdoor"
platform = "Linux: Linux platform"
family = "Mirai"
severity = "Critical"
info = "MTB: Microsoft Threat Behavior"
signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
threshold = "2"
strings_accuracy = "Low"
strings:
$x_1_1 = {04 10 a0 e1 80 20 a0 e3 05 00 a0 e1 9b ff ff eb 00 20 50 e2 04 10 a0 e1 07 00 a0 e1 01 ?? ?? ?? 8b ff ff eb f5 ?? ?? ?? 05 00 a0 e1 69 ff ff eb 07 00 a0 e1 67 ff ff eb 3c 10 9f e5 04 20 a0 e3 01 00 a0 e3 82 ff ff eb 05 00 a0 e3 59 ff ff eb 98 d0 8d e2 f0 41 bd e8} //weight: 1, accuracy: Low
$x_1_2 = {20 21 9f e5 20 01 9f e5 aa ff ff eb 01 10 a0 e3 00 70 a0 e1 06 20 a0 e1 02 00 a0 e3 d2 ff ff eb 01 00 70 e3 01 00 77 13 00 50 a0 e1 01 00 a0 03 ?? ff ff 0b 05 00 a0 e1 84 10 8d e2 10 20 a0 e3 a7 ff ff eb 00 40 50 e2 05 ?? ?? ?? 01 00 a0 e3 d8 10 9f e5 04 20 a0 e3} //weight: 1, accuracy: Low
condition:
(filesize < 20MB) and
(all of ($x*))
}

Associated file hashes (SHA-256):
26c766a410eb8a03a90c3db7eb6508bb4ab5d215d5735de387e1566c5480d32a
1c513038cf0e06e20aeac63558954efecba1b400564ea35cb1a14b68087c0051
429fa603e41e304fb6abce2cea372e692649dea1033bd2731c35ada775b920c9

Remediation: Immediately isolate the infected Linux device from the network. Run a full scan with up-to-date security software and remove every detected malicious file; Mirai samples typically run from memory and delete their on-disk binary, so also inspect running processes and outbound connections, not only the filesystem. Before reconnecting the device: patch known vulnerabilities, replace default or weak credentials (Mirai's usual entry point is a telnet or SSH login with factory credentials), disable unneeded services, and block unnecessary inbound and outbound connections, in particular internet exposure of telnet and SSH. A device that is cleaned but reconnected with the same credentials and open management ports is typically re-infected within minutes, so keep continuous monitoring in place to catch re-infection.
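The rule above can be evaluated outside YARA to see exactly what the two hex strings match and how the `??` wildcards behave. The following Python is an added example, not code from threatcheck.sh or Microsoft: it translates the rule's hex strings (fixed bytes plus `??` wildcards) into byte regexes, applies the rule's condition (`filesize < 20MB` and `all of ($x*)`), and runs it over a constructed buffer that embeds the two code fragments with arbitrary bytes in the wildcard slots. The hex strings are copied verbatim from the rule; `scan`, `render_hex`, `constructed_sample` and the sample bytes are this example's own inventions and the sample is not a real Mirai binary.

```python
import re

# Hex strings copied verbatim from rule Backdoor_Linux_Mirai_HD_2147906813_0 above.
X_1_1 = ("04 10 a0 e1 80 20 a0 e3 05 00 a0 e1 9b ff ff eb 00 20 50 e2 04 10 a0 e1 "
         "07 00 a0 e1 01 ?? ?? ?? 8b ff ff eb f5 ?? ?? ?? 05 00 a0 e1 69 ff ff eb "
         "07 00 a0 e1 67 ff ff eb 3c 10 9f e5 04 20 a0 e3 01 00 a0 e3 82 ff ff eb "
         "05 00 a0 e3 59 ff ff eb 98 d0 8d e2 f0 41 bd e8")
X_1_2 = ("20 21 9f e5 20 01 9f e5 aa ff ff eb 01 10 a0 e3 00 70 a0 e1 06 20 a0 e1 "
         "02 00 a0 e3 d2 ff ff eb 01 00 70 e3 01 00 77 13 00 50 a0 e1 01 00 a0 03 "
         "?? ff ff 0b 05 00 a0 e1 84 10 8d e2 10 20 a0 e3 a7 ff ff eb 00 40 50 e2 "
         "05 ?? ?? ?? 01 00 a0 e3 d8 10 9f e5 04 20 a0 e3")
RULE_STRINGS = {"$x_1_1": X_1_1, "$x_1_2": X_1_2}
MAX_FILESIZE = 20 * 1024 * 1024  # YARA's "filesize < 20MB" (MB means 2**20 in YARA)


def hex_string_to_regex(hex_string: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes plus '??' wildcards) into a bytes regex.
    Only the two token kinds used by this rule are handled; jumps/alternations are not."""
    parts = []
    for tok in hex_string.split():
        if tok == "??":
            parts.append(b".")                                   # any single byte
        elif len(tok) == 2 and all(c in "0123456789abcdef" for c in tok.lower()):
            parts.append(re.escape(bytes([int(tok, 16)])))       # one fixed byte
        else:
            raise ValueError(f"unsupported hex token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)                # DOTALL: '.' must match 0x0a too


PATTERNS = {name: hex_string_to_regex(h) for name, h in RULE_STRINGS.items()}


def scan(data: bytes) -> dict:
    """Evaluate the rule condition: (filesize < 20MB) and (all of ($x*))."""
    if len(data) >= MAX_FILESIZE:
        return {"matched": False, "hits": {}, "reason": "filesize >= 20MB"}
    hits = {name: [m.start() for m in pat.finditer(data)] for name, pat in PATTERNS.items()}
    matched = all(hits.values())                                 # every $x string hit at least once
    return {"matched": matched, "hits": hits,
            "reason": "all of ($x*)" if matched else "not all $x strings present"}


def render_hex(hex_string: str, wildcard_fill: int) -> bytes:
    """Materialise a hex string as bytes, writing wildcard_fill into every '??' slot."""
    return bytes(wildcard_fill if tok == "??" else int(tok, 16) for tok in hex_string.split())


def constructed_sample(include_x_1_2: bool = True) -> bytes:
    """Constructed test input (hypothetical, not a real Mirai binary): 16 bytes of ELF-style
    ident, padding, then the two code fragments with arbitrary bytes in the wildcard slots."""
    blob = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + b"\x00" * 16   # $x_1_1 lands at offset 32
    blob += render_hex(X_1_1, 0x1a) + b"\x11" * 8
    if include_x_1_2:
        blob += render_hex(X_1_2, 0xa0)
    return blob + b"\x00" * 8


if __name__ == "__main__":
    for label, data in (("both fragments", constructed_sample()),
                        ("only $x_1_1", constructed_sample(include_x_1_2=False))):
        r = scan(data)
        print(f"{label}: matched={r['matched']} hits={r['hits']} ({r['reason']})")
```

The point of the wildcard-fill parameter is to show that the `??` slots accept any byte while a single changed fixed byte (for example a different register in `mov r1, r4`) defeats the match; that is why a recompiled or differently optimised build of the same source can slip past a signature like this one. For production scanning use the real rule with the yara binary or yara-python rather than this matcher, which exists only to make the semantics visible.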