elf.mirai

Mirai


Mirai is one of the first significant botnets targeting exposed networking devices running Linux. It was first identified in August 2016 by MalwareMustDie; its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (from many vendors), and other IoT devices. Since the source code was published on "Hack Forums", many variants of the Mirai family have appeared, infecting mostly home networks all around the world.

References
2019-10-02 ⋅ Politie NL ⋅ Politie NL
@online{nl:20191002:servers:08fffed, author = {Politie NL}, title = {{Servers botnet offline}}, date = {2019-10-02}, organization = {Politie NL}, url = {https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html}, language = {English}, urldate = {2020-01-08} } Servers botnet offline
Mirai
2019-09-10 ⋅ ReversingLabs ⋅ Josip Milić
@online{mili:20190910:mirai:906e0a9, author = {Josip Milić}, title = {{Mirai Botnet Continues to Plague IoT Space}}, date = {2019-09-10}, organization = {ReversingLabs}, url = {https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space}, language = {English}, urldate = {2020-01-13} } Mirai Botnet Continues to Plague IoT Space
Mirai
2019-04-12 ⋅ Stratosphere Lab ⋅ María José Erquiaga
@online{erquiaga:20190412:analysis:bb76a6f, author = {María José Erquiaga}, title = {{Analysis of an IRC based Botnet}}, date = {2019-04-12}, organization = {Stratosphere Lab}, url = {https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet}, language = {English}, urldate = {2020-01-10} } Analysis of an IRC based Botnet
Mirai
2019-04-08 ⋅ Palo Alto Networks Unit 42 ⋅ Ruchna Nigam
@online{nigam:20190408:mirai:b25b562, author = {Ruchna Nigam}, title = {{Mirai Compiled for New Processors Surfaces in the Wild}}, date = {2019-04-08}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/}, language = {English}, urldate = {2019-11-26} } Mirai Compiled for New Processors Surfaces in the Wild
Mirai
2018-12-20 ⋅ Trend Micro ⋅ Augusto Remillano II, Mark Vicente
@online{ii:20181220:with:8e827ba, author = {Augusto Remillano II and Mark Vicente}, title = {{With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit}}, date = {2018-12-20}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/}, language = {English}, urldate = {2019-11-29} } With Mirai Comes Miori: IoT Botnet Delivered via ThinkPHP Remote Code Execution Exploit
Mirai
2018-07-20 ⋅ Palo Alto Networks Unit 42 ⋅ Ruchna Nigam
@online{nigam:20180720:unit:e044686, author = {Ruchna Nigam}, title = {{Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns}}, date = {2018-07-20}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/}, language = {English}, urldate = {2019-12-20} } Unit 42 Finds New Mirai and Gafgyt IoT/Linux Botnet Campaigns
Hakai Mirai
2017-12-13 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20171213:mirai:bd2cb74, author = {Brian Krebs}, title = {{Mirai IoT Botnet Co-Authors Plead Guilty}}, date = {2017-12-13}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/}, language = {English}, urldate = {2020-01-08} } Mirai IoT Botnet Co-Authors Plead Guilty
Mirai
2017-11-24 ⋅ Bleeping Computer ⋅ Catalin Cimpanu
@online{cimpanu:20171124:mirai:ea4773e, author = {Catalin Cimpanu}, title = {{Mirai Activity Picks up Once More After Publication of PoC Exploit Code}}, date = {2017-11-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/}, language = {English}, urldate = {2019-12-20} } Mirai Activity Picks up Once More After Publication of PoC Exploit Code
Mirai
2017-07-15 ⋅ Github (jgamblin) ⋅ Jerry Gamblin
@online{gamblin:20170715:mirai:72ffffb, author = {Jerry Gamblin}, title = {{Mirai BotNet Source Code}}, date = {2017-07-15}, organization = {Github (jgamblin)}, url = {https://github.com/jgamblin/Mirai-Source-Code}, language = {English}, urldate = {2019-12-17} } Mirai BotNet Source Code
Mirai
2016-10-27 ⋅ Simon Roses Femerling Blog ⋅ Simon Roses
@online{roses:20161027:mirai:01bd756, author = {Simon Roses}, title = {{Mirai DDoS Botnet: Source Code & Binary Analysis}}, date = {2016-10-27}, organization = {Simon Roses Femerling Blog}, url = {http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/}, language = {English}, urldate = {2020-01-07} } Mirai DDoS Botnet: Source Code & Binary Analysis
Mirai
2016-10-01 ⋅ KrebsOnSecurity ⋅ Brian Krebs
@online{krebs:20161001:source:796f0bc, author = {Brian Krebs}, title = {{Source Code for IoT Botnet ‘Mirai’ Released}}, date = {2016-10-01}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/}, language = {English}, urldate = {2019-07-10} } Source Code for IoT Botnet ‘Mirai’ Released
Mirai
2016-05-02 ⋅ John Bambenek ⋅ John Bambenek
@online{bambenek:20160502:osint:54b6791, author = {John Bambenek}, title = {{OSINT Feed}}, date = {2016-05-02}, organization = {John Bambenek}, url = {http://osint.bambenekconsulting.com/feeds/}, language = {English}, urldate = {2020-01-06} } OSINT Feed
Mirai Banjori
Yara Rules
[TLP:WHITE] elf_mirai_auto (20190204 | autogenerated rule brought to you by yara-signator)
// Autogenerated (yara-signator) code-pattern rule for Mirai.
// Detection logic: ten byte sequences lifted from disassembly ($sequence_0..$sequence_9);
// a file matches when at least 7 of them are present (see `condition`).
// The annotated mnemonics use 32-bit x86 registers (eax, ebx, ecx, edx, ebp), so the
// patterns come from an x86 build of the family; builds for other CPU architectures
// are presumably not covered by these byte sequences — TODO confirm against
// per-architecture samples before relying on this rule for fleet-wide coverage.
rule elf_mirai_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2019-11-26"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai"
        malpedia_version = "20190204"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // `??` bytes are wildcards: they mask the 4-byte relative displacement of
        // call (e8) / jmp (e9) instructions, which changes between builds.
        // Each "n = ..., score = ..." line is generator output: n is the number of
        // instructions in the sequence; the meaning of score is not documented here.
        $sequence_0 = { 66894304 7406 66c743064000 c643092f }
            // n = 4, score = 300
            //   66894304             | mov                 word ptr [ebx + 4], ax
            //   7406                 | je                  8
            //   66c743064000         | mov                 word ptr [ebx + 6], 0x40
            //   c643092f             | mov                 byte ptr [ebx + 9], 0x2f

        $sequence_1 = { c1e004 8b1408 895310 8b54080c 66895314 }
            // n = 5, score = 300
            //   c1e004               | shl                 eax, 4
            //   8b1408               | mov                 edx, dword ptr [eax + ecx]
            //   895310               | mov                 dword ptr [ebx + 0x10], edx
            //   8b54080c             | mov                 edx, dword ptr [eax + ecx + 0xc]
            //   66895314             | mov                 word ptr [ebx + 0x14], dx

        $sequence_2 = { c1ea03 89d0 c1e005 01d0 }
            // n = 4, score = 300
            //   c1ea03               | shr                 edx, 3
            //   89d0                 | mov                 eax, edx
            //   c1e005               | shl                 eax, 5
            //   01d0                 | add                 eax, edx

        // Prefix of $sequence_1: any file matching $sequence_1 also matches this one,
        // so the two are not independent evidence.
        $sequence_3 = { c1e004 8b1408 895310 8b54080c }
            // n = 4, score = 300
            //   c1e004               | shl                 eax, 4
            //   8b1408               | mov                 edx, dword ptr [eax + ecx]
            //   895310               | mov                 dword ptr [ebx + 0x10], edx
            //   8b54080c             | mov                 edx, dword ptr [eax + ecx + 0xc]

        $sequence_4 = { e8???????? c7433400000000 894330 c6433801 c6433903 c6433a03 c6433b06 }
            // n = 7, score = 300
            //   e8????????           |                     
            //   c7433400000000       | mov                 dword ptr [ebx + 0x34], 0
            //   894330               | mov                 dword ptr [ebx + 0x30], eax
            //   c6433801             | mov                 byte ptr [ebx + 0x38], 1
            //   c6433903             | mov                 byte ptr [ebx + 0x39], 3
            //   c6433a03             | mov                 byte ptr [ebx + 0x3a], 3
            //   c6433b06             | mov                 byte ptr [ebx + 0x3b], 6

        // Prefix of $sequence_4 and suffix of $sequence_9: matches whenever either of
        // those matches.
        $sequence_5 = { e8???????? c7433400000000 894330 c6433801 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   c7433400000000       | mov                 dword ptr [ebx + 0x34], 0
            //   894330               | mov                 dword ptr [ebx + 0x30], eax
            //   c6433801             | mov                 byte ptr [ebx + 0x38], 1

        // Prefix of $sequence_9: matches whenever $sequence_9 matches.
        $sequence_6 = { 6689432a e8???????? c7433400000000 894330 }
            // n = 4, score = 300
            //   6689432a             | mov                 word ptr [ebx + 0x2a], ax
            //   e8????????           |                     
            //   c7433400000000       | mov                 dword ptr [ebx + 0x34], 0
            //   894330               | mov                 dword ptr [ebx + 0x30], eax

        // Two of the four elements are wildcarded branch targets, so only the
        // `test ebp, ebp` and `mov ebx, [eax + 0x10]` opcodes anchor this pattern.
        $sequence_7 = { 85ed e9???????? 8b5810 e8???????? }
            // n = 4, score = 300
            //   85ed                 | test                ebp, ebp
            //   e9????????           |                     
            //   8b5810               | mov                 ebx, dword ptr [eax + 0x10]
            //   e8????????           |                     

        $sequence_8 = { 3c19 7705 8d42e0 8801 }
            // n = 4, score = 300
            //   3c19                 | cmp                 al, 0x19
            //   7705                 | ja                  7
            //   8d42e0               | lea                 eax, [edx - 0x20]
            //   8801                 | mov                 byte ptr [ecx], al

        // Superset of $sequence_5 and $sequence_6 (see the notes on those two).
        $sequence_9 = { 6689432a e8???????? c7433400000000 894330 c6433801 }
            // n = 5, score = 300
            //   6689432a             | mov                 word ptr [ebx + 0x2a], ax
            //   e8????????           |                     
            //   c7433400000000       | mov                 dword ptr [ebx + 0x34], 0
            //   894330               | mov                 dword ptr [ebx + 0x30], eax
            //   c6433801             | mov                 byte ptr [ebx + 0x38], 1

    condition:
        // At least 7 of the 10 $sequence_* strings. Because of the overlaps noted
        // above ($sequence_3 within $sequence_1; $sequence_5 within $sequence_4 and
        // $sequence_9; $sequence_6 within $sequence_9), fewer than 7 distinct code
        // locations can satisfy this threshold — weigh that when assigning a
        // confidence level, as the disclaimer above recommends.
        7 of them
}