dc.description.abstract | For the past half century, with the Windows operating system dominating the personal computer market, the contest between security researchers and attackers has focused mainly on Windows-based malware. Recently, with the growth of the IoT (Internet of Things), more embedded devices run the Linux operating system, which supports many kinds of processor architecture.
Experience with Windows-based malware shows that, in this “cat and mouse game” between attackers and security researchers, malware writers have applied virtual machine detection (anti-VM, evasive) mechanisms to hinder analysis by malware analysts, since virtual machines and sandboxes are widely used to analyze malware. Although this is not yet a trend in Linux malware, we expect more Linux malware to adopt virtual machine detection to avoid analysis.
Such malware usually changes its behavior once it detects that it is running in a virtual machine. In this paper, we focus on the evasive methods used by Linux-based malware and propose a mechanism to detect this evasive behavior, called VMDMD (Virtual Machine Detection-based Malware Defender). VMDMD forks a second copy of the target process (hereafter the FDP, Fake Data Process) and feeds it fake information so that it behaves as if it were in a virtual machine, tracing its execution and results. It then resumes the target program with the real information and stops its execution as soon as it behaves differently from the FDP. | en_US |
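The differential idea behind VMDMD, as an added illustration that is not the paper's code: the same target logic is run once against a fake "inside a VM" view of the host and once against the real view, the actions of each run are traced, and the real run is cut off at the first step where it departs from the fake-data run. The two probe paths are real Linux locations, but their contents, the two toy targets and all function names are constructed for this example; the paper's real mechanism traces a forked process, whereas this toy drives a plain Python callable.

```python
from typing import Callable, Dict, List, Optional

Trace = List[str]
ReadFile = Callable[[str], str]
Target = Callable[[ReadFile, Trace], None]

# Constructed views of files an evasive sample may probe. The paths are real
# Linux locations; the file contents are made up for this example.
FAKE_VM_VIEW: Dict[str, str] = {
    "/sys/class/dmi/id/product_name": "VirtualBox\n",
    "/proc/cpuinfo": "flags\t\t: fpu vme de pse hypervisor\n",
}
REAL_HOST_VIEW: Dict[str, str] = {
    "/sys/class/dmi/id/product_name": "ThinkPad X1\n",
    "/proc/cpuinfo": "flags\t\t: fpu vme de pse\n",
}


def evasive_sample(read_file: ReadFile, trace: Trace) -> None:
    """Constructed stand-in for an evasive sample: it probes two VM indicators
    and stays dormant when it believes it is being analysed."""
    product = read_file("/sys/class/dmi/id/product_name")
    trace.append("probe:dmi")
    cpu = read_file("/proc/cpuinfo")
    trace.append("probe:cpuinfo")
    if "VirtualBox" in product or "hypervisor" in cpu:
        trace.append("sleep_and_exit")
        return
    trace.append("write:/tmp/stage2")
    trace.append("exec:/tmp/stage2")


def benign_sample(read_file: ReadFile, trace: Trace) -> None:
    """Constructed non-evasive stand-in: it reads the same file but behaves
    identically whatever the answer is."""
    read_file("/sys/class/dmi/id/product_name")
    trace.append("probe:dmi")
    trace.append("write:/tmp/report.txt")


def run_in_view(target: Target, view: Dict[str, str]) -> Trace:
    """Run `target` with every file read answered from `view` and return the
    ordered list of actions it took (the toy equivalent of tracing the FDP or
    the real process)."""
    def read_file(path: str) -> str:
        return view.get(path, "")
    trace: Trace = []
    target(read_file, trace)
    return trace


def first_divergence(a: Trace, b: Trace) -> Optional[int]:
    """Index of the first step where two traces differ, or None if identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def detect_evasion(target: Target,
                   fake_view: Dict[str, str] = FAKE_VM_VIEW,
                   real_view: Dict[str, str] = REAL_HOST_VIEW) -> dict:
    """VMDMD-style differential check: fake-data run first, real run second,
    and the real run is reported only up to its first divergent step. The
    paper halts the real process at that point; this toy computes the whole
    trace and truncates it, which is equivalent for comparison purposes."""
    fdp_trace = run_in_view(target, fake_view)
    real_trace = run_in_view(target, real_view)
    idx = first_divergence(fdp_trace, real_trace)
    if idx is None:
        return {"evasive": False, "divergence": None,
                "fdp": fdp_trace, "real": real_trace}
    return {"evasive": True, "divergence": idx,
            "fdp": fdp_trace, "real": real_trace[: idx + 1]}


if __name__ == "__main__":
    for name, sample in (("evasive", evasive_sample), ("benign", benign_sample)):
        print(name, detect_evasion(sample))
```

A sample that never consults VM indicators, or consults them without changing course, produces identical traces in both runs and is reported as non-evasive; only a behavioural split between the fake-data run and the real run raises the flag, which is what makes the comparison specific to evasion rather than to merely reading `/proc/cpuinfo`.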