Home Cd software Introducing YaRadare – Security Boulevard

Introducing YaRadare – Security Boulevard


Like a snake, malware can hide anywhere. picture by Sagar Paranjape on Unsplash

Introducing YaRadare — malware detection in cloud-native applications

deep fence YaRadare (“Ya-Radar”) scans container images, running Docker containers, and file systems for indicators of malware. He uses a YARA Rule Set to identify resources that match known malware signatures and may indicate that the container or filesystem has been compromised.

YaRadare can be used to detect malware in cloud-native applications in the following ways:

  • At rest: scan local container images, before deployment, to verify that they do not contain malware
  • During the execution: Analyze running Docker containers, if, for example, you observe unusual network traffic or CPU activity
  • Against file systems: at any time, YaRadare can scan a local directory or file system for indicators of compromise

YaRadare is fully open source (Apache v2 license) and can be used with a wide range of publicly available and private YARA rulesets. You can find it at https://github.com/deepfence/YaRadare – please check it out!

YaRadare Futures Contracts

We have a broad roadmap for the project, to cover a set of scenarios where malware can be added to a cloud-native app or service:

  • Supply chain poisoning: A malicious actor injects malware into upstream images. A developer unwittingly includes these images in application builds, and the resulting build artifacts are deployed to production or shipped to other users.
  • Malicious deployment: A user compromises the deployment process of an application, for example by creating a malicious admission controller or an init script that injects malware into an application image during deployment.
  • Execution compromise: An attacker exploits a vulnerability or weak configuration in a running application, such as log4j, to install malicious tools.

YaRadare will operate in 4 stages of the life cycle of an application image:

Lifecycle Stage: Build and Test

  • Aptitude: CI/CD integration. Test images during build to identify malware-like components in
  • Objective: To detect and block supply chain poisoning
  • Status: Back

Life cycle stage: containers at rest

  • Aptitude: Analyze container images “at rest”, supporting various public and private registries
  • Objective: Detecting Evidence of Supply Chain Poisoning
  • Status: Supported for local containers (pulled from the remote registry); Backlog: direct analysis of containers in remote registries

Lifecycle Stage: During Deployment

  • Aptitude: Kubernetes admission controller (or equivalent). Inspect workloads at deployment time and block images that don’t meet standards
  • Objective: Final backstop for supply chain poisoning checks; identify certain instances of malicious deployment
  • Status: Back

Lifecycle Stage: At Runtime

  • Aptitude: Inspect running containers for the presence of malware-like components
  • Objective: Detect execution trade-offs
  • Status: Docker support (file system images); Backlog: Kubernetes support; Backlog: in-memory analysis

To help us achieve our roadmap, a number of backlog issues are marked as “help needed”. We would particularly appreciate contributions in these areas, as the abilities they unlock will have the greatest impact for the community as a whole.

YaRadare in action

Let’s see YaRadare in action. We will create the tool and then analyze a crypto-mining container using a YARA ruleset.

Build YaRadare

YaRadare is a standalone docker-based tool, hosted at https://github.com/deepfence/YaRadare. Clone this repository, then create:

docker build --rm=true --tag=deepfenceio/deepfence-yaradare:latest 
-f Dockerfile .

Alternatively, you can grab the “official” deepfence image at deepfenceio/deepfence-yaradare:latest.

Find indicators of compromise in a container image

Images can be compromised by installing a range of different malware tools. A common compromise involves installing a cryptominer such as XMRig, allowing the attacker to acquire compute cycles for cryptocurrency mining purposes.

In the following example, we will analyze a legitimate cryptominer image that contains xmrig software similar to that often installed via an exploit:

docker pull metal3d/xmrigdocker run -it --rm --name=deepfence-yaradare 
    -v /var/run/docker.sock:/var/run/docker.sock 
    -v /tmp:/home/deepfence/output 
    --image-name metal3d/xmrig:latest 

This returns, among other things, a clear indication of the presence of XMRig. Note that we store the output (/tmp/xmrig-scan.json) for quick and easy handling:

# Extract the IOC array values. From these, extract the values of the ‘Matched Rule Name’ key

cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"'

This returns a list of possible IOCs identified in the container we scanned.

How will Deepfence use YaRadare?

We are committed to offering YaRadare as an open source project to the community at large. YaRadare relies on the work of thousands of security researchers and community members who developed the YARA toolset and rules that detect a wide range of malware. Our role in the security community is to take their work one step further, presenting it in a way that makes it easy for others to use it to address specific challenges. In this case, we seek to help users secure their cloud-native applications against malware that can result from a supply chain compromise, malicious deployment, or runtime exploitation.

YaRadare is, and always will be, 100% open source. Like everyone else Deepfence Open Source Projects, there are no hidden limitations; no restrictions on the number of analyzes or the size of the infrastructure. We do not require registration, do not collect information that compromises privacy. The users who use our solutions are not our “product”.

Together, the security community has an ethical imperative to work together to build a safer digital experience for all; fully accessible and can be provided by every business and application developer. Deepfence is proud to be part of this movement.

We would be delighted to receive your comments, contributions and suggestions. Please start with YaRadare GitHub repositoryand feel free to join Deepfence community margin.

The post office YaRadare Overview appeared first on deep fence.

*** This is a syndicated blog from the Security Bloggers Network of deep fence written by Owen Garrett. Read the original post at: https://deepfence.io/introducing-yaradare/