peru/malware-cryptominer-container

By peru

Updated 4 days ago

Container image with malware and crypto miner for testing purposes

Image
Artifact
Security
0

6.9K

peru/malware-cryptominer-container repository overview

Container image with malware and crypto miner for testing purposes

Container build Artifact Hub

Ransomware Malware Threat Actor

I decided to build minimal nginx based container image which contains malware / ransomware / crypto miner / ...

Security tools should be able to scan the image and discover harmful files.

Running/starting the container image do not "activate" / "execute" the malware.

The malware files inside container image were downloaded from:

The malware/crypto miner are located in the /usr/share/nginx/html directory:

/usr/share/nginx/html
├── ILOVEYOU.vbs                      [C source, ASCII text]
├── Invoke-ConPtyShell.ps1            [ASCII text, with very long lines (361)]
├── L0Lz.bat                          [DOS batch file, ASCII text]
├── Linux.Trojan.Multiverze.elf.x86   [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped]
├── MadMan.exe                        [MS-DOS executable]
├── Melissa.doc                       [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0]
├── Py.Trojan.NecroBot.py             [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators]
├── TrojanSpy.MacOS.XCSSET.A          [Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
├── Trojan.Java.Fractureiser.MTB.jar  [Trojan:Java/Fractureiser!MTB]
├── Txt.Malware.Sustes.sh             [Bourne-Again shell script, ASCII text executable]
├── Unix.Downloader.Rocke.sh          [POSIX shell script, ASCII text executable]
├── Unix.Malware.Kaiji.elf.arm        [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped]
├── Unix.Trojan.Mirai.elf.m68k        [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped]
├── Unix.Trojan.Mirai.elf.mips        [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.ppc         [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.sparc       [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped]
├── Unix.Trojan.Mirai.elf.x86_64      [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped]
├── Unix.Trojan.Spike.elf.arm         [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped]
├── Walker.com                        [DOS executable (COM), start instruction 0xe9cd04e8 5400e871]
├── WannaCry.exe                      [PE32 executable (GUI) Intel 80386, for MS Windows]
├── Win.Trojan.Perl.perl              [Perl script text executable]
├── Zloader.xlsm                      [Microsoft Excel 2007+]
├── eicar
│   ├── eicar.com                     [EICAR virus test files]
│   ├── eicar.com.txt                 [EICAR virus test files]
│   └── eicarcom2.zip                 [Zip archive data, at least v1.0 to extract]
└── xmrig
    ├── xmrig                         [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
    └── xmrig-linux-static-x64.tar.gz [gzip compressed data, last modified: Sun Oct 23 10:50:44 2022, from Unix, original size modulo 2^32 8898560]

List of malware/ransomware/crypto miner files:

Deployment of the vulnerable image

There are several ways how to run the "malware container image" and there are few of them.

CloudFormation - EC2 instance

Run the EC2 instance with docker and the quay.io/petr_ruzicka/malware-cryptominer-container container with SSM enabled (only console access):

export AWS_DEFAULT_REGION="eu-central-1"

aws cloudformation deploy --capabilities CAPABILITY_IAM \
  --stack-name "${USER}-malware-cryptominer-container-ec2" \
  --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" \
  --template-file EC2InstanceWithDockerSample.yaml \
  --tags "Name=${USER}-malware-cryptominer-container-ec2"

# aws cloudformation delete-stack --stack-name ${USER}-malware-cryptominer-container-ec2
Amazon ECS

Copilot example:

export AWS_DEFAULT_REGION="eu-central-1"

copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \
  --image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 \
  --type 'Load Balanced Web Service' --port 8080 --deploy

# copilot app delete --name "${USER}-malware-cryptominer-app"
Amazon EKS

Run simple Amazon EKS cluster with "malware pod":

export AWS_DEFAULT_REGION="eu-central-1"
export CLUSTER_NAME="${USER}-malware-cryptominer-eks"
export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"

eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}"
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2

# eksctl delete cluster --name "${CLUSTER_NAME}"

Scanner tests

Few scanners which I used to identify the problems inside container image. (results will change in the future)

  • Scanner tests were executed on: 2023-01-04
  • Image version: quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
ClamAV

There is the output of the ClamAV scanner which was executed inside container:

$ docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
# apk add clamav
# freshclam
# clamscan --infected --recursive /usr/share/nginx/html/
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.sparc: Unix.Trojan.Mirai-6976991-0 FOUND
/usr/share/nginx/html/Win.Trojan.Perl.perl: Win.Trojan.Perl-35 FOUND
/usr/share/nginx/html/xmrig/xmrig: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/xmrig/xmrig-linux-static-x64.tar.gz: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/MadMan.exe: Win.Trojan.MadMan-1 FOUND
/usr/share/nginx/html/ILOVEYOU.vbs: Win.Worm.Mantan-1 FOUND
/usr/share/nginx/html/Linux.Trojan.Multiverze.elf.x86: Unix.Trojan.Mirai-9977540-0 FOUND
/usr/share/nginx/html/Melissa.doc: Win.Trojan.Psycho-3 FOUND
/usr/share/nginx/html/WannaCry.exe: Win.Ransomware.Wannacryptor-6993233-1 FOUND
/usr/share/nginx/html/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicarcom2.zip: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/Walker.com: Win.Trojan.Abraxas-7 FOUND
/usr/share/nginx/html/Unix.Trojan.Spike.elf.arm: Unix.Trojan.Spike-6301360-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.mips: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.m68k: Unix.Trojan.Mirai-6981989-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.ppc: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Malware.Kaiji.elf.arm: Unix.Malware.Kaiji-9760851-0 FOUND
/usr/share/nginx/html/Txt.Malware.Sustes.sh: Txt.Malware.Sustes-6779550-1 FOUND
/usr/share/nginx/html/Unix.Downloader.Rocke.sh: Unix.Downloader.Rocke-6826000-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.x86_64: Unix.Trojan.Mirai-7732430-0 FOUND
/usr/share/nginx/html/L0Lz.bat: Win.Trojan.BAT-111 FOUND
/usr/share/nginx/html/TrojanSpy.MacOS.XCSSET.A: Osx.Malware.Agent-9319628-0 FOUND
/usr/share/nginx/html/Py.Trojan.NecroBot.py: Py.Trojan.NecroBot-9868091-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8647075
Engine version: 0.105.1
Scanned directories: 4
Scanned files: 34
Infected files: 24
Data scanned: 25.70 MB
Data read: 18.47 MB (ratio 1.39:1)
Time: 250.429 sec (4 m 10 s)
Start Date: 2023:01:04 08:02:40
End Date:   2023:01:04 08:06:51

Verify image integrity

IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2"

cosign verify "${IMAGE}" | jq
cosign verify "${IMAGE}" | jq -r '.[].optional| .Issuer + " | " + .Subject + " | " + .githubWorkflowRef + " | https://rekor.tlog.dev/?logIndex=" + (.Bundle.Payload.logIndex|tostring)'
cosign triangulate "${IMAGE}"
cosign tree "${IMAGE}"
cosign verify-attestation --type cyclonedx "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'
cosign verify-attestation --type slsaprovenance "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'

Local tests

Container build:

docker build . -t malware-cryptominer-container

Run container and download the malware file:

docker run -it --rm -p 8080:8080 malware-cryptominer-container

wget http://localhost:8080/eicar/eicar.com

Debug container:

docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 malware-cryptominer-container

Run in Kubernetes:

kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2

Tag summary

Content type

Image

Digest

sha256:45d96823f

Size

21.1 MB

Last updated

4 days ago

docker pull peru/malware-cryptominer-container