Container con toronto

Slide 1: Using Containers to Fight Malware
  Dan Lambright, Storage System Software Developer; Adjunct Professor, University of Massachusetts Lowell
  Aug. 23, 2016

Slide 2: Overview (RED HAT)
  ● Malware on Linux
  ● Explore how containers can fight malware
    ○ Static analysis
    ○ Dynamic and forensic analysis
  ● Evaluation: where containers help

Slide 3: The Problem: Explore where containers help
  ● Linux's pervasiveness creates a large attack surface
    ○ 66% of webservers, Android, IoT...
  ● Recent vulnerabilities
    ○ Shellshock, Heartbleed, Linux.lady
  ● This talk's focus
    ○ Destination environment is the Linux OS
    ○ Not container vulnerability scanning
  [Image: "Linux lady" attack, http://www.theregister.co.uk/2016/08/11/linux_malware_never_ok_just_this_once_then_if_we_must/]

Slide 4: Malware Analysis Vocabulary
  ● Sample: the program to analyze
  ● Static analysis: look for signs of malware without running the sample
    ○ virustotal.com, ClamAV
  ● Dynamic analysis: run the sample in a "sandbox"
    ○ cuckoobox, Limon
    ○ Useful after an attack, or to test the unknown
  ● Forensics: post-run analysis of RAM
    ○ Volatility, YARA rule language

Slide 5: CONTAINERS AND STATIC ANALYSIS

Slide 6: Static analysis: Defensive steps
  ● De-obfuscate the sample (compressed, packed, etc.)
  ● Search for known bad strings...
  ● ...or suspicious strings, e.g. signs of phishing
  ● Keep a database of known attacks
    ○ Online (virustotal.com)
    ○ Local DB with frequent updates

Slide 7: ClamAV: Open source virus detection
  ● Can interpret many file formats
    ○ zip, RAR, IMG, ...
  ● Daemon can queue files to be scanned
  ● Control path exposed on port 3310

Slide 8: Containerization of ClamAV: Workflow
  ● Deliver the sample to the scanner...
    ○ Move the sample to a shared directory under a unique name, start the job
    ○ Send the SCAN command to the daemon, with the path to the sample
  ● Database is kept in a persistent place / shared file, periodically updated
  ● Demo
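The workflow on slides 7 and 8 as a small Python client, added here as an example; it is not code from the deck or from the ClamAV project. It assumes the scanner container is reachable as the host name `clamd` on the control port 3310 named in the slides, that the staging directory `/samples` is bind-mounted at the same path in both containers (so the path sent in SCAN is the path clamd sees), and all function names are this example's own. The INSTREAM variant goes beyond the slide: it is the daemon's own alternative for callers that cannot share a filesystem with it.

```python
import os
import socket
import struct
import uuid
from pathlib import Path

# Assumed names for this example: the scanner container is reachable as "clamd" and the
# staging directory is bind-mounted at the same path in both containers, so the path we
# send in SCAN is the path clamd sees. Port 3310 is the clamd control port from the slides.
CLAMD_HOST = "clamd"
CLAMD_PORT = 3310
SHARED_DIR = "/samples"


def stage_sample(shared_dir, data):
    """Write the sample into the shared directory under a unique name and return its path."""
    Path(shared_dir).mkdir(parents=True, exist_ok=True)
    path = Path(shared_dir) / f"{uuid.uuid4().hex}.sample"
    path.write_bytes(data)
    return str(path)


def build_scan_command(path):
    """clamd commands prefixed with 'z' are NUL-terminated, and clamd NUL-terminates its reply."""
    return b"zSCAN " + os.fsencode(path) + b"\x00"


def build_instream_frames(data, chunk_size=8192):
    """Alternative without a shared directory: INSTREAM sends the bytes over the socket as
    chunks, each prefixed by a 4-byte big-endian length; a zero-length chunk ends the stream."""
    frames = [b"zINSTREAM\x00"]
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_clamd_reply(reply):
    """Turn a raw clamd reply into (status, detail): ('OK', target), ('FOUND', signature)
    or ('ERROR', message). Anything else is treated as a protocol problem."""
    text = reply.rstrip(b"\x00\n").decode("utf-8", "replace")
    target, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", target
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[: -len(" ERROR")]
    raise ValueError(f"unrecognized clamd reply: {text!r}")


def _exchange(payload, host, port, timeout=120):
    """Send one command and collect the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        reply = b""
        while not reply.endswith(b"\x00"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return reply


def scan_staged_sample(data, shared_dir=SHARED_DIR, host=CLAMD_HOST, port=CLAMD_PORT):
    """The slide's workflow: stage under a unique name, ask the daemon to SCAN that path,
    and remove the staged file afterwards so the shared directory does not accumulate samples."""
    path = stage_sample(shared_dir, data)
    try:
        return parse_clamd_reply(_exchange(build_scan_command(path), host, port))
    finally:
        os.unlink(path)


def scan_stream(data, host=CLAMD_HOST, port=CLAMD_PORT):
    """Same verdict via INSTREAM, for callers that cannot share a filesystem with clamd."""
    return parse_clamd_reply(_exchange(build_instream_frames(data), host, port))


if __name__ == "__main__":
    # The EICAR test string is the harmless, standard signature-test file; a working
    # deployment answers ('FOUND', 'Eicar-Test-Signature').
    eicar = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS"
             b"-TEST-FILE!$H+H*")
    print(scan_staged_sample(eicar))
```

Two practical points follow from the protocol: the staged file is deleted in a `finally` clause so a daemon timeout does not leave samples lying in the shared directory, and the 'z' command form is used throughout so a reply can be recognized by its terminating NUL rather than by guessing at line endings.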
Slide 9: (section divider; the template placeholder title was left unfilled)

Slide 10: Evaluation: Do static analysis with containers
  ● Portable? Yes
  ● Lightweight? Yes
  ● Easy orchestration? Yes
  ● Solves the static analysis problem? Yes
  ● A win :)
  ● But static analysis won't help with zero-day attacks

Slide 11: CONTAINERS AND DYNAMIC ANALYSIS

Slide 12: Dynamic Analysis: Defensive steps
  ● Capture network activity, system events
  ● Run the sample in the sandbox for "some time"
  ● Avoid the malware learning of the sandbox and hiding
  ● Is dynamic analysis automated?
    ○ Often helps the human analyst rather than becoming a substitute
    ○ Capable of finding clear violations

Slide 13: Forensic Analysis: Analysis of RAM after running the sample
  ● "Volatility" tool: run YARA scripts
  ● Process information
    ○ Find hidden processes
    ○ Obtain memory maps, open files
  ● Code injection: Malfind module
  ● Network information
    ○ Netfilter (NAT), ARP tables, routing tables, network interfaces, sockets
  ● Keyboard notifiers

Slide 14: Limon Sandbox: Automating malware analysis
  ● Research tool written by Monnappa KA
    ○ Presented at BlackHat 2015
  ● Does static, dynamic, and forensic analysis
  ● Sample runs in a VirtualBox VM
  ● VM memory is captured and analyzed

Slide 15: Containerization of Limon Sandbox: How to containerize Limon, the sandbox, and how they communicate
  ● Limon is command driven (could run in a Kubernetes job)
  ● Limon's interface to the sandbox is modular
    ○ Replace the interfaces to VirtualBox to instead drive containers
  ● Create a sandbox container?
    ○ Nope, let us review why..
  [Diagram: Limon | Sandbox Container]

Slide 16: Syscalls and Network traffic. Problem: Sandboxing net traffic and capturing system events
  ● Running strace inside a container requires privileged mode..
    ○ Attach to the process from outside the container
  ● The container does not run the services that are expected
  ● Releasing the malware's packets to the internet is undesirable!
  ● Inetsim
    ○ Sets up a "fake Internet" to fool malware: simulates network services
    ○ Containers don't run these services
    ○ A "fake network" outside the container defeats portability

Slide 17: Memory Analysis in Limon Sandbox. Problem: capturing memory from a container
  ● How to capture memory of the container's process tree
  ● Misses kernel state
  ● Not so useful..
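One way to do what slide 17 describes, capturing the user-space memory of a container's process tree, written here as an added Python example rather than code from the deck or from Limon. It follows slide 16's advice to work from outside the container: it assumes you run as root on the host, that you start from the container's init pid as the host sees it (for a Docker container, `docker inspect --format '{{.State.Pid}}' <id>`, a placeholder id), and that the dump goes to a directory of your choosing. All function names are this example's own, the maps lines are constructed for the offline check, and, exactly as the slide warns, what comes out is process memory only, with no kernel state.

```python
import os
import re
from pathlib import Path

# Constructed /proc/<pid>/maps lines in the kernel's format, used for the offline check.
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r--p 00000000 fd:01 1234                       /usr/bin/sample
55d0c0a21000-55d0c0a7b000 r-xp 00021000 fd:01 1234                       /usr/bin/sample
7f3a00000000-7f3a00021000 rw-p 00000000 00:00 0
7f3a00021000-7f3a00200000 ---p 00000000 00:00 0
7ffd5c8e0000-7ffd5c901000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]
"""

# address range, permissions, file offset, device, inode, optional path
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


def parse_maps(text):
    """Parse /proc/<pid>/maps into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        start, end, perms, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "perms": perms, "path": path.strip()})
    return regions


def dumpable(region):
    """Skip regions without read permission and the kernel-provided [vsyscall]/[vvar]
    pages, which cannot be read through /proc/<pid>/mem."""
    return region["perms"][0] == "r" and region["path"] not in ("[vsyscall]", "[vvar]")


def parse_stat_ppid(stat_text):
    """PPid from /proc/<pid>/stat; comm may contain spaces or ')', so split after the last ')'."""
    _, _, rest = stat_text.rpartition(")")
    return int(rest.split()[1])


def descendants(parents, root_pid):
    """root_pid plus every pid reachable from it through the {pid: ppid} links."""
    tree, frontier = [], [root_pid]
    while frontier:
        pid = frontier.pop()
        tree.append(pid)
        frontier.extend(child for child, ppid in parents.items() if ppid == pid)
    return sorted(tree)


def process_tree(root_pid, proc="/proc"):
    """Build the {pid: ppid} map by scanning /proc, then return the container's tree."""
    parents = {}
    for entry in os.listdir(proc):
        if entry.isdigit():
            try:
                parents[int(entry)] = parse_stat_ppid(Path(proc, entry, "stat").read_text())
            except OSError:
                continue  # process exited between listdir and read
    return descendants(parents, root_pid)


def dump_process(pid, out_dir, proc="/proc"):
    """Copy each readable region out through /proc/<pid>/mem (needs ptrace access to the
    target, i.e. root on the host). Returns the number of bytes written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    regions = [r for r in parse_maps(Path(proc, str(pid), "maps").read_text()) if dumpable(r)]
    written = 0
    with open(Path(proc, str(pid), "mem"), "rb") as mem:
        for r in regions:
            try:
                mem.seek(r["start"])
                data = mem.read(r["end"] - r["start"])
            except (OSError, OverflowError):
                continue  # unmapped since maps was read, or not readable from this context
            (out / f"{pid}-{r['start']:x}-{r['end']:x}.bin").write_bytes(data)
            written += len(data)
    return written


def dump_container_tree(root_pid, out_dir):
    """Dump every process under the container's init; kernel state is not captured."""
    return {pid: dump_process(pid, out_dir) for pid in process_tree(root_pid)}
```

The per-region files carry the virtual address range in their names so an analyst can line them up with the `maps` listing; that is as far as such a dump goes, because the page tables, socket state and the rest of what Volatility reads from a full VM image live in the kernel, which is why the slide calls the result "not so useful".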
Slide 18: Detection. Problem: Attacker can discover if running in a container and be evasive
  [root@1b877648a4e2 /]# cat /proc/self/cgroup|grep device
  7:devices:/system.slice/docker-1b877648a4e2fb533b2bbf4db186ada4103629909a60c88d29d849a1429a7670.scope
  [root@1b877648a4e2 /]# ls /.*
  /.dockerenv /.dockerinit

Slide 19: Evaluation: Run sample in container
  ● Portable? Yes
  ● Lightweight? Yes
  ● Easy orchestration? Yes
  ● Solves the problem? No..
    ○ Malware could deliberately trigger a kernel bug
    ○ Containers differ from the machine the sample targets
    ○ etc.
  ● Can we try anything else?

Slide 20: "Containerized VMs". RancherOS: "An OS running in a container"
  ● RancherOS runs OS system services in a container
    ○ udev, console, etc.
  ● In such a container, can run qemu
  ● Result: a VM managed as a container
  ● Inherits the ecosystem (orchestration, process management)
    ○ demo

Slide 21: (section divider; the template placeholder title was left unfilled)

Slide 22: Dynamic Analysis on "Containerized VM": Working with Limon
  ● Make our own RancherOS image
    ○ Monitoring utilities
    ○ Customize the VM to resemble the target
  ● Similar to existing VM-based sandboxes
    ○ Syscalls + network capture
    ○ Detection problem

Slide 23: Forensics on "Containerized VM": Memory analysis
  ● Can get a gcore of the qemu process
  ● Volatility must know the image format of the VM RancherOS started
  ● demo

Slide 24: (section divider; the template placeholder title was left unfilled)

Slide 25: Orchestration of "Containerized VM": RancherOS + Limon + Kubernetes
  ● Each job starts a pod containing Limon and the RancherOS sandbox
  ● The pod can be load balanced across nodes, etc.
  [Diagram: pod containing Limon and the RancherOS Container]

Slide 26: Evaluation: Run sample in "containerized VM"
  ● Portable? Mostly (may need to enable nested virtualization, KVM, ...)
  ● Lightweight? No.. long startup time, VM needs resources
  ● Easy orchestration? Yes
  ● Solves the problem? Almost
    ○ Can quickly spin up an environment to generate data for human analysis
    ○ Immature tools: there is no support for all Linux versions

Slide 27: Future Experiments: More ways containers might fight malware
  ● Cuckoobox + RancherOS + Kubernetes
  ● Windows malware detection
  ● Run a HIDS (OSSEC) in the sandbox

Slide 28: Conclusion
  ● Use containers for static analysis
  ● Improve dynamic analysis tools
    ○ Better automate detection of troublesome signs

Slide 29: THANK YOU
  plus.google.com/+RedHat
  linkedin.com/company/red-hat
  youtube.com/user/RedHatVideos
  facebook.com/redhatinc
  twitter.com/RedHatNews

Slide 30: Attack Vectors
  ● Email attachments
  ● Scams
  ● Bogus links
  ● Exploited bugs in legacy software
  ● Trojan horses

Slide 31: Other containerized security tools

Slide 32: REMnux tools
  ● Google's V8 JavaScript engine for JavaScript deobfuscation: remnux/v8
  ● CRITs collaborative malware and threat repository: remnux/crits
  ● Thug low-interaction honeyclient: remnux/thug
  ● Viper binary analysis and management framework: remnux/viper
  ● Rekall memory forensic framework: remnux/rekall
  ● JSDetox JavaScript analysis tool for deobfuscation: remnux/jsdetox
  ● Radare2 reverse-engineering framework and disassembler: remnux/radare2
  ● Pescanner static malware analysis tool for Windows PE files: remnux/pescanner
  ● The Volatility Framework for memory forensics: remnux/volatility
  ● MASTIFF static analysis framework for suspicious files: remnux/mastiff
  ● Maltrieve for retrieving malware samples: remnux/maltrieve
  ● Metasploit Framework for attack simulation: remnux/metasploit
  ● Other containerized tools

Slide 33: Syscalls in Limon sandbox. Problem: capturing events using strace+sysdig in a container sandbox
  ● Running strace inside a container requires privileged mode..
    ○ Attach to the process from outside the container
  ● The container does not run the services that sysdig or strace expect
Slide 34: BACKUP SLIDES

Slide 35: TABLES WITH ACTUAL SPACE MEASURES

Slide 36: Create Files. Space: measurements in MB
  Compaction    Brick 1    Brick 2    Brick 3    Brick 4
  off           42.0430    42.0430    17.4258    17.5156
  manual        42.5117    42.5117    16.9180    16.9180
  full          42.1953    42.1992    17.4336    17.4336
  incremental   42.1836    12.1836    17.4453    17.4453

Slide 37: Create and Delete Files. Space: measurements in MB
  Compaction    Brick 1    Brick 2    Brick 3    Brick 4
  off           42.1211    42.1914    17.4688    17.4844
  manual        10.3516    10.3516     0.6133     0.6133
  full           0.0234     0.0234     0.0234     0.0234
  incremental   42.1875    42.0703    17.4336    17.4336

Slide 38: Create and Rename Files. Space: measurements in MB
  Compaction    Brick 1    Brick 2    Brick 3    Brick 4
  off           55.6953    55.5898    19.2344    19.2344
  manual        49.3712    49.3750    14.9102    14.9102
  full          55.5859    55.5859    18.5508    18.5508
  incremental   55.4883    55.4844    19.313     19.313

Slide 39: Create Files and Symbolic Links. Space: measurements in MB
  Compaction    Brick 1    Brick 2    Brick 3    Brick 4
  off           42.9336    42.9375    17.4570    17.4570
  manual        43.3555    43.3555    16         16
  full          43.0195    43.0117    17.0313    17.0313
  incremental   42.9961    43.0039    17.5234    17.5195