DNIC Architectural Developments for 0-Knowledge Detection of OPC Malware
IEEE Transactions on Dependable and Secure Computing (IF 7.3), Pub Date: 2021-01-01, DOI: 10.1109/tdsc.2018.2872536
Julian Rrushi

We present an anti-malware solution that is able to reliably detect Object Linking and Embedding for Process Control (OPC) malware on machines in production. Detection is attained on the very first encounter with OPC malware, and hence without any prior knowledge of their code and data. We architected the integration of a decoy network interface controller (DNIC) with a layer of kernel code that emulates a target OPC machine. A DNIC displays a (nonexistent) network, which the compromised machine appears to be connected to. OPC emulation displays a valid (but nonexistent) target OPC machine, which appears to be reachable from the compromised machine over the (nonexistent) network. Our code intercepts OPC malware during their search for target machines over the network. Its overall architecture is crafted to validate the infection by leveraging OPC protocol mechanics. The same principles of operation are used to recognize goodware that accesses a DNIC by accident. Safe co-existence with production functions and real I/O devices is ensured by a monitor filter driver, which removes all decoy data bound for the monitor. We tested our DNIC architectural developments against numerous OPC malware samples involved in the Dragonfly cyber espionage campaign, and discuss the findings in the paper.

Updated: 2021-01-01