Procedia Computer Science

Identification of toolchains used to build IoT malware with statically linked libraries

Abstract

The proliferation of IoT devices has caused an increase in malware. Much IoT malware statically links library functions, and symbols such as function names and addresses are stripped, which hinders function-level analysis. We previously showed that pattern matching could identify all library functions statically linked into IoT malware for Intel 80386, as well as all toolchains used to build those samples, but it remained unclear whether our method could identify the toolchains used to build IoT malware for other architectures. In this paper, we extend our previous method to identify toolchains used to build IoT malware not only for Intel 80386 but also for other architectures: ARC, ARM 32-bit, MIPS 32-bit, MIPS 64-bit, m68k, PowerPC, sh4, SPARC, and x86-64. Evaluation of toolchain identification on 3,991 malware samples showed that our method identified all toolchains used to build them. Only 14 toolchains had been used to build the samples, and all of them are available on the Web. We found that 91.4% of the samples for architectures other than Intel 80386 were built with the toolchain described in the installation guide of Mirai, which was similar to the one used for Intel 80386. To share the results of this study with the antimalware community, we have published on GitHub a list of the toolchain name of each sample and the names and addresses of the library functions linked into each sample.
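The abstract describes the core idea only in outline: library functions that were statically linked and then stripped can still be recognised by byte-pattern signatures, and because each toolchain emits its own code for the same function, the set of matching signatures also reveals which toolchain built the sample. The following Python script is an added illustration of that workflow and is not code from the paper or its GitHub repository. The signature database, the toolchain names (`toolchain-A`, `toolchain-B`) and the "binary" it scans are all constructed for the example; the byte patterns are invented stand-ins, not signatures of any real libc or compiler, and `??` marks operand bytes (addresses, call displacements) that linking fills in and that a signature must therefore treat as wildcards.

```python
"""Signature-based recovery of stripped, statically linked library functions
and of the toolchain that emitted them (constructed illustration).

Everything here is made up for the example: the toolchain names, the byte
patterns and the sample binary are not real compiler output."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# A pattern is a list of byte values; None is a wildcard for bytes that the
# linker fills in (absolute addresses, call/jump displacements) and that
# therefore differ between binaries built from the same library object.
Pattern = List[Optional[int]]


def parse_pattern(text: str) -> Pattern:
    """'55 89 e5 e8 ?? ?? ?? ??' -> [0x55, 0x89, 0xe5, 0xe8, None, None, None, None]"""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Constructed signature database: toolchain -> {library function: pattern}.
# The same function gets a different body from each toolchain, which is what
# lets a match on several functions also pin down the toolchain.
SIGNATURES: Dict[str, Dict[str, Pattern]] = {
    "toolchain-A": {  # hypothetical 32-bit toolchain
        "strlen": parse_pattern("55 89 e5 8b 45 08 31 c9 80 38 00 74 ?? 41 40 eb f7"),
        "memcpy": parse_pattern("55 89 e5 57 56 8b 7d 08 8b 75 0c 8b 4d 10 f3 a4 5e 5f 5d c3"),
        "socket": parse_pattern("b8 66 00 00 00 bb 01 00 00 00 e8 ?? ?? ?? ?? c3"),
    },
    "toolchain-B": {  # hypothetical 64-bit toolchain
        "strlen": parse_pattern("31 c0 48 8b 7c 24 08 80 3c 07 00 74 ?? 48 ff c0 eb f5"),
        "memcpy": parse_pattern("48 89 f8 48 89 d1 f3 a4 c3"),
        "socket": parse_pattern("b8 29 00 00 00 0f 05 c3"),
    },
}


def match_at(data: bytes, off: int, pat: Pattern) -> bool:
    """True if pattern `pat` matches `data` at offset `off` (wildcards match anything)."""
    if off + len(pat) > len(data):
        return False
    return all(p is None or data[off + i] == p for i, p in enumerate(pat))


def find_library_functions(data: bytes, base: int = 0) -> Dict[str, List[Tuple[str, int]]]:
    """Scan the whole image and return toolchain -> [(function name, virtual address)].

    `base` is the load address of `data`, so reported addresses are what an
    analyst would label in a disassembler rather than raw file offsets."""
    hits: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for toolchain, funcs in SIGNATURES.items():
        for name, pat in funcs.items():
            for off in range(len(data) - len(pat) + 1):
                if match_at(data, off, pat):
                    hits[toolchain].append((name, base + off))
    return dict(hits)


def identify_toolchain(hits: Dict[str, List[Tuple[str, int]]]) -> Optional[str]:
    """Pick the toolchain whose signatures explain the most library functions.

    Returns None when nothing matched or when two toolchains tie, so an
    ambiguous sample is flagged for manual review instead of being mislabelled."""
    if not hits:
        return None
    ranked = sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)
    if len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1]):
        return None
    return ranked[0][0]


def function_listing(hits: Dict[str, List[Tuple[str, int]]], toolchain: str) -> List[str]:
    """Human-readable 'name @ address' lines for the identified toolchain."""
    return [f"{name} @ 0x{addr:08x}" for name, addr in sorted(hits.get(toolchain, []))]


def instantiate(pat: Pattern, fill: bytes) -> bytes:
    """Fill a signature's wildcards with concrete operand bytes.
    Used only to build the constructed sample binary below."""
    it = iter(fill)
    return bytes(next(it) if b is None else b for b in pat)


# Constructed sample "binary": padding, then three functions as toolchain-A
# would have emitted them, with concrete displacement/address bytes filled in.
SAMPLE_BASE = 0x08048000
SAMPLE = (
    b"\xcc" * 16
    + instantiate(SIGNATURES["toolchain-A"]["strlen"], b"\x06")
    + b"\x90" * 4
    + instantiate(SIGNATURES["toolchain-A"]["memcpy"], b"")
    + b"\x90" * 4
    + instantiate(SIGNATURES["toolchain-A"]["socket"], b"\x10\x00\x00\x00")
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = find_library_functions(SAMPLE, SAMPLE_BASE)
    tc = identify_toolchain(found)
    print("toolchain:", tc)
    for line in function_listing(found, tc or ""):
        print(" ", line)
```

The scan is a plain sliding window, which is adequate for a demonstration but quadratic in the worst case; a production signature matcher would index patterns by their leading fixed bytes or use a multi-pattern automaton. The tie rule in `identify_toolchain` is the practical safeguard: a sample that matches two toolchains equally well is reported as undetermined rather than assigned to whichever came first in the database.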