Container image with malware and crypto miner for testing purposes
6.9K
I decided to build minimal nginx based container image which contains malware / ransomware / crypto miner / ...
Security tools should be able to scan the image and discover harmful files.
Running/starting the container image do not "activate" / "execute" the malware.
The malware files inside container image were downloaded from:
The malware/crypto miner are located in the /usr/share/nginx/html directory:
/usr/share/nginx/html
├── ILOVEYOU.vbs [C source, ASCII text]
├── Invoke-ConPtyShell.ps1 [ASCII text, with very long lines (361)]
├── L0Lz.bat [DOS batch file, ASCII text]
├── Linux.Trojan.Multiverze.elf.x86 [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped]
├── MadMan.exe [MS-DOS executable]
├── Melissa.doc [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0]
├── Py.Trojan.NecroBot.py [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators]
├── TrojanSpy.MacOS.XCSSET.A [Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
├── Trojan.Java.Fractureiser.MTB.jar [Trojan:Java/Fractureiser!MTB]
├── Txt.Malware.Sustes.sh [Bourne-Again shell script, ASCII text executable]
├── Unix.Downloader.Rocke.sh [POSIX shell script, ASCII text executable]
├── Unix.Malware.Kaiji.elf.arm [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped]
├── Unix.Trojan.Mirai.elf.m68k [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped]
├── Unix.Trojan.Mirai.elf.mips [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.ppc [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.sparc [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.x86_64 [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped]
├── Unix.Trojan.Spike.elf.arm [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped]
├── Walker.com [DOS executable (COM), start instruction 0xe9cd04e8 5400e871]
├── WannaCry.exe [PE32 executable (GUI) Intel 80386, for MS Windows]
├── Win.Trojan.Perl.perl [Perl script text executable]
├── Zloader.xlsm [Microsoft Excel 2007+]
├── eicar
│ ├── eicar.com [EICAR virus test files]
│ ├── eicar.com.txt [EICAR virus test files]
│ └── eicarcom2.zip [Zip archive data, at least v1.0 to extract]
└── xmrig
├── xmrig [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
└── xmrig-linux-static-x64.tar.gz [gzip compressed data, last modified: Sun Oct 23 10:50:44 2022, from Unix, original size modulo 2^32 8898560]
List of malware/ransomware/crypto miner files:
There are several ways how to run the "malware container image" and there are few of them.
Run the EC2 instance with docker and the quay.io/petr_ruzicka/malware-cryptominer-container container with SSM enabled (only console access):
export AWS_DEFAULT_REGION="eu-central-1"
aws cloudformation deploy --capabilities CAPABILITY_IAM \
--stack-name "${USER}-malware-cryptominer-container-ec2" \
--parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" \
--template-file EC2InstanceWithDockerSample.yaml \
--tags "Name=${USER}-malware-cryptominer-container-ec2"
# aws cloudformation delete-stack --stack-name ${USER}-malware-cryptominer-container-ec2
Copilot example:
export AWS_DEFAULT_REGION="eu-central-1"
copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \
--image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 \
--type 'Load Balanced Web Service' --port 8080 --deploy
# copilot app delete --name "${USER}-malware-cryptominer-app"
Run simple Amazon EKS cluster with "malware pod":
export AWS_DEFAULT_REGION="eu-central-1"
export CLUSTER_NAME="${USER}-malware-cryptominer-eks"
export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"
eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}"
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
# eksctl delete cluster --name "${CLUSTER_NAME}"
Few scanners which I used to identify the problems inside container image. (results will change in the future)
2023-01-04quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0There is the output of the ClamAV scanner which was executed inside container:
$ docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
# apk add clamav
# freshclam
# clamscan --infected --recursive /usr/share/nginx/html/
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.sparc: Unix.Trojan.Mirai-6976991-0 FOUND
/usr/share/nginx/html/Win.Trojan.Perl.perl: Win.Trojan.Perl-35 FOUND
/usr/share/nginx/html/xmrig/xmrig: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/xmrig/xmrig-linux-static-x64.tar.gz: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/MadMan.exe: Win.Trojan.MadMan-1 FOUND
/usr/share/nginx/html/ILOVEYOU.vbs: Win.Worm.Mantan-1 FOUND
/usr/share/nginx/html/Linux.Trojan.Multiverze.elf.x86: Unix.Trojan.Mirai-9977540-0 FOUND
/usr/share/nginx/html/Melissa.doc: Win.Trojan.Psycho-3 FOUND
/usr/share/nginx/html/WannaCry.exe: Win.Ransomware.Wannacryptor-6993233-1 FOUND
/usr/share/nginx/html/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicarcom2.zip: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/Walker.com: Win.Trojan.Abraxas-7 FOUND
/usr/share/nginx/html/Unix.Trojan.Spike.elf.arm: Unix.Trojan.Spike-6301360-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.mips: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.m68k: Unix.Trojan.Mirai-6981989-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.ppc: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Malware.Kaiji.elf.arm: Unix.Malware.Kaiji-9760851-0 FOUND
/usr/share/nginx/html/Txt.Malware.Sustes.sh: Txt.Malware.Sustes-6779550-1 FOUND
/usr/share/nginx/html/Unix.Downloader.Rocke.sh: Unix.Downloader.Rocke-6826000-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.x86_64: Unix.Trojan.Mirai-7732430-0 FOUND
/usr/share/nginx/html/L0Lz.bat: Win.Trojan.BAT-111 FOUND
/usr/share/nginx/html/TrojanSpy.MacOS.XCSSET.A: Osx.Malware.Agent-9319628-0 FOUND
/usr/share/nginx/html/Py.Trojan.NecroBot.py: Py.Trojan.NecroBot-9868091-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8647075
Engine version: 0.105.1
Scanned directories: 4
Scanned files: 34
Infected files: 24
Data scanned: 25.70 MB
Data read: 18.47 MB (ratio 1.39:1)
Time: 250.429 sec (4 m 10 s)
Start Date: 2023:01:04 08:02:40
End Date: 2023:01:04 08:06:51
IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2"
cosign verify "${IMAGE}" | jq
cosign verify "${IMAGE}" | jq -r '.[].optional| .Issuer + " | " + .Subject + " | " + .githubWorkflowRef + " | https://rekor.tlog.dev/?logIndex=" + (.Bundle.Payload.logIndex|tostring)'
cosign triangulate "${IMAGE}"
cosign tree "${IMAGE}"
cosign verify-attestation --type cyclonedx "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'
cosign verify-attestation --type slsaprovenance "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'
Container build:
docker build . -t malware-cryptominer-container
Run container and download the malware file:
docker run -it --rm -p 8080:8080 malware-cryptominer-container
wget http://localhost:8080/eicar/eicar.com
Debug container:
docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 malware-cryptominer-container
Run in Kubernetes:
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2
Content type
Image
Digest
sha256:45d96823f…
Size
21.1 MB
Last updated
4 days ago
docker pull peru/malware-cryptominer-container