Vol. 10 No. 1 (2025): Proceedings of Botconf 2025
Conference proceedings

mirai-toushi: Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script

Shun Morishita
IIJ
Satoshi Kobayashi
IIJ
Eisei Hombu
IIJ

Published 2025-06-05

Keywords

  • Botnet
  • Malware
  • IoT

How to Cite

Morishita, S., Kobayashi, S., & Hombu, E. (2025). mirai-toushi: Cross-Architecture Mirai Configuration Extractor Utilizing Standalone Ghidra Script. The Journal on Cybercrime and Digital Investigations, 10(1), 1-11. https://doi.org/10.18464/cybin.v10i1.56

Abstract

In recent years, IoT malware has frequently launched DDoS attacks, causing massive damage to ISPs. Since Mirai and its variants account for the vast majority of IoT malware, security researchers develop configuration extraction tools to understand its characteristics. However, because Mirai is built for diverse architectures (e.g., ARM, MIPS, and PowerPC), developing such tools is challenging; indeed, existing tools support only one or two architectures.

In this study, we utilize the Ghidra decompiler and its intermediate representation, P-Code, to reduce architecture-dependent code, and develop the Mirai configuration extractor "mirai-toushi", which supports 8 architectures.

To evaluate mirai-toushi against real-world malware, we applied it to 2,426 samples collected by a honeypot/IPS from March 2020 to March 2024. The existing tool extracted 673 tables containing data such as C2 server destinations and DoS parameters, while mirai-toushi extracted 1,743 tables. In addition, mirai-toushi extracted 1,641 password lists. The results show that mirai-toushi can extract Mirai configurations effectively. So that it can be widely used by security researchers, we have made mirai-toushi publicly available on GitHub.
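As an added illustration of the table format a Mirai configuration extractor has to undo (example code written for this page, not code from mirai-toushi or the paper), the block below reproduces the byte-wise XOR obfuscation of the original Mirai source's table.c, whose table_key is 0xdeadbeef, and shows why a variant's changed key can be recovered as a single effective XOR byte. The sample entries are constructed here and are not real indicators; mirai-toushi itself works on Ghidra P-Code rather than on raw bytes as this example does.

```python
from typing import List, Optional

# Original Mirai table_key (table.c); variants often change this value.
TABLE_KEY = 0xDEADBEEF


def key_bytes(table_key: int) -> List[int]:
    """Split the 32-bit key into the four bytes Mirai's toggle_obf applies in turn."""
    return [(table_key >> shift) & 0xFF for shift in (0, 8, 16, 24)]


def toggle_obf(data: bytes, table_key: int = TABLE_KEY) -> bytes:
    """XOR every byte with k1, k2, k3, k4 in turn. The operation is an involution:
    applying it twice returns the input, so the same routine obfuscates and decodes."""
    k1, k2, k3, k4 = key_bytes(table_key)
    return bytes(b ^ k1 ^ k2 ^ k3 ^ k4 for b in data)


def decode_table_entry(blob: bytes, table_key: int = TABLE_KEY) -> str:
    """Decode an entry stored with its trailing NUL (table.c convention) and strip it."""
    plain = toggle_obf(blob, table_key)
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Because the four key bytes collapse to one effective XOR byte, an unknown
    variant key can be recovered by trying all 256 candidates and keeping the one
    that yields printable ASCII followed by the NUL terminator."""
    for k in range(256):
        plain = bytes(b ^ k for b in blob)
        if plain.endswith(b"\x00") and plain[:-1] and all(
            0x20 <= c < 0x7F for c in plain[:-1]
        ):
            return k
    return None


# Constructed sample entries, obfuscated with the original key (not real IoCs).
SAMPLE_USER = toggle_obf(b"root\x00")
SAMPLE_CNC = toggle_obf(b"cnc.example.invalid\x00")

if __name__ == "__main__":
    print(SAMPLE_USER.hex(), "->", decode_table_entry(SAMPLE_USER))
    print("effective key byte:", hex(recover_xor_key(SAMPLE_CNC)))
```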
