Article code | Journal code | Publication year | English article | Full-text version
456361 | 695701 | 2016 | 13-page PDF | Free download
English title of the ISI article
NIC displays to thwart malware attacks mounted from within the OS
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract

This paper describes an OS-resident defensive deception approach, which can neutralize malware that has managed to infect a target machine. Such attacks account for most of the spying operations detected to date, and include malware, insider code, and Trojans that originate from compromises of the computer supply chain. The central idea that underpins this work is to display the existence of I/O devices in a computer system. While those I/O devices would not exist for real, their projection will make them appear as valid targets of interception and malicious modification, or as valid means of propagation to other target computers. We experiment with the implementation of a low-level network driver for the Windows operating system. The network driver emulates the operation of a network interface controller (NIC), and thus reports to higher-level drivers in the network stack as if the NIC were existent, fully functional, and with access to an existing computer network. We tested and evaluated NIC displays against a large sample of live malware, and thus discuss our findings in the paper.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 61, August 2016, Pages 59–71