The New Stack Icon The New Stack

New cryptojacking worm found in docker containers  ↦

Jack Wallen:

A new cryptojacking worm, named Graboid, has been spread into more than 2,000 Docker hosts, according to the Unit 42 researchers from Palo Alto Networks. This is the first time such a piece of malware has spread via containers within the Docker Engine (specifically docker-ce).

Scary stuff, and (at the moment) difficult to detect & prevent:

We’ve reached a point with containers where security must be constantly on the front burner. Antivirus and anti-malware applications currently have no means of analyzing and cleaning containers and container images. That’s the heart of the issue.

Graboid may be the first malware to target containers, but it certainly won’t be the last.


Discussion

Sign in or Join to comment or subscribe

2019-10-27T19:38:44Z ago

Would Singularity prevent this?

Jerod Santo

Jerod Santo

Omaha, Nebraska

Jerod co-hosts The Changelog, crashes JS Party, and takes out the trash (his old code) once in awhile.

2019-10-28T13:44:12Z ago

Great question. @gmkurtzer what say ye?

Gregory Kurtzer

Gregory Kurtzer

Berkeley, CA

Gregory M. Kurtzer is the CEO and founder of Sylabs Inc., the company behind the open source container project Singularity. Sylabs caters to the needs of various compute based workflows like traditional simulation, data science, real time analytics, and AI use-cases. Previously, Greg has spent most of his career enabling massive scale compute focused use cases where he created and led various open source projects along that mission, including the Warewulf cluster management toolkit, CentOS Linux, and most recently, the container system Singularity.

2019-10-28T16:04:42Z ago

Hi, and thanks for thinking of myself and Singularity. Singularity is not affected to the worm part of the malicious code, but the container does startup some processes within that Singularity may allow. That is because they threw some system commands (e.g. /var/sbin/bash) that is actually a script that does some additional things before exec’ing Bash.

It comes down to trusting your containers. My answer is that you don’t even have all of the information to know if a container can be trusted without Singularity’s cryptographic layered signatures. They are simple to use, easy to manage, and easy to share.

The idea of trusting any software someone downloads from the internet without a signature is quite ludicrous by today’s standards. CentOS, would have been mocked, even back in 2003, if we didn’t sign all packages with a trusted key. The fact that we do this with containers every day, and run those untrusted containers on production servers, AS ROOT, is kinda funny if you think about it.

0:00 / 0:00