Satoshi Kobayashi
Last known affiliation: Internet Initiative Japan Inc.
Bio: Satoshi Kobayashi is an analyst at Internet Initiative Japan Inc. (IIJ), a Japanese ISP. Since 2017, he has been analyzing security logs and building machine learning systems. His primary focus is on applying statistical methods and machine learning techniques to design advanced security systems. Prior to his current role, he worked as a software engineer, engaging in the development of network and cloud technologies.
Shun Morishita 🗣 | Satoshi Kobayashi | Eisei Hombu
Abstract
In recent years, IoT malware has frequently launched DDoS attacks, causing massive damage to ISPs. Since Mirai and its variants account for the vast majority of IoT malware, security researchers develop configuration-extracting tools to understand its characteristics. However, because Mirai is built for diverse architectures (e.g., ARM, MIPS, and PowerPC), developing such tools is challenging. Indeed, existing tools support only one or two architectures.
In this study, we utilize the Ghidra decompiler and its intermediate representation, P-Code, to reduce architecture-dependent code, and develop the Mirai configuration extractor "mirai-toushi", which supports 8 architectures.
To evaluate mirai-toushi against real-world malware, we applied it to 2,426 samples collected by honeypots and IPS from March 2020 to March 2024. The existing tool extracted 673 tables containing data such as C2 server destinations and DoS parameters, while mirai-toushi extracted 1,743 tables. In addition, mirai-toushi extracted 1,641 password lists. The results show that mirai-toushi can extract Mirai configurations effectively. To be widely used by security researchers, we have made mirai-toushi publicly available on GitHub.
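The abstract does not describe what a recovered Mirai configuration table looks like once the architecture-specific work of locating it is done. The following added example (not code from mirai-toushi or the authors) shows the architecture-independent last step: decoding table entries. It assumes the obfuscation from the original Mirai source (table.c), where every entry byte is XORed in turn with the four bytes of a 32-bit key, 0xdeadbeef by default; the entry names, the sample values and the big-endian 2-byte port encoding are likewise assumptions based on that source, not on the abstract.

```python
import struct

# Mirai's default table_key (assumption from the original source, not the abstract)
MIRAI_DEFAULT_KEY = 0xDEADBEEF

def effective_key_byte(key: int) -> int:
    """Mirai XORs each byte with k1, k2, k3 and k4 in turn; that collapses to one byte."""
    return (key & 0xFF) ^ ((key >> 8) & 0xFF) ^ ((key >> 16) & 0xFF) ^ ((key >> 24) & 0xFF)

def toggle(data: bytes, key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """Symmetric lock/unlock of a table entry: applying it twice returns the input."""
    kb = effective_key_byte(key)
    return bytes(b ^ kb for b in data)

def decode_entry(blob: bytes, key: int = MIRAI_DEFAULT_KEY):
    """Decode one obfuscated entry into a port number, a string, or raw bytes."""
    plain = toggle(blob, key)
    if len(plain) == 2:                       # 2-byte entries hold a big-endian port
        return struct.unpack(">H", plain)[0]
    text = plain.split(b"\x00", 1)[0]         # string entries are NUL-terminated
    if text and all(c in (9, 10, 13) or 32 <= c < 127 for c in text):
        return text.decode("ascii")
    return plain                              # anything else stays opaque bytes

def decode_table(entries: dict, key: int = MIRAI_DEFAULT_KEY) -> dict:
    """Decode a whole table {entry name: obfuscated bytes} into readable values."""
    return {name: decode_entry(blob, key) for name, blob in entries.items()}

# Constructed sample: plaintext values locked with the default key, standing in
# for the bytes an extractor would read out of the binary's table section.
SAMPLE_PLAIN = {
    "TABLE_CNC_DOMAIN": b"c2.example.invalid\x00",
    "TABLE_CNC_PORT": struct.pack(">H", 23),
    "TABLE_SCAN_CB_PORT": struct.pack(">H", 48101),
    "TABLE_ATK_KEEP_ALIVE": b"Connection: keep-alive\r\n\x00",
}
SAMPLE_LOCKED = {name: toggle(value) for name, value in SAMPLE_PLAIN.items()}

if __name__ == "__main__":
    for name, value in decode_table(SAMPLE_LOCKED).items():
        print(f"{name:22} {value!r}")
```

Because the four key bytes collapse to a single XOR byte, a sample that changes the key still yields readable strings once that one byte is recovered, which is what makes the decoding step cheap compared with locating the table on each architecture.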
