Article

DNIC Architectural Developments for 0-Knowledge Detection of OPC Malware

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TDSC.2018.2872536

Keywords

Industrial control systems; malware; defensive deception

Funding

  1. Air Force Office of Scientific Research [FA7000-16-2-0002]
  2. U.S. Air Force Academy Center for Cyberspace Research [FA7000-16-2-0002]

The anti-malware solution presented in the study reliably detects Object Linking and Embedding for Process Control (OPC) malware on production machines by integrating a decoy network interface controller with a layer of kernel code that emulates a target OPC machine. The architecture intercepts OPC malware during their search for target machines on the network and validates the infection by leveraging OPC protocol mechanics. Safe co-existence with production functions and real I/O devices is ensured through a monitor filter driver that removes decoy data bound for the monitor.
We present an anti-malware solution that is able to reliably detect Object Linking and Embedding for Process Control (OPC) malware on machines in production. Detection is attained on the very first encounter with OPC malware, and hence without any prior knowledge of their code and data. We architected the integration of a decoy network interface controller (DNIC) with a layer of kernel code that emulates a target OPC machine. A DNIC displays a (nonexistent) network, which the compromised machine appears to be connected to. OPC emulation displays a valid (but nonexistent) target OPC machine, which appears to be reachable from the compromised machine over the (nonexistent) network. Our code intercepts OPC malware during their search for target machines over the network. Its overall architecture is crafted to validate the infection by leveraging OPC protocol mechanics. The same principles of operation are used to recognize goodware that accesses a DNIC by accident. Safe co-existence with production functions and real I/O devices is ensured by a monitor filter driver, which removes all decoy data bound for the monitor. We tested our DNIC architectural developments against numerous OPC malware samples involved in the Dragonfly cyber espionage campaign, and discuss the findings in the paper.
