Scan running processes as well as running container filesystem #20

ogarrett opened this issue Jul 7, 2022 · 0 comments
Labels
enhancement New feature or request

ogarrett commented Jul 7, 2022

It's common for malware installed through a runtime compromise to delete itself from the filesystem once the malware process has started, to make detection of the malware difficult. Filesystem scans will not find the malware.

For example, a Wordpress honeypot container attracted a crypto miner which was installed in /var/www/html/wp-content/themes/twentytwentyone/xmra64, started as pid 8823, and then deleted:

$ sudo cat /proc/8823/maps
00400000-00401000 r--p 00000000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
00401000-0065b000 r-xp 00001000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
0065b000-006de000 r--p 0025b000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
006de000-006ec000 rw-p 002dd000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)

YaRadare scans of the container filesystem did not detect anything untoward.

The running application binary was captured and scanned as follows:

$ sudo cat /proc/8823/map_files/400000-401000 > /tmp/xmra64/a.out.1
$ sudo cat /proc/8823/map_files/401000-65b000 > /tmp/xmra64/a.out.2
$ sudo cat /proc/8823/map_files/65b000-6de000 > /tmp/xmra64/a.out.3
$ sudo cat /proc/8823/map_files/6de000-6ec000 > /tmp/xmra64/a.out.4
$ docker run -it --rm -v /tmp/xmra64:/tmp/xmra64 oweng/deepfence-yaradare:latest --local /tmp/xmra64

YaRadare scans of these files identified the crypto miner:

    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.1",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.2",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.3",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.4",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
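The detection and recovery steps the issue describes (look for file-backed "(deleted)" mappings in /proc/<pid>/maps, then pull the backing file out through /proc/<pid>/map_files and hand the result to a scanner), as an added Python example that is not part of YaRadare or of this issue. The sample maps text, the fake /proc tree and the byte string it recovers are constructed to mirror the issue's pid 8823; the function names are assumptions. It goes a little beyond the issue in two ways: it walks every process under a /proc root rather than one known pid, and it dumps once per inode rather than once per segment, because each map_files entry opens the whole backing file rather than one segment (which is also why the issue's four a.out.N dumps all matched the same rule).

```python
"""Find running processes whose mappings point at deleted files and recover
the backing file through /proc/<pid>/map_files.

Added example; not YaRadare/Deepfence code. SAMPLE_MAPS and SAMPLE_BINARY
are constructed test data modelled on the issue's /proc/8823/maps output."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# One /proc/<pid>/maps line: "start-end perms offset dev inode [path]"
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed: the issue's four xmra64 lines plus a heap and an ordinary libc
# mapping so the filter has something to ignore.
SAMPLE_MAPS = """\
00400000-00401000 r--p 00000000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
00401000-0065b000 r-xp 00001000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
0065b000-006de000 r--p 0025b000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
006de000-006ec000 rw-p 002dd000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
01a2c000-01a4d000 rw-p 00000000 00:00 0 [heap]
7f0d2c000000-7f0d2c1c5000 r-xp 00000000 fc:01 1049 /usr/lib/x86_64-linux-gnu/libc.so.6
"""
# Constructed stand-in for the recovered binary: an ELF magic plus the
# string the issue's XMRIG_Miner rule matched on.
SAMPLE_BINARY = b"\x7fELF" + b"\x00" * 12 + b"stratum+tcp://pool.invalid:3333\x00"


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    inode: int
    path: str
    deleted: bool

    @property
    def map_files_name(self) -> str:
        # map_files entries are unpadded hex, e.g. "400000-401000" for the
        # "00400000-00401000" line in maps, matching the issue's commands.
        return f"{self.start:x}-{self.end:x}"


def parse_maps(text: str) -> List[Mapping]:
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        deleted = path.endswith("(deleted)")
        if deleted:
            path = path[: -len("(deleted)")].rstrip()
        out.append(Mapping(int(m.group("start"), 16), int(m.group("end"), 16),
                           m.group("perms"), int(m.group("inode")), path, deleted))
    return out


def deleted_file_mappings(mappings: List[Mapping]) -> List[Mapping]:
    # Anonymous regions ([heap], [stack]) have inode 0; only file-backed
    # mappings whose file is gone are of interest. Note that memfd-backed
    # regions also show "(deleted)" and will be reported here as well.
    return [m for m in mappings if m.deleted and m.inode != 0]


def scan_proc(proc_root: str = "/proc") -> Dict[int, List[Mapping]]:
    """Return {pid: deleted file-backed mappings} for every readable process."""
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                hits = deleted_file_mappings(parse_maps(fh.read()))
        except OSError:
            continue  # process exited, or maps not readable for this uid
        if hits:
            findings[int(entry)] = hits
    return findings


def dump_deleted_binaries(pid: int, mappings: List[Mapping], out_dir: str,
                          proc_root: str = "/proc") -> List[str]:
    """Copy each distinct deleted file out via /proc/<pid>/map_files.

    A map_files entry links to the whole backing file, not just the segment,
    so one copy per inode suffices. Opening these entries needs root, which
    is why the issue used sudo."""
    os.makedirs(out_dir, exist_ok=True)
    written, seen = [], set()
    for m in mappings:
        if m.inode in seen:
            continue
        seen.add(m.inode)
        src = os.path.join(proc_root, str(pid), "map_files", m.map_files_name)
        dst = os.path.join(out_dir, f"pid{pid}-inode{m.inode}-{os.path.basename(m.path)}")
        with open(src, "rb") as s, open(dst, "wb") as d:
            d.write(s.read())
        written.append(dst)
    return written


def demo() -> Dict[str, object]:
    """Build a fake /proc tree from the constructed sample and run the scan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "1"))  # pid 1: nothing deleted
        with open(os.path.join(root, "1", "maps"), "w") as fh:
            fh.write(SAMPLE_MAPS.splitlines()[-1] + "\n")
        mf = os.path.join(root, "8823", "map_files")  # pid 8823: the miner
        os.makedirs(mf)
        with open(os.path.join(root, "8823", "maps"), "w") as fh:
            fh.write(SAMPLE_MAPS)
        for m in deleted_file_mappings(parse_maps(SAMPLE_MAPS)):
            with open(os.path.join(mf, m.map_files_name), "wb") as fh:
                fh.write(SAMPLE_BINARY)  # real kernel: symlink to the file
        findings = scan_proc(root)
        dumped = dump_deleted_binaries(8823, findings[8823], os.path.join(root, "out"), root)
        with open(dumped[0], "rb") as fh:
            recovered = fh.read()
    return {
        "pids": sorted(findings),
        "paths": sorted({m.path for m in findings[8823]}),
        "dumped": len(dumped),
        "looks_like_elf": recovered.startswith(b"\x7fELF"),
        "has_miner_string": b"stratum+tcp" in recovered,
    }


if __name__ == "__main__":
    print(demo())  # offline demonstration on the constructed tree
    for pid, hits in scan_proc().items():  # live scan of this host
        print(pid, sorted({m.path for m in hits}))
```

Run as root to both scan and dump on a live host; unprivileged, the scan still works for the caller's own processes but the dump fails with EACCES. The dumped files can then be passed to the scanner exactly as in the issue's `--local /tmp/xmra64` invocation.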