Botconf Author Listing

Shun Morishita


Last known affiliation: Internet Initiative Japan Inc.
Bio: Shun Morishita is an analyst at Internet Initiative Japan Inc. (IIJ), a Japanese ISP. Since 2020, he has been analyzing security logs and malware. His primary focus is on analyzing IoT malware to mitigate DDoS attacks. During his studies at Yokohama National University, he conducted security research on IoT/Web honeypots.
TLP:CLEAR
Date: 
mirai-toushi: Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script
Shun Morishita 🗣 | Satoshi Kobayashi | Eisei Hombu

Abstract

In recent years, IoT malware has frequently launched DDoS attacks, causing massive damage to ISPs. Since Mirai and its variants account for the vast majority of IoT malware, security researchers develop configuration extraction tools to understand their characteristics. However, because Mirai is built for diverse architectures (e.g., ARM, MIPS, and PowerPC), developing such tools is challenging. Indeed, existing tools support only one or two architectures.

In this study, we utilize the Ghidra decompiler and its intermediate representation, P-Code, to reduce architecture-dependent code, and develop the Mirai configuration extractor “mirai-toushi”, which supports 8 architectures.

To evaluate mirai-toushi against real-world malware, we applied it to 2,426 malware samples collected via honeypot/IPS from March 2020 to March 2024. The existing tool extracted 673 tables containing data such as C2 server destinations and DoS parameters, while mirai-toushi extracted 1,743 tables. In addition, mirai-toushi extracted 1,641 password lists. The results show that mirai-toushi can extract Mirai configurations effectively. So that it can be widely used by security researchers, we have made mirai-toushi publicly available on GitHub.
