Concrete signature match: Backdoor - Provides unauthorized remote access for Linux platform, family Mirai
This detection identifies Backdoor:Linux/Mirai.IK, a specific variant of the Mirai botnet designed to infect Linux systems, often IoT devices. It functions as a backdoor, enabling remote control and conscripting the compromised device into a botnet for launching Distributed Denial of Service (DDoS) attacks.
No specific strings found for this threat
rule Backdoor_Linux_Mirai_IK_2147910132_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Backdoor:Linux/Mirai.IK!MTB"
        threat_id = "2147910132"
        type = "Backdoor"
        platform = "Linux: Linux platform"
        family = "Mirai"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_ELFHSTR_EXT"
        threshold = "2"
        strings_accuracy = "High"

    strings:
        $x_1_1 = {7c 08 02 a6 94 21 ff f0 7c 64 1b 78 38 60 00 01 90 01 00 14 4c c6 31 82 48 00 03 25 80 01 00 14 38 21 00 10 7c 08 03 a6 4e 80 00 20} //weight: 1, accuracy: High
        $x_1_2 = {94 21 ff e0 7c 08 02 a6 90 61 00 08 38 60 00 66 90 81 00 0c 38 80 00 03 90 a1 00 10 38 a1 00 08 90 01 00 24 4c c6 31 82 48 00 02 85 80 01 00 24 38 21 00 20 7c 08 03 a6 4e 80 00 20} //weight: 1, accuracy: High

    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

7178c414b8909ab7903880a02b34fd604928ddeb95a69869aafa1e8f828088f0

Immediately isolate the infected Linux system from the network. Change all default or weak credentials, ensure the operating system and firmware are fully patched, remove the detected malware, and implement robust network monitoring for any unusual activity or outbound connections.