Thesis record 107522021: detailed information




Author: 許瓈方 (Li-Fang Hsu)    Department: Computer Science and Information Engineering
Title: VMDMD: A Solution to Defend a Linux System against VM-detection-based Malware
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-Time Rootkit Detection System
★ A Detection and Defense Mechanism for Scam SMS Messages on Android Phones
★ SRA: A System Defending against ARP-Spoofing Router Hijacking
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-Time Counterattack System against Remote Buffer Overflow Attacks
★ Real-Time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Full text: available through the repository system after 2026-6-30.
Abstract (Chinese, translated): For the past half century, with the Windows OS dominating the personal-computer market, the battlefield between security researchers and hackers has mainly been Windows-based malware. In recent years, with the development of the IoT (Internet of Things), the Linux operating system, which supports a wider range of architectures, has been deployed on large numbers of small embedded devices, and attackers have gradually turned their attention to Linux.
Judging from the history of Windows-based malware, in this cat-and-mouse game between security researchers and hackers, virtual machines and sandboxes are routinely used by analysts to study malware; to hinder that analysis as much as possible, the great majority of Windows malware developed corresponding VM-detection mechanisms. It is therefore very likely that Linux-based malware will go the same way.
Because such malware behaves differently once it detects that it is running in a virtual machine, this thesis analyzes the VM-detection mechanisms that Linux-based malware uses today and may use in the future, and proposes a method for stopping malware that carries VM-detection logic, named VMDMD, short for Virtual Machine Detection-based Malware Defender. When VMDMD detects that a target process is performing behavior that resembles a VM check, it first forks a new process (abbreviated FDP, Fake Data Process, in this thesis), feeds that process fake data imitating what it would see on a virtual machine, and records its execution flow; it then resumes the original process and compares the two processes' behavior, stopping the process as soon as they differ.
Abstract (English): For the past half century, with the Windows operating system dominating the personal-computer market, the contest between security researchers and attackers has mainly focused on Windows-based malware. Recently, with the development of the IoT (Internet of Things), more embedded devices have adopted the Linux operating system, which supports many kinds of architecture.
Judging from the experience with Windows-based malware in this "cat and mouse game" between attackers and security researchers, malware writers routinely add virtual machine detection (anti-VM, evasive) mechanisms to their malware to prevent analysis by malware analysts, since virtual machines and sandboxes are widely used to analyze malware. Although this is not yet a trend in Linux malware, we expect more Linux malware to adopt virtual machine detection methods to avoid analysis.
Since this kind of malware usually changes its behavior after detecting that it is in a virtual machine, this thesis focuses on the evasive methods used by Linux-based malware and proposes a mechanism for detecting the evasive behavior, called VMDMD (an abbreviation of Virtual Machine Detection-based Malware Defender). When the target process behaves evasively, VMDMD forks it into another process (hereafter called the FDP, Fake Data Process), provides the FDP with fake information, and traces its execution and result. It then resumes the target program with the real information and stops its execution once it behaves differently from the FDP.
Keywords (Chinese, translated): ★ Virtual machine detection ★ Linux malware
Keywords (English): ★ VM detection ★ Linux Malware
Table of contents
Abstract
Acknowledgements
1. Introduction
2. Background
2.1 Virtual machines and VM-detection techniques
2.2 VM-detection techniques in Windows malware
2.3 VM detection in existing Linux malware
2.3.1 Analysis of the Amnesia sample
2.3.2 Related research on Linux malware
2.4 Other ways to identify a virtual machine on Linux
2.5 The procfs and sysfs filesystems in Linux
3. Related Work
4. Design Principle & System Structure
4.1 Design principle
4.2 Execution flow chart
4.3 System components
4.3.1 Main Tracer
4.3.2 FDP Tracer
4.3.3 Fake Data Handler
4.3.4 Comparator
5. Evaluation
5.1 Experimental environment
5.2 Experiments and results
5.2.1 Experiment 1: testing the concealment effect of the Fake Data Handler
5.2.2 Experiment 2: effectiveness of VMDMD
6. Discussion
6.1 Limitation
6.2 Future Works
7. Conclusion
References
Advisor: 許富皓 (Fu-Hau Hsu)    Approval date: 2021-7-27
