Introducing YaRadare — malware detection in cloud-native applications
deep fence YaRadare (“Ya-Radar”) scans container images, running Docker containers, and file systems for indicators of malware. He uses a YARA Rule Set to identify resources that match known malware signatures and may indicate that the container or filesystem has been compromised.
YaRadare can be used to detect malware in cloud-native applications in the following ways:
- At rest: scan local container images, before deployment, to verify that they do not contain malware
- During the execution: Analyze running Docker containers, if, for example, you observe unusual network traffic or CPU activity
- Against file systems: at any time, YaRadare can scan a local directory or file system for indicators of compromise
YaRadare is fully open source (Apache v2 license) and can be used with a wide range of publicly available and private YARA rulesets. You can find it at https://github.com/deepfence/YaRadare – please check it out!
YaRadare Futures Contracts
We have a broad roadmap for the project, to cover a set of scenarios where malware can be added to a cloud-native app or service:
- Supply chain poisoning: A malicious actor injects malware into upstream images. A developer unwittingly includes these images in application builds, and the resulting build artifacts are deployed to production or shipped to other users.
- Malicious deployment: A user compromises the deployment process of an application, for example by creating a malicious admission controller or an init script that injects malware into an application image during deployment.
- Execution compromise: An attacker exploits a vulnerability or weak configuration in a running application, such as log4j, to install malicious tools.
YaRadare will operate in 4 stages of the life cycle of an application image:
Lifecycle Stage: Build and Test
- Aptitude: CI/CD integration. Test images during build to identify malware-like components in
- Objective: To detect and block supply chain poisoning
- Status: Back
Life cycle stage: containers at rest
- Aptitude: Analyze container images “at rest”, supporting various public and private registries
- Objective: Detecting Evidence of Supply Chain Poisoning
- Status: Supported for local containers (pulled from the remote registry); Backlog: direct analysis of containers in remote registries
Lifecycle Stage: During Deployment
- Aptitude: Kubernetes admission controller (or equivalent). Inspect workloads at deployment time and block images that don’t meet standards
- Objective: Final backstop for supply chain poisoning checks; identify certain instances of malicious deployment
- Status: Back
Lifecycle Stage: At Runtime
- Aptitude: Inspect running containers for the presence of malware-like components
- Objective: Detect execution trade-offs
- Status: Docker support (file system images); Backlog: Kubernetes support; Backlog: in-memory analysis
To help us achieve our roadmap, a number of backlog issues are marked as “help needed”. We would particularly appreciate contributions in these areas, as the abilities they unlock will have the greatest impact for the community as a whole.
YaRadare in action
Let’s see YaRadare in action. We will create the tool and then analyze a crypto-mining container using a YARA ruleset.
YaRadare is a standalone docker-based tool, hosted at https://github.com/deepfence/YaRadare. Clone this repository, then create:
docker build --rm=true --tag=deepfenceio/deepfence-yaradare:latest
-f Dockerfile .
Alternatively, you can grab the “official” deepfence image at deepfenceio/deepfence-yaradare:latest.
Find indicators of compromise in a container image
Images can be compromised by installing a range of different malware tools. A common compromise involves installing a cryptominer such as XMRig, allowing the attacker to acquire compute cycles for cryptocurrency mining purposes.
In the following example, we will analyze a legitimate cryptominer image that contains xmrig software similar to that often installed via an exploit:
docker pull metal3d/xmrigdocker run -it --rm --name=deepfence-yaradare -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/deepfence-yaradare:latest --image-name metal3d/xmrig:latest --json-filename=xmrig-scan.json
This returns, among other things, a clear indication of the presence of XMRig. Note that we store the output (/tmp/xmrig-scan.json) for quick and easy handling:
# Extract the IOC array values. From these, extract the values of the ‘Matched Rule Name’ key cat /tmp/xmrig-scan.json | jq '.IOC | ."Matched Rule Name"' "XMRIG_Miner" "XMRIG_Miner" "Cerberus" "XMRIG_Miner" "XMRIG_Miner" "XMRIG_Miner" "Cerberus" "XMRIG_Miner"
This returns a list of possible IOCs identified in the container we scanned.
How will Deepfence use YaRadare?
We are committed to offering YaRadare as an open source project to the community at large. YaRadare relies on the work of thousands of security researchers and community members who developed the YARA toolset and rules that detect a wide range of malware. Our role in the security community is to take their work one step further, presenting it in a way that makes it easy for others to use it to address specific challenges. In this case, we seek to help users secure their cloud-native applications against malware that can result from a supply chain compromise, malicious deployment, or runtime exploitation.
YaRadare is, and always will be, 100% open source. Like everyone else Deepfence Open Source Projects, there are no hidden limitations; no restrictions on the number of analyzes or the size of the infrastructure. We do not require registration, do not collect information that compromises privacy. The users who use our solutions are not our “product”.
Together, the security community has an ethical imperative to work together to build a safer digital experience for all; fully accessible and can be provided by every business and application developer. Deepfence is proud to be part of this movement.