Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux

doi:10.3969/j.issn.1671-1122.2020.11.005

Abstract

Abstract:

In recent years, with the continuous development of the Internet, network security problems emerge endlessly. When fighting against network security threats, forensics has always been a big problem. Especially for Linux platform, most mainstream Linux open source forensics tools are currently lagging behind, inefficient and unable to obtain evidence from the hidden Trojans. In the research of Linux forensics, because the Rootkit Trojan has the characteristics of strong concealment and great harm, traditional detection methods are difficult to carry out effective detection. In order to solve the above problems, starting from the behavior and implementation technology of Rootkit, this paper studies and analyzes its startup mechanism and memory resident mechanism, extracts malicious code behaviors as detection features, and proposes a Linux malicious code forensics method based on Rootkit hidden behavior characteristics. The experimental results show that the forensics method proposed in this paper has a good detection effect and forensics effect for various types of Linux malicious code, and has obvious advantages in detection effect compared with traditional forensics methods.

Key words: computer forensics, Rootkit, malicious code, Linux system

CLC Number:

TP309

WEN Weiping, CHEN Xiarun, YANG Fachang. Malicious Code Forensics Method Based on Hidden Behavior Characteristics of Rootkit on Linux[J]. Netinfo Security, 2020, 20(11): 32-42.

Figures/Tables 11

References 29

[1]	DAFOULAS G A, NEILSON D, HARA S. State of the Art in Computer Forensic Education-A Review of Computer Forensic Programmes in the UK, Europe and US[C]//IEEE. 2017 International Conference on New Trends in Computing Sciences (ICTCS), October 11-13, 2017, Amman, Jordan. NJ: IEEE, 2017: 144-154.
[2]	SI Tianhao, ZHANG Yi, LUO Yuqing. Overview of Linux Rootkit Implementation and Detection Technology[C]// CCF. ICoC. July 10, 2013, Zhangjiajie, China. Beijing: CCF, 2013: 123-128.
	斯添浩, 张怡, 罗雨青. Linux Rootkit实现与检测技术综述[C]// 中国计算机学会.中国互联网学术年会,2013-7-10,张家界,中国.北京:中国计算机学会, 2013: 123-128.
[3]	LILLIS D, BECKER B, O'SULLIVAN T, et al. Current Challenges and Future Research Areas for Digital Forensic Investigation[EB/OL]. https://www.researchgate.net/publication/292996779_Current_Challenges_and_Future_Research_Areas_for_Digital_Forensic_Investigation, 2020-4-19.
[4]	LIU Tao. Research and Implementation of Evidence Collection Based on Linux System[D]. Chengdu: University of Electronic Science and Technology of China, 2011.
	刘涛. 基于Linux系统的证据收集研究与实现[D]. 成都:电子科技大学, 2011.
[5]	QIAN Zhigao. Research on Forensics Methods in Computer Intrusion Events[J]. Network Security Technology & Application, 2020,20(4):152-153.
	钱志高. 计算机入侵事件中的取证方法探究[J]. 网络安全技术与应用, 2020,20(4):152-153.
[6]	LIU Xiaoli, XU Bohe. Method and Practice of Network Intrusion Forensics Based on Linux System[J]. Network Security Technology & Application, 2016,16(10):34-35.
	刘晓丽, 徐博赫. 基于Linux系统的网络入侵取证方法与实践[J]. 网络安全技术与应用, 2016,16(10):34-35.
[7]	HIRANO M, KOBAYASHI R. Machine Learning Based Ransomware Detection Using Storage Access Patterns Obtained From Live-forensic Hypervisor[C]//IEEE. 2019 Sixth International Conference on Internet of Things: Systems, Management and Security (IOTSMS), October 22-25, 2019, Granada, Spain. NJ: IEEE, 2019: 1-6.
[8]	YARI I A, ZARGARI S. An Overview and Computer Forensic Challenges in Image Steganography[C]//IEEE. 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), June 21-23, 2017, Exeter, UK. NJ: IEEE, 2017: 360-364.
[9]	LI Tonghong, WANG Ning, LIU Zhijun. Data Hiding and Anti-forensic on Modern Computer System[J]. Computer Systems & Applications, 2013,22(5):1-4, 37.
	李佟鸿, 王宁, 刘志军. 计算机系统信息隐藏反取证技术[J]. 计算机系统应用, 2013,22(5):1-4,37.
[10]	AL FAHDI M, CLARKE N L, LI Fudong, et al. A Suspect-oriented Intelligent and Automated Computer Forensic Analysis[J]. Digital Investigation, 2016,18(9):65-76. doi: 10.1016/j.diin.2016.08.001 URL
[11]	TORASKAR T, BHANGALE U, PATIL S, et al. Efficient Computer Forensic Analysis Using Machine Learning Approaches[C]//IEEE. 2019 IEEE Bombay Section Signature Conference (IBSSC), July 26-28, 2019, Mumbai, India. NJ: IEEE, 2019: 1-5.
[12]	ZHANG Yu, LIU Qingzhong, LI Tao, et al. Research and Development of Rootkit[J]. Journal of University of Electronic Science and Technology of China, 2014,44(4):563-578.
	张瑜, 刘庆中, 李涛, 等. Rootkit研究综述[J]. 电子科技大学学报, 2014,44(4):563-578.
[13]	LIANG Shengrong, FAN Mingyu, WANG Guangwei, et al. New Method of Detecting Kernel-level Rootkit[J]. Application Research of Computers, 2009,26(8):3047-3049.
	梁升荣, 范明钰, 王光卫, 等. 一种新的内核级Rootkit的检测方法[J]. 计算机应用研究, 2009,26(8):3047-3049.
[14]	YAN Renzhong, ZHONG Xichang, ZHANG Ni. A Method to Automatically Detect and Recover from Kernel Level Rootkit[J]. Computer Engineering, 2006,32(10):77-79.
	颜仁仲, 钟锡昌, 张倪. 一种自动检测内核级Rootkit并恢复系统的方法[J]. 计算机工程, 2006,32(10):77-79.
[15]	MUSAVI S A, KHARRAZI M. Back to Static Analysis for Kernel-level Rootkit Detection[J]. IEEE Transactions on Information Forensics and Security, 2014,9(9):1465-1476.
[16]	CHEN Yuanpeng, LI Yongzhong. Analysis and Detect of Kernel-level Rootkit in Linux Platform[J]. Electronic Design Engineering, 2017,25(1):39-42.
	陈远鹏, 李永忠. Linux平台下Rootkit木马分析与检测[J]. 电子设计工程, 2017,25(1):39-42.
[17]	FANG Haifeng, ZHAO Yiqiang, ZANG Hongyong, et al. VMGuard: An Integrity Monitoring System for Management Virtual Machines[C]//IEEE. 2010 IEEE International Conference on Parallel & Distributed Systems, December 8-10, 2010, Shanghai, China. NJ: IEEE, 2011: 67-74.
[18]	BEHROZINIA S, AZMI R. KLrtD: Kernel Level Rootkit Detection[C]//IEEE. 2014 22nd Iranian Conference on Electrical Engineering (ICEE), May 20-22, 2014, Tehran, Iran. NJ: IEEE, 2014: 1058-1063.
[19]	LUCKETT P, MCDONALD J T, DAWSON J. Neural Network Analysis of System Call Timing for Rootkit Detection[C]//IEEE. 2016 Cybersecurity Symposium (CYBERSEC), April 18-20, 2016, Coeur d'Alene, ID, USA. NJ: IEEE, 2016: 1-6.
[20]	LOBO D, WATTERS P, WU Xinwen. Identifying Rootkit Infections Using Data Mining[C]//IEEE. 2010 International Conference on Information Science and Applications, April 21-23, 2010, Seoul, South Korea. NJ: IEEE, 2010: 1-7.
[21]	JOY J, JOHN A. A Host Based Kernel Level Rootkit Detection Mechanism Using Clustering Technique[M]// Springer. Trends in Computer Science, Engineering and Information Technology. Heidelberg: Springer, Berlin, Heidelberg, 2011: 564-570.
[22]	FENG Peijun, ZHANG Ping, CHEN Zhifeng, et al. Design and Implementation of a New Linux Kernel-Level Rootkit[J]. Journal of Information Engineering University, 2016,17(2):231-237.
	冯培钧, 张平, 陈志锋, 等. 一种新型Linux内核级Rootkit设计与实现[J]. 信息工程大学学报, 2016,17(2):231-237.
[23]	WANG Xueyang, KARRI R. Reusing Hardware Performance Counters to Detect and Identify Kernel Control-Flow Modifying Rootkits[J]. IEEE Transactions on Computer-aided Design of Integrated Circuits and Systems, 2016,35(3):485-498.
[24]	ZHOU Liwei, MAKRIS Y. Hardware-assisted Rootkit Detection via On-line Statistical Fingerprinting of Process Execution[C]//IEEE. 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE), March 19-23, 2018, Dresden, Germany. NJ: IEEE, 2018: 1580-1585.
[25]	PETRONI N L, FRASER T, MOLINA J, et al. Copilot-a coprocessor-based Kernel Runtime Integrity Monitor[C]//USENIX. The 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA, USA. Berkeley: USENIX Association, 2004: 13.
[26]	AKAO Y, YAMAUCHI T. KRGuard: Kernel Rootkits Detection Method by Monitoring Branches Using Hardware Features[C]//IEEE. 2016 International Conference on Information Science and Security (ICISS), December 19-22, 2016, Pattaya, Thailand. NJ: IEEE, 2016: 1-5.
[27]	MOON H, LEE H, HEO I, et al. Detecting and Preventing Kernel Rootkit Attacks with Bus Snooping[J]. IEEE Transactions on Dependable and Secure Computing, 2015,14(2):145-157.
[28]	CARRIER B D, GRAND J. A Hardware-based Memory Acquisition Procedure for Digital Investigations[J]. Journal of Digital Investigation, 2004,1(1):50-60.
[29]	BBN Technologies. Fred: Forensic Ram Extraction Device[EB/OL]. http://www. ir. bbn. com/vkawadia/, 2012-12-10.

木马名称	木马简介
Remaiten	拥有扫描器、下载器和后门功能,目的在于入侵和控制一些运行的Linux系统目标,部署僵尸网络
Billgates	近年来较活跃的DDoS僵尸网络木马,通过部署木马所控制的傀儡机壮大僵尸网络
Reptile	Github上的LKM Rootkit,经常被黑客使用进行Rootkit隐藏
WNPS	Adore-ng木马的加强版,使用加密通信,在Linux 2.6.x内核中通用,隐蔽性很高
Ddrk	结合shv木马和adore-ng木马的特点、内核级别的Rootkit木马

木马名称	用户层检测结果	内核层检测结果	流量分析	是否检出木马
Remaiten	隐藏文件	无检测结果	恶意域名	是
Billgates	隐藏进程、隐藏文件、隐藏网络连接	隐藏进程、隐藏文件、隐藏网络连接	恶意IP	是
Reptile	隐藏端口	隐藏文件、隐藏网络连接、隐藏内核模块	无检测结果	是
WNPS	无检测结果	隐藏文件、隐藏进程、隐藏内核模块、关键数据结构篡改	无检测结果	是
Ddrk	隐藏进程	隐藏网络连接、隐藏进程、隐藏文件、关键数据结构篡改	无检测结果	是
Unknow1	隐藏端口	隐藏网络连接、隐藏文件、隐藏内核模块	恶意域名	是
Unknow2	无检测结果	隐藏内核模块、隐藏进程、关键数据结构篡改	无检测结果	是

木马取证工具	Remaiten	Billgates	Reptile	WNPS	Ddrk	Unknow1	Unknow2
Rkhunter	√	√	?	√	√	?	?
ChkRootkit	√	√	√	√	?	?	?
本文方法	√	√	√	√	√	√	√