Docker Containers for Malware Analysis

Similar documents
Intro to Docker and Containers

Platform as a Service and Container Clouds

Building a Continuous Integration Pipeline with Docker

Intro to Docker for CMS

Linstantiation of applications. Docker accelerate

Creating a DUO MFA Service in AWS

CS197U: A Hands on Introduction to Unix

How Bigtop Leveraged Docker for Build Automation and One-Click Hadoop Provisioning

Using Docker in Cloud Networks

The Virtualization Practice

OS Installation: CentOS 5.8

How To Install Project Photon On Vsphere 5.5 & 6.0 (Vmware Vspher) With Docker (Virtual) On Linux (Amd64) On A Ubuntu Vspheon Vspheres 5.4

OpenGeo Suite for Linux Release 3.0

HOW TO BUILD A VMWARE APPLIANCE: A CASE STUDY

AlienVault Unified Security Management (USM) 4.x-5.x. Deploying HIDS Agents to Linux Hosts

Copyright. Robert Sandoval

Continuous Integration for XML and RDF Data

Getting Started Using Project Photon on VMware Fusion/Workstation

Linux & Docker auf Azure

Working with Docker on Microsoft Azure

Computer Science and Engineering Linux Cisco VPN Client Installation and Setup Guide

Docker Containers. Marko Ambrož, Žiga Hudolin Ministrstvo za javno upravo DIREKTORAT ZA INFORMATIKO

Rebuild Perfume With Python and PyPI

Dry Dock Documentation

BACKUP YOUR SENSITIVE DATA WITH BACKUP- MANAGER

Chris Rosen, Technical Product Manager for IBM Containers, Lin Sun, Senior Software Engineer for IBM Containers,

Installation & Upgrade Guide

Network Virtualization Tools in Linux PRESENTED BY: QUAMAR NIYAZ & AHMAD JAVAID

Cassandra Installation over Ubuntu 1. Installing VMware player:

1. Install a Virtual Machine Download Ubuntu Ubuntu LTS Create a New Virtual Machine... 2

Partek Flow Installation Guide

ISLET: Jon Schipp, Ohio Linux Fest An Attempt to Improve Linux-based Software Training

Docker : devops, shared registries, HPC and emerging use cases. François Moreews & Olivier Sallou

Secure your Docker images

Theorist HT Induc0on Course Lesson 1: Se6ng up your new computer (Mac OS X >= 10.6) As of 9/27/2012

My name is Robert Comella. I am a SANS Technology Institute (STI) student who is nearly finished with my master of science in engineering degree.

Do Containers fully 'contain' security issues? A closer look at Docker and Warden. By Farshad Abasi,

Local Caching Servers (LCS): User Manual

Over 30% of Official Images in Docker Hub Contain High Priority Security Vulnerabilities

depl Documentation Release depl contributors

The BackTrack Successor

Basic Linux & Package Management. Original slides from GTFO Security

Cross-Platform ASP.NET 5 For the Cloud. Anthony Sneed

Computer Systems and Networks. ECPE 170 Jeff Shafer University of the Pacific. Linux Basics

Tutorial. Reference for more thorough Mininet walkthrough if desired

Acronis Backup & Recovery 10 Server for Linux. Update 5. Installation Guide

1. Install a Virtual Machine Download Ubuntu Ubuntu LTS Create a New Virtual Machine... 2

What Does Tequila Have to Do with Managing Macs? Using Open Source Tools to Manage Mac OS in the Enterprise!

IMPLEMENTATION OF CIPA - PUDUCHERRY UT SERVER MANAGEMENT. Client/Server Installation Notes - Prepared by NIC, Puducherry UT.

Hadoop Lab - Setting a 3 node Cluster. Java -

IT6204 Systems & Network Administration. (Optional)

UTILIZING THE PORTABILITY OF DOCKER TO DESIGN A PORTABLE AND SCALABLE CONTINUOUS INTEGRATION STACK

UBUNTU VIRTUAL MACHINE + CAFFE MACHINE LEARNING LIBRARY SETUP TUTORIAL

QEMU-KVM + D-System Monitor Setup Manual

The Definitive Guide To Docker Containers

Contents Set up Cassandra Cluster using Datastax Community Edition on Amazon EC2 Installing OpsCenter on Amazon AMI References Contact

Cloud Security with Stackato

WHITEPAPER INTRODUCTION TO CONTAINER SECURITY. Introduction to Container Security

Docker on OpenStack. August Author : Nitin Agarwal nitinagarwal3006@gmail.com. Supervisor(s) : Belmiro Moreira

1 Recommended Readings. 2 Resources Required. 3 Compiling and Running on Linux

Installation of PHP, MariaDB, and Apache

Remote Desktop With P2P VNC

Spectrum Spatial Analyst Version 4.0. Installation Guide for Linux. Contents:

LSN 10 Linux Overview

Acronis Backup & Recovery 10 Server for Linux. Installation Guide

STRATEGIC WHITE PAPER. The next step in server virtualization: How containers are changing the cloud and application landscape

A SHORT INTRODUCTION TO DUPLICITY WITH CLOUD OBJECT STORAGE. Version

Setting up PostgreSQL

Recommended File System Ownership and Privileges

RED HAT CONTAINER STRATEGY

Steps for running C-program

User Manual of the Pre-built Ubuntu 9 Virutal Machine

SNPsyn documentation. Release 1.1b. Tomaž Curk Gregor Rot Davor Sluga Uroš Lotrič Blaž Zupan

Step One: Installing Rsnapshot and Configuring SSH Keys

From Zero to Secure in 1 Minute

Version Control with Subversion and Xcode

NoMachine Enterprise Products, Cloud Server Installation and Configuration Guide

Hosted Connecting Steps Client Installation Instructions

Intel IoT Gateways: Publishing Data to an MQTT Broker Using Python

Student installation of TinyOS

Local File Sharing in Linux

Type-C Ubuntu Product & Strategy Canonical Ltd.

Try Linux: Brief Guide for Rookies

Introduction to CloudScript

CSE 265: System and Network Administration. CSE 265: System and Network Administration

APPLICATION NOTE. How to build pylon applications for ARM

Cloud Implementation using OpenNebula

Release Notes for McAfee(R) VirusScan(R) Enterprise for Linux Version Copyright (C) 2014 McAfee, Inc. All Rights Reserved.

FirstClass Synchronization Services Install Guide

MySQL Backups: From strategy to Implementation

Installing QuickBooks Enterprise Solutions Database Manager On Different Linux Servers

AWS Command Line Interface. User Guide

Installing MooseFS Step by Step Tutorial

Virtual Machine (VM) For Hadoop Training

Mercury User Guide v1.1

ARMSDK-VM Virtual Appliance A preconfigured Linux system

Containers, Docker, and Security: State of the Union

Installation Guide. McAfee VirusScan Enterprise for Linux Software

Building a Private Cloud Cloud Infrastructure Using Opensource

Transcription:

Docker Containers for Malware Analysis Lenny Zeltser Senior Faculty Member, SANS Institute Product Management Director, NCR Corp Get these slides now at https://zeltser.com/media/archive/docker.pdf

Lots of awesome malware analysis tools run on Linux. Should you run them on your primary system? Use the REMnux distro for easier set up? Containers offer another convenient option. 2

Docker containers offer a nice app packaging and distribution mechanism. Each application has its own runtime environment. More lightweight than full-fledged virtualization, but weaker isolation. Rich ecosystem for building, distributing and running apps as containers. 3

What Are Docker Application Containers? 4

Docker is software and an ecosystem for application containers. Docker software runs best on Linux, but also works fine on Windows and OS X. 5

Docker maintains the Docker Hub Registry of public app images. For instance, you can easily launch a transient instance of an Ubuntu container. Remove container when done Make container interactive Run bash inside the container 6

A Docker image of an app contains the software and its dependencies. For example, you can easily launch the Thug honeyclient container. Docker automatically downloads the image. 7

A container gets its own file system, process listing and network stack. However, containers share the OS kernel with each other and the underlying host. 8

Malware analysis apps as Docker containers offer several benefits. Apps with conflicting dependencies can run on the same host. No unwanted files lying around after you re done with the analysis. Some level of isolation around the analysis application container. 9

We Just Discussed Docker Application images Application containers Installing Docker Launching an app container Advantages of containers 10

Running and Interacting with Docker Containers 11

The REMnux project provides several Docker images. Examine websites and scripts: remnux/thug, remnux/jsdetox, remnux/v8 Process multiple samples: remnux/mastiff, remnux/maltrieve Research threats: remnux/viper, remnux/crits Examine memory: remnux/rekall, remnux/volatility Analyze code: remnux/radare2 https://remnux.org/docs/containers/run-apps 12

Use -v to map the host s directory into the container. First create the directory on the underlying host and make it world-accessible. 13

The use of containers encourages separating code from data. Store data on your underlying host while running apps in transient environments. 14

15

Use -p to access network ports within a container. Expose container s TCP port 9090 to interact with the application from localhost.

Use ps to show running containers and stop to stop them. You can refer to the container using its ID or its easier-to-type name. Docker automatically removes this container after it is stopped, because we launched it with the --rm parameter. 17

Docker containers aren t isolated as strongly as virtual machines. The OS kernel is shared among containers and with the underlying host. Containers don t receive their own user namespaces, but Docker is working to fix this. Presently, root processes in containers interact with the kernel with root privileges. 18

We Just Discussed REMnux collection of images Sharing directories with containers Separating code from data Mapping network ports Limitations of container isolation 19

Building and Your Own Docker Images 20

A Dockerfile contains instructions for building a new Docker image. Use an existing image as a starting point. Document instructions for downloading, compiling and configuring the application. Commands must work without user interaction. Look at other Dockerfiles to start learning. Test commands manually by running them in sudo docker run --rm -it ubuntu:14.04 bash. https://registry.hub.docker.com/u/remnux/thug/dockerfile 21

Docker images in the REMnux collection start from ubuntu:14.04. Start with apt-get update, then install only the packages required by the software. FROM ubuntu:14.04 MAINTAINER Lenny Zeltser (@lennyzeltser, www.zeltser.com) USER root RUN apt-get update && \ apt-get install -y --no-install-recommends \ python2.7 \ python2.7-dev \ python-html5lib \ 22

Docker stacks read-only file system images to form an image. A union mount allows multiple file systems to be mounted and appear as a single file system. Thug V8, Python, libemu, ssdeep, etc. Ubuntu 14.04 23

Images based on the same layers occupy less disk space. 24

Balance efficiency and readability when crafting the Dockerfile. Chain commands into a single RUN instruction to remove files before a layer is committed. rm -rf /var/lib/apt/lists/* && \ pip install -q jsbeautifier \ rarfile \ beautifulsoup4 \ pefile \ six && \ groupadd -r thug && \ useradd -r -g thug -d /home/thug -s /sbin/nologin -c "Thug User" thug 25

Avoid saving files to the file system to help minimize disk space. Don t bother removing files after the layer has been already committed (e.g., apt-get clean ). curl -SL http:// /files/ssdeep-2.12/ssdeep-2.12.tar.gz/download \ tar -xzc. && \ cd ssdeep-2.12 && \./configure && \ make install && \ cd.. && \ rm -rf ssdeep-2.12 && \ BUILD_LIB=1 pip install ssdeep && \ chown -R thug:thug /home/thug 26

Don t run commands as root unless you really need to. That s why we created user thug. Use USER to specify which user account to use for subsequent commands. Understand ENV, WORKDIR and CMD Dockerfile directives. USER thug ENV HOME /home/thug ENV USER thug WORKDIR /home/thug/src CMD ["./thug.py"] 27

Use docker build to build the image out of the Dockerfile. Assign it a name using -t=image-name. 28

Use docker images and docker rmi to list and remove images. 29

Share your images via the public Docker Hub registry. Create a repository on registry.hub.docker.com Save images to the repository using the docker push command. Better yet store your Dockerfile files on Github or BitBucket and create an Automated Build. 30

We Just Discussed File system layers Dockerfile syntax Optimizing image size Building an app image Listing and removing images Sharing your images 31

Conclusions and Wrap-Up 32

Docker containers offer a convenient app distribution mechanism. Containers are growing in popularity. They will follow an evolution path similar to that virtualization and VLANs. The REMnux collection provides several images useful for malware analysis. Experiment, learn, contribute. https://remnux.org/docs/containers/malware-analysis 33

If interested in malware analysis, take a look at the FOR610 course at SANS. Visit LearnREM.com Course offered at SANS conferences and on-line 10% discount code SANSLZ @lennyzeltser and zeltser.com Download and these slides from https://zeltser.com/media/archive/docker.pdf 34

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information