Skip to content

Instantly share code, notes, and snippets.

@dmknght
Last active August 18, 2021 00:59
Show Gist options
  • Save dmknght/0831db9160e64a188950c2795f8066e5 to your computer and use it in GitHub Desktop.
Save dmknght/0831db9160e64a188950c2795f8066e5 to your computer and use it in GitHub Desktop.
Real world challenge with Mirai and its variants

Sample to use https://github.com/MalwareSamples/Linux-Malware-Samples

Run ClamScan get list of Mirai samples: clamscan -i . | grep Mirai > mirai_list We can see 84 files were detected

$cat mirai_list  | wc -l
84

84 samples matched by 22 signatures

$cat mirai_list  | cut -d ":" -f 2 | sort | uniq | wc -l
22

So i wrote a script in Nim lang to compare hashes of sections. This script is created for fast work, no optimization for performance https://gist.github.com/dmknght/9ee5977729ed4f7e3ae3d3376441e22d. The script will not only get hashes of the files but also parses hashes in /usr/bin/ and saves in a text file as whitelisted hashes. So we can use hashes for yara rule and don't really care about false positives. Let's try with some random samples. I'm going to get the file list only for quick copy-paste $cat mirai_list | cut -d ":" -f 1 Run with 2 files

$./parse_hashes /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/0afd9f52ddada582d5f907e0a8620cbdbe74ea31cf775987a5675226c1b228c2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/135f766d84d2c5db45dbb56348b1f75797455f33e7243f9b79ea3fc6d7efdf8b
Found same hashes
MD5: f1d3ff8443297732862df21dc4e57262  Name: .eh_frame
MD5: f858d36231ba743ad8c898d86a67a864  Name: .ctors
MD5: f858d36231ba743ad8c898d86a67a864  Name: .dtors
MD5: 7dea362b3fac8e00956a4952a3d4f474  Name: .jcr
MD5: b748e0aa34cc3bb4dcf0f803be00e8ae  Name: .shstrtab
@["b748e0aa34cc3bb4dcf0f803be00e8ae"]

The last line, @["b748e0aa34cc3bb4dcf0f803be00e8ae"] means the hashes are not in whitelisted file. I should write a simple line to say that. But the script is not optimized ^^. Yara rule

import "elf"
import "hash"

rule Linux_Mirai_section_hash
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "b748e0aa34cc3bb4dcf0f803be00e8ae"
    )
}

Run it $yara mirai.yar ~/Desktop/MalwareLab/Linux-Malware-Samples If we run $yara mirai.yar ~/Desktop/MalwareLab/Linux-Malware-Samples | wc -l, we can see 93 files matched. We can check ClamAV detections with the list. First, we must save it as a file: $yara mirai.yar ~/Desktop/MalwareLab/Linux-Malware-Samples | cut -d " " -f 2 > filelist. Then we use ClamAV to scan, ofc $clamscan --file-list filelist. 93 files matched. To save the result and analysis it, we must run $clamscan --file-list filelist --no-summary > result

$cat result | cut -d : -f 2 | sort | uniq
 Unix.Dropper.Mirai-7136029-0 FOUND
 Unix.Dropper.Mirai-7138855-0 FOUND
 Unix.Dropper.Mirai-7138865-0 FOUND
 Unix.Dropper.Mirai-7139229-0 FOUND
 Unix.Dropper.Mirai-7139232-0 FOUND
 Unix.Dropper.Mirai-7540662-0 FOUND
 Unix.Trojan.Gafgyt-6981154-0 FOUND
 Unix.Trojan.Gafgyt-7643791-0 FOUND
 Unix.Trojan.Mirai-5607483-0 FOUND
 Unix.Trojan.Mirai-7139482-0 FOUND
 Unix.Trojan.Mirai-9812559-0 FOUND
 Unix.Trojan.Tsunami-6981155-0 FOUND

We didn't just detect the Mirai but the other variants, Tsunami and Gafgyt as well.

$cat result | cut -d : -f 2 | sort | uniq | grep Mirai | wc -l
9

9 different Mirai variants, 2 Gafgypt variants and 1 Tsunami variant with only 1 section hash.

From first list of ClamScan, we can see there are 22 different signatures. We can match only 9 Mirai signatures.

$cat mirai_list  | cut -d ":" -f 2 | sort | uniq | wc -l
22

Let's try again. I'm parsing all signatures of Mirai that we matched with yara.

$cat clamresult  | cut -d : -f 2 | sort | uniq | grep Mirai | cut -d "-" -f 2
7136029
7138855
7138865
7139229
7139232
7540662
5607483
7139482
9812559

Now we try grep the list of Mirai without those signatures

$cat mirai_list |  grep -vE "7136029|7138855|7138865|7139229|7139232|7540662|5607483|7139482|9812559"
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a: Unix.Dropper.Mirai-7135987-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a: Unix.Dropper.Mirai-7355719-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/3dcad97c6bc823158aa8de7ab177af8c430bb20acd1f9d4e12444c482d0edd1d: Unix.Dropper.Mirai-7135944-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/4399878ba5f43539860e9d3da2fdebd2d0ac4b1f9105f48bbcf8b147eb28597a: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/5a888ae2128e398b401d8ab8333f0fe125134892b667e1acd3dd3fee98f6ea3f: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/60a6d1e2ea4b57394628fd223d43398b2d0aeb02553658569d36642f29e2f54f: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/650971d785224bf9680dca1cc43ce5546a9afb78dcf6baf4944862816ab6f4f4: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/68c67c4e38c1b5a1a2897c5f6d25456e989f5a94c359137ea040e79ca4a588aa: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ad29695e333a311c59c9dda73adc6154b9739f4486b4ff889fc6e053aae0b2a: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7b74d62b2eadf1f93cebae2a9557ad8515f27beff9f314dddbbc032333572cb3: Unix.Trojan.Mirai-7831435-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ef53aea7f4308b24db56737ae4ef9d188cdf947639bf078306da599990a2784: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/93952d715801eba4b1b346ac90dbd9ab1df809bec4d14607163c932f2260da73: Unix.Trojan.Mirai-7640640-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/94d57e96cb9ba8a0bc04293c5f63ed35e7347578eeec801be0cb554c86d0862e: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d: Unix.Dropper.Mirai-7540654-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e88d9dea52edb9467022068c2d922bff17d39e652b98bc0f6b69e26485018c6: Unix.Dropper.Mirai-7135944-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a2b457dbd760b46e90cdde8971361c5e0422c30ba85afa6564e273a9ad123803: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a385b3b1ed6e0480aa495361ab5b5ed9448f52595b383f897dd0a56e7ab35496: Unix.Dropper.Mirai-7540654-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/aab526b32d703fd9273635393011a05c9c3f6204854367eb0eb80894bbcfdd42: Unix.Dropper.Mirai-7540609-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/b3367881b8d0dad2417ab30e2179cd089239821e3b85e0d5ca0e9081294898bf: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d57c54d74ba0f94e37798d0ee3f81ebfd44aebd4004f7cd30d584243083e1e01: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d8878a0593c1920571afaa2c024d8d4589f13b334c064200b35af0cff20de3e5: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/da7596a5308afddaa2197d62446761b9b437d423e57e7599a57d7ec65e342dce: Unix.Dropper.Mirai-7540610-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b: Unix.Dropper.Mirai-7135987-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e44134bde0edb60f8a0d70a7205f73d1b30e59de49853e8beb58a98cb74a6a9c: Unix.Trojan.Mirai-7135937-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e6995b5428e887d790c6b77b32fddc143658ce2125ba192e8255d1ab70db6cac: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/eb42df7bb9526ac524d62a52bde7290c9ca5a8f4bc693a698935ba990bfdcecb: Unix.Dropper.Mirai-7135944-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798: Unix.Dropper.Mirai-7135881-0 FOUND

27 files more. Test with 2 files at top of the list, we have no luck: No safe hashes (we are only having f858d36231ba743ad8c898d86a67a864 as same hash)

$./parse_hashes /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a  /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/3dcad97c6bc823158aa8de7ab177af8c430bb20acd1f9d4e12444c482d0edd1d
Found same hashes
MD5: f858d36231ba743ad8c898d86a67a864  Name: .ctors
MD5: f858d36231ba743ad8c898d86a67a864  Name: .dtors
No safe hashes

But i'm lucky

$./parse_hashes /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a2b457dbd760b46e90cdde8971361c5e0422c30ba85afa6564e273a9ad123803
Found same hashes
MD5: f858d36231ba743ad8c898d86a67a864  Name: .ctors
MD5: f858d36231ba743ad8c898d86a67a864  Name: .dtors
MD5: 90d8eebc2a34162c49ec31cfc660cec1  Name: .shstrtab
@["90d8eebc2a34162c49ec31cfc660cec1"]

New rules

rule Linux_Mirai_section_hash_2
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "90d8eebc2a34162c49ec31cfc660cec1"
    )
}

I'm saving new rule to different file to test scan

$yara mirai_2.yar  ~/Desktop/MalwareLab/Linux-Malware-Samples 
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/0e492a3be57312e9b53ea378fa09650191ddb4aee0eed96dfc71567863b500a8
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/5a888ae2128e398b401d8ab8333f0fe125134892b667e1acd3dd3fee98f6ea3f
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/68c67c4e38c1b5a1a2897c5f6d25456e989f5a94c359137ea040e79ca4a588aa
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/93952d715801eba4b1b346ac90dbd9ab1df809bec4d14607163c932f2260da73
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a2b457dbd760b46e90cdde8971361c5e0422c30ba85afa6564e273a9ad123803
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a385b3b1ed6e0480aa495361ab5b5ed9448f52595b383f897dd0a56e7ab35496
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/b3367881b8d0dad2417ab30e2179cd089239821e3b85e0d5ca0e9081294898bf
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d3ed26b4935b05480504da6ee1949468f77b79ac58fe5c998d470313a07ceeca
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d8878a0593c1920571afaa2c024d8d4589f13b334c064200b35af0cff20de3e5
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e44134bde0edb60f8a0d70a7205f73d1b30e59de49853e8beb58a98cb74a6a9c
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e6995b5428e887d790c6b77b32fddc143658ce2125ba192e8255d1ab70db6cac
Linux_Mirai_section_hash_2 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798

Save to filelist2 and check with clamAV $yara mirai_2.yar ~/Desktop/MalwareLab/Linux-Malware-Samples | cut -d " " -f 2 > filelist2 2 files were not detected

$clamscan --file-list=filelist2
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/0e492a3be57312e9b53ea378fa09650191ddb4aee0eed96dfc71567863b500a8: OK
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/206ad8fec64661c1fed8f20f71523466d0ca4ed9c01d20bea128bfe317f4395a: Unix.Dropper.Mirai-7135987-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/341a49940749d5f07d32d1c8dfddf6388a11e45244cc54bc8768a8cd7f00b46a: Unix.Dropper.Mirai-7355719-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/5a888ae2128e398b401d8ab8333f0fe125134892b667e1acd3dd3fee98f6ea3f: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/68c67c4e38c1b5a1a2897c5f6d25456e989f5a94c359137ea040e79ca4a588aa: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/93952d715801eba4b1b346ac90dbd9ab1df809bec4d14607163c932f2260da73: Unix.Trojan.Mirai-7640640-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e35f0a9eef0b597432cb8a7dfbd7ce16f657e7a74c26f7a91d81b998d00b24d: Unix.Dropper.Mirai-7540654-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a2b457dbd760b46e90cdde8971361c5e0422c30ba85afa6564e273a9ad123803: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/a385b3b1ed6e0480aa495361ab5b5ed9448f52595b383f897dd0a56e7ab35496: Unix.Dropper.Mirai-7540654-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/b3367881b8d0dad2417ab30e2179cd089239821e3b85e0d5ca0e9081294898bf: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d3ed26b4935b05480504da6ee1949468f77b79ac58fe5c998d470313a07ceeca: OK
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d8878a0593c1920571afaa2c024d8d4589f13b334c064200b35af0cff20de3e5: Unix.Trojan.Mirai-7135916-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/dcd318efe5627e07a8eda9104ede1f510e43f5c0ae7f74d411137e1174f2844b: Unix.Dropper.Mirai-7135987-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e44134bde0edb60f8a0d70a7205f73d1b30e59de49853e8beb58a98cb74a6a9c: Unix.Trojan.Mirai-7135937-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/e6995b5428e887d790c6b77b32fddc143658ce2125ba192e8255d1ab70db6cac: Unix.Trojan.Mirai-7100807-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/ff2a39baf61e34f14f9c49c27faed07bdd431605b3c845ab82023c39589e6798: Unix.Dropper.Mirai-7135881-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8560744
Engine version: 0.103.3
Scanned directories: 0
Scanned files: 16
Infected files: 14
Data scanned: 0.89 MB
Data read: 0.89 MB (ratio 1.00:1)
Time: 11.025 sec (0 m 11 s)
Start Date: 2021:08:18 07:40:59
End Date:   2021:08:18 07:41:10

We are having other 8 Mirai signatures for just 1 hash of ELF section

 Unix.Dropper.Mirai-7135881-0 FOUND
 Unix.Dropper.Mirai-7135987-0 FOUND
 Unix.Dropper.Mirai-7355719-0 FOUND
 Unix.Dropper.Mirai-7540654-0 FOUND
 Unix.Trojan.Mirai-7100807-0 FOUND
 Unix.Trojan.Mirai-7135916-0 FOUND
 Unix.Trojan.Mirai-7135937-0 FOUND
 Unix.Trojan.Mirai-7640640-0 FOUND

Keep filtering, we have 13 files remmaining

$cat mirai_list |  grep -vE "7136029|7138855|7138865|7139229|7139232|7540662|5607483|7139482|9812559|7135881|7135987|7355719|7540654|7100807|7135916|7135937|7640640" | cut -d ":" -f 1
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/3dcad97c6bc823158aa8de7ab177af8c430bb20acd1f9d4e12444c482d0edd1d
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/4399878ba5f43539860e9d3da2fdebd2d0ac4b1f9105f48bbcf8b147eb28597a
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/60a6d1e2ea4b57394628fd223d43398b2d0aeb02553658569d36642f29e2f54f
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/650971d785224bf9680dca1cc43ce5546a9afb78dcf6baf4944862816ab6f4f4
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ad29695e333a311c59c9dda73adc6154b9739f4486b4ff889fc6e053aae0b2a
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7b74d62b2eadf1f93cebae2a9557ad8515f27beff9f314dddbbc032333572cb3
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ef53aea7f4308b24db56737ae4ef9d188cdf947639bf078306da599990a2784
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/94d57e96cb9ba8a0bc04293c5f63ed35e7347578eeec801be0cb554c86d0862e
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/9e88d9dea52edb9467022068c2d922bff17d39e652b98bc0f6b69e26485018c6
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/aab526b32d703fd9273635393011a05c9c3f6204854367eb0eb80894bbcfdd42
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d57c54d74ba0f94e37798d0ee3f81ebfd44aebd4004f7cd30d584243083e1e01
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/da7596a5308afddaa2197d62446761b9b437d423e57e7599a57d7ec65e342dce
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/eb42df7bb9526ac524d62a52bde7290c9ca5a8f4bc693a698935ba990bfdcecb

Keep testing luck

$./parse_hashes /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d57c54d74ba0f94e37798d0ee3f81ebfd44aebd4004f7cd30d584243083e1e01 /home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/da7596a5308afddaa2197d62446761b9b437d423e57e7599a57d7ec65e342dce
Found same hashes
MD5: 68dd3bd106aab3e99d9a65e4f9bfa7f1  Name: .note.gnu.property
MD5: f858d36231ba743ad8c898d86a67a864  Name: .ctors
MD5: f858d36231ba743ad8c898d86a67a864  Name: .dtors
MD5: a4b1a9d3f3622ccb54e615de8005f87f  Name: .shstrtab
@["68dd3bd106aab3e99d9a65e4f9bfa7f1", "a4b1a9d3f3622ccb54e615de8005f87f"]

New rule

import "elf"
import "hash"

rule Linux_Mirai_section_hash_3
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "68dd3bd106aab3e99d9a65e4f9bfa7f1" or
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "a4b1a9d3f3622ccb54e615de8005f87f"
    )
}

Keep comparing ClamAV and yara $yara mirai_3.yar ~/Desktop/MalwareLab/Linux-Malware-Samples | cut -d " " -f 2 > filelist3 $clamscan --file-list=filelist3 --no-summary > result3

$cat result3 
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/1794cf09f4ea698759b294e27412aa09eda0860475cd67ce7b23665ea6c5d58b: Unix.Trojan.Gafgyt-9821959-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/1822454a2f12fae1725ef96e588e6fa2eeab58a8043e9a56ac328c14100ba937: OK
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/1b5bd0d4989c245af027f6bc0c331417f81a87fff757e19cdbdfe25340be01a6: Unix.Trojan.Gafgyt-9821959-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/4399878ba5f43539860e9d3da2fdebd2d0ac4b1f9105f48bbcf8b147eb28597a: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/60a6d1e2ea4b57394628fd223d43398b2d0aeb02553658569d36642f29e2f54f: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/650971d785224bf9680dca1cc43ce5546a9afb78dcf6baf4944862816ab6f4f4: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ad29695e333a311c59c9dda73adc6154b9739f4486b4ff889fc6e053aae0b2a: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/7ef53aea7f4308b24db56737ae4ef9d188cdf947639bf078306da599990a2784: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/94d57e96cb9ba8a0bc04293c5f63ed35e7347578eeec801be0cb554c86d0862e: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/aab526b32d703fd9273635393011a05c9c3f6204854367eb0eb80894bbcfdd42: Unix.Dropper.Mirai-7540609-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/b086aa8017a7966f38c8dbed3268b4de938bbba1ce7317d99fc47ccb7c191965: OK
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/d57c54d74ba0f94e37798d0ee3f81ebfd44aebd4004f7cd30d584243083e1e01: Unix.Dropper.Mirai-7540608-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/da7596a5308afddaa2197d62446761b9b437d423e57e7599a57d7ec65e342dce: Unix.Dropper.Mirai-7540610-0 FOUND
/home/dmknght/Desktop/MalwareLab/Linux-Malware-Samples/eb67c56ec169940481e075a6b638d5f16e324aef6c2afcb8c4491b7ec1ed0058: Unix.Trojan.Gafgyt-9821959-0 FOUND

2 other files were not detected by Clam, 3 other Mirai variants, 1 other Gafgypt variant (previous was Unix.Trojan.Gafgyt-6981154-0)

$cat result3 | grep Mirai | cut -d ":" -f 2 | sort | uniq | wc -l
3

=> Section hashing works for Malwares out there. With the result, we can say this method helps detect some new variants, increase performance (hashing vs aho corrasick whole files, c'on), and reduce size of database. However, it can be bypassed easily and there are variants must use string based detection.

Final yara rule.

import "elf"
import "hash"

rule Linux_Mirai_section_hash
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "b748e0aa34cc3bb4dcf0f803be00e8ae"
    )
}

rule Linux_Mirai_section_hash_2
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "90d8eebc2a34162c49ec31cfc660cec1"
    )
}

rule Linux_Mirai_section_hash_3
{
  condition:
    uint32(0) == 0x464c457f and
    for any i in (0 .. elf.number_of_sections - 1): (
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "68dd3bd106aab3e99d9a65e4f9bfa7f1" or
      hash.md5(elf.sections[i].offset, elf.sections[i].size) == "a4b1a9d3f3622ccb54e615de8005f87f"
    )
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment