In the era of virtualisation of processes and resources, the issue of security of executable environments is quite acute. Pre-prepared images may contain virus and various exploits that can damage both the system locally and the infrastructure globally.
They are distributed through such platforms as Docker Hub, GitHub, which allow you to install software that is not checked for various kinds of software bookmarks and the very same VPO. How to check if a container is safe to use?
Scanning and analysing layers in Dockerfile
Let us remind you that the container itself is just an isolated environment where the base OS image is rolled out and a Dockerfile is executed on top of it, which can be rather malicious. Let's take for example a pre-infected container filled with miners and other VPO. Let's download it to our machine with Docker pre-installed:
sudo docker pull quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
Note that we only downloaded the image to our local repository, but did not run it on the OS! You don't need to do that, the file itself will be sufficient for analysis! If you don't have Docker pre-installed, do it with the following command:
sudo apt install docker.io docker-compose -y
After that, we need to understand what exactly we want to investigate and where we are going to detect malicious activity. An image is a collection of a minimally basic OS, the Dockerfile executed on it, and the metadata that is used when deploying it. So let's pay attention to it, first we need to understand what actions are performed in the image, for this we will use the dive inspection utility. To install deb we will run the command:
DIVE_VERSION=$(curl -sL "https://api.github.com/repos/wagoodman/dive/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
curl -OL https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb
sudo apt install ./dive_${DIVE_VERSION}_linux_amd64.deb
It will allow you to find the latest version of the software in the repository, as well as put it in the download paths to then install it.
After successful installation of the package we can write a command where we specify dive to start the inspection software and specify the name of the image:
sudo dive quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
The control panel has four main fields, where Layers is the Docker File, or rather its layers. Below are the details of each layer and the meta information about the image, where you can already see that you have interacted with the web directories. Let's parse each layer and try to find something illegitimate:
In this case we can see that the installation is performed from the suspicious domain nginx[.]so, then use TAB to switch to the file system on the right and see the changes made by Dockerfile. Additionally, filter the changes with the Ctrl+A key combination and we will see a cluster of previously copied files with suspicious names:
In a real attack, the files may be named quite innocuously, so you need to pay attention to the directories and the format of the files that are added to the container. Since the files look suspicious, you need to make sure they are virus. Let's exit the inspector panel and create a file system container without launching it:
sudo docker create -- name temp_container quay. io/petr_ruzicka/malware-cryptominer-container :1.4.0 && \
sudo docker export temp_container -o filesystem.tar && \
sudo docker rm temp_container && \
ls
Now we have a container file system with already applied Dockerfile in our home directory! It remains to unpack it and check all files for VPO, for this purpose we will write a command, having previously created a new folder and navigating to it:
sudo tar -xf ~/filesystem.tar
Remember that the malware has potentially affected several directories, so we will scan them with ClamAV antivirus, and then we will see the result, where virus are detected!
With the inspection tool it is possible to perform such manual analyses at a deeper level and already use Yara rules engines in addition, which will allow to detect other types and variants of VPO. This solution is not a replacement for automated tools, but just a way to manually look at the package details inside, based on manual/static analyses.
If you don't have sufficient resources than you can perform actions on powerful cloud servers. Serverspace provides isolated VPS / VDS servers for common and virtualize usage.