
Research On Trojan Detection Technology Base On Linux

Posted on: 2016-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: P Fu
Full Text: PDF
GTID: 2348330488974523
Subject: Computer application technology

Abstract/Summary:
Recently, the share of Linux in the server field has been rising steadily, especially in cloud computing. However, because its source is open, Linux faces increasingly serious security challenges. A kernel-level Rootkit in a Linux environment is malicious software that obtains kernel privileges and can modify all data and code inside the system. Because it is good at hiding and hard to detect, it poses a serious threat to the security of Linux systems. Against this background, research into detection techniques for kernel-level Rootkits is very meaningful.

With the development of QEMU virtualization technology, which supports hardware virtualization, holds kernel-level privileges and isolates the guest system from the host system, a guarantee is provided for detecting kernel-level Rootkits in a Linux environment. Therefore, in theory, kernel-level Rootkits can be detected on the basis of QEMU technology. Based on this rationale, the main content of this paper is how to detect kernel-level Linux Rootkits in a Linux environment using QEMU emulator virtualization technology. This paper mainly contains the following work:

(1) The related technology is analyzed: the properties and principles of the Linux kernel, the features and possible hazards of Rootkits, the core knowledge of Rootkits, QEMU virtualization technology and detection technology based on virtualization.

(2) Three aspects (overall targets, requirements and principles) are analyzed, followed by the traditional detection models and the detection models based on virtual machine technology. Finally, an improved detection model based on virtual machine technology is created. Based on this model, two detection plugins (a static memory analysis plugin and a dynamic process identification plugin) are derived.

(3) Through analysis of QEMU's memory virtualization technology, the static memory analysis plugin is designed and implemented. It consists of dumping the virtual machine's memory and analyzing the memory information.

(4) Through analysis of QEMU's dynamic translation technology, the dynamic process identification plugin is designed and implemented. It consists of capturing processes dynamically and extracting process information.

(5) The two plugins are used to test for and detect the kernel-level Rootkit Suterusu in a Linux system environment, and the related results are presented.

Finally, analysis of the test results shows that the two detection plugins designed in this paper can effectively detect the presence of a kernel-level Rootkit, which shows that the improved Rootkit detection model based on QEMU is feasible.
Keywords/Search Tags:Linux kernel, Rootkit detection, QEMU, System Security
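The two plugins described in the abstract give two views of the guest's process state taken from outside the VM: a static walk over a memory dump and a dynamic capture of processes as they execute. The following Python is an added illustration of that cross-view idea, not code from the thesis: it walks a circular task list in a constructed memory image the way a static memory-analysis step would, and diffs the result against the PIDs a dynamic capture reported. The record layout, the guest address of the list head and the sample process names are simplified assumptions, not Linux's real struct task_struct.

```python
import struct

# Constructed, simplified record layout (NOT Linux's real struct task_struct):
#   0x00  u64  next   guest virtual address of the next record (circular list)
#   0x08  u32  pid
#   0x0c  char comm[16]
REC_FMT = "<QI16s"
REC_SIZE = struct.calcsize(REC_FMT)          # 28 bytes
BASE = 0xFFFF000000000000                    # assumed guest address of the list head

def build_image(tasks, orphans=()):
    """Construct a fake memory dump: a circular list of task records at BASE.

    'orphans' are records that exist in memory but are not linked into the list,
    which is what a process unlinked from the kernel's list would look like."""
    n = len(tasks)
    out = bytearray()
    for i, (pid, comm) in enumerate(tasks):
        nxt = BASE + ((i + 1) % n) * REC_SIZE
        out += struct.pack(REC_FMT, nxt, pid, comm.encode())
    for pid, comm in orphans:                # unlinked: nothing points at these
        out += struct.pack(REC_FMT, BASE, pid, comm.encode())
    return bytes(out)

def walk_task_list(image, base=BASE, max_tasks=4096):
    """Static view: walk the circular list in the dump from outside the guest.

    Returns {pid: comm}. The walk is bounded and every pointer is range-checked
    so a corrupted or malicious list cannot send the analyser into a loop or
    out of the dump."""
    seen = {}
    addr = base
    for _ in range(max_tasks):
        off = addr - base
        if off < 0 or off + REC_SIZE > len(image):
            raise ValueError(f"next pointer 0x{addr:x} leaves the dump")
        nxt, pid, comm = struct.unpack_from(REC_FMT, image, off)
        seen[pid] = comm.split(b"\0", 1)[0].decode()
        addr = nxt
        if addr == base:                     # back at the head: list traversed
            return seen
    raise ValueError("task list did not terminate within max_tasks records")

def hidden_processes(static_view, dynamic_pids):
    """Cross-view check: PIDs that were observed executing (dynamic capture)
    but are absent from the static list walk are candidates for a hidden process.
    A PID seen only in the static view is usually just a sleeping task and is not
    reported."""
    return sorted(set(dynamic_pids) - set(static_view))
```

A real plugin would read the dump produced by QEMU and resolve the true kernel offsets for the guest's kernel build; the range checks and the bounded walk are the part worth keeping, since the analyser is parsing data the Rootkit controls.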