Malware In Docker For Mac

Posted on

One of the true benefits of being a SANS Internet Storm Center Handler is working with top notch security industry experts, and one such person is Lenny Zeltser. I’ve enjoyed Lenny’s work for many years; if you’ve taken SANS training you’ve either heard of or attended his GIAC Reverse Engineering Malware course and likely learned a great deal. You’re hopefully also aware of Lenny’s Linux toolkit for reverse-engineering and analyzing malware, REMnux. I covered REMnux in September 2010, but it, and the landscape, have evolved so much in the five years since. Be sure to grab the latest OVA and revisit it, if you haven’t utilized it lately. Rather than revisit REMnux specifically this month, I’ll draw your attention to a really slick way to analyze malware with Docker and specific malware-analysis related REMnux project Docker that Lenny’s created.

Lenny expressed that he is personally interested in packaging malware analysis apps as containers because it gives him the opportunity to learn about container technologies and understand how they might be related to his work, customers and hobbies. Lenny’s packaging tools that are “useful in a malware analysis lab, that like-minded security professionals who work with malware or forensics might also find an interesting starting point for experimenting with containers and assessing their applicability to other contexts.”. Docker can be utilized on Ubuntu, Mac OS X, and Windows, I ran it on the SANS SIFT 3.0 virtual machine distribution, as well as my Mac Mini. The advantage of Docker containers, per the What Is Docker page, is simple to understand. First, “Docker allows you to package an application with all of its dependencies into a standardized unit for software development.” Everything you need therefore resides in a container: “Containers have similar resource isolation and allocation benefits as virtual machines but a different architectural approach allows them to be much more portable and efficient.” The Docker Engine is just that, the source from whom all container blessings flow. It utilizes Linux-specific kernel features so to run it on Windows and Mac OS X, it will install VirtualBox and boot2docker to create a Linux VM for the containers to run on Windows and Mac OS X.

Windows Server is soon adding direct support for Docker with Windows Server Containers. In the meantime, if you’re going to go this extent, rather than just run natively on Linux, you might as well treat yourself to Kitematic, the desktop GUI for Docker. Read up on before proceeding if you aren’t already well informed. Most importantly, read. Lenny mentioned that he is not planning to use containers as the architecture for the REMnux distro, stating that “This distribution has lots of useful tools installed directly on the REMnux host alongside the OS. It's fine to run most tools this way. Before we dig in to REMnux Docker containers, I wanted to treat you to a very cool idea I’ve implemented after reading it on the as posted by Lenny.

He describes methods to install REMnux on a SIFT workstation, or SIFT on a REMnux workstation. I opted for the former because Docker runs really cleanly and natively on SIFT as it is Ubuntu 14.04 x64 under the hood. Installing REMnux on SIFT is as easy as wget -quiet -O - sudo bash, then wait a bit. The script will update APT repositories (yes, we’re talking about malware analysis but no, not that APT) and install all the REMnux packages. When finished you’ll have all the power of SIFT and REMnux on one glorious workstation. By the way, if you want to use the full REMnux distribution as your Docker host, Docker is already fully installed. Included in the REMnux container collection as of this writing you will find the V8 JavaScript engine, the low-interaction honeyclient, the Viper binary analysis framework, and memory forensic frameworks, the JSDetox JavaScript analysis tool, the Radare2 reverse engineering framework, the Pescanner static malware analysis tool, the MASTIFF static analysis framework, and the Maltrieve malware samples downloader.

This may well give you everything you possibly need as a great start for malware reverse engineering and analysis in one collection of Docker containers. I won’t discuss the Rekall or Volatility containers as toolsmith readers should already be intimately familiar with, and happily using, those tools. But it is mighty convenient to know you can spin them up via Docker. The first time you run a Docker container it will be automatically pulled down from the Docker Hub if you don’t already have a local copy. All the REMnux containers reside there, you can, as I did, start with ’s wicked good Maltrieve by executing sudo docker run -rm -it remnux/maltrieve bash.

MalwareMalware

Once the container is downloaded and ready, exit and rerun it with sudo docker run -rm -it -v /samples:/home/sansforensics/samples remnux/maltrieve bash after you build a samples directory in your home directory. Important note: the -v parameter defines a shared directory that the container and the supporting host can both access and utilized. Liken it to Shared Folders in VMWare.

Be sure to run sudo chmod a+xwr against it so it’s world readable/writeable. When all said and done you should be dropped to a nonroot prompt (a good thing), simply run maltrieve -d /home/sansforensics/samples/ -l /home/sansforensics/samples/maltieve.log and wait again as it populates malware samples to your sample directory, as seen in Figure 1, from the likes of Malc0de, Malware Domain List, Malware URLs, VX Vault, URLquery, CleanMX, and ZeusTracker. Next up, a look at the REMnux MASTIFF container.

“ is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats” from. I ran it as follows: sudo docker run -dns=my.dns.server.ip -rm -it -v /samples:/home/sansforensics/samples remnux/mastiff bash. You may want or need to replace -dns=my.dns.server.ip with your preferred DNS server if you don’t want to use the default 8.8.8.8. I found this ensured name resolution for me from inside the container. MASTIFF can call the VirusTotal API and submit malware if you configure it to do so with mastiff.conf, it will fail if DNS isn’t working properly. You need to edit mastiff.conf via vi with you API key and enable submit=yes.

Malware In Docker For Mac

Mac Docker Image

Also note that, when invoked with -rm parameters, the container will be ephemeral and all customization will disappear once the container exits. You can invoke the container differently to save the customization and the state. Lenny’s plans for the future include maintaining and enhancing the REMnux distro with the help of the Debian package repository he set up for this purpose with Docker and containers part of his design. Independently, he will continue to build and catalog Docker containers for useful malware analysis tools, so they can be utilized with or without the REMnux distro.

I am certain this is the best way possible for you readers to immerse yourself in both Docker technology and some of the best of the REMnux collection at the same time.

Jan 18, 2014 - Few moths back we written an article about how to Install CyanogenMod ROM on Android With Windows Installer App (No Rooting). At that time. Jan 16, 2014 - You can now install the popular Android OS variant CyanogenMod using a Mac and the official installer. It's almost too easy. CyanogenMod Installer for Mac, free and safe download. This free install opens up many options and can really pay off for advanced users. Dec 24, 2013 - Next install CyanogenMod Installer on Windows Vista, 7, or 8 (the Mac version is coming soon). The wizard will need administrator permission. Jan 15, 2014 - It essentially serves as the fastest and most streamlined way of installing CyanogenMod onto your device, with little to no effort expended. How to install cyanogenmod installer for mac.

A Sophos researcher stirred up the Mac masses this week when he reported that 20 percent of Mac computers carry Windows malware. The good news is that even though Macs are capable of harboring Windows-targeting viruses and Trojans, those machines can't be harmed by the malware in all but exceptional cases. The bad news, though, is that Mac users can still spread that malware to Windows machines in a number of ways. Sophos senior technology consultant Graham Cluley on a Sophos study that found that one in five Macs carries one or more instances of Windows malware and that one in 36 Macs are infected with Mac malware. Some critics of Cluley's article have taken issue with his view that 'although most of the malware we're currently seeing on Macs is designed to infect Windows, you should still be a responsible member of society and ensure that you're keeping your Mac squeaky clean.' Stay up to date with.

Get. Again, Windows malware won't hurt a Mac, but a Mac user can inadvertently pass along that malware to a colleague's or friend's Windows machine in a number of ways. Cluely provided InfoWorld with the following examples:.

Forwarding malware-infected emails to Windows-using friends and colleagues. Sharing files with Windows colleagues and friends (using USB sticks, Dropbox, or the like). If Web development is done on a Mac, infected files (be they executable or HTML/JS infections) can end up being transferred to a Web server and shared with the world What's more, Mac machines aren't entirely immune to Windows malware if they're, say, running Parallels. 'When you run Parallels, or any virtual machine software that runs a full copy of Windows, it's just like you're running Windows when you're in that VM, and all the same rules apply,' said via email.

Malware In Docker For Mac Free

Unless you run Windows on your Mac, the notion of loading resource-intensive antivirus software simply for the sake of protecting a peer or friend's Windows machine may not sit well. Bill Cole, a system admin, thoughtfully weighed in on the subject: One of the reasons Mac users have been reluctant to adopt AV software is that it is perceived as bloatware that does nothing of direct value for a Mac user. Is it worth the AV overhead for the average Mac user to know when he has surfed past a page that has IE-specific evil JavaScript in it or when the latest blatant phish in his Junk folder is recognized specifically as containing a Windows attack vector?

And change that analysis significantly, but not enough for a lot of Mac users. Maybe if the major AV vendors could claim to have prevented infections before Apple's sluggish fix for the Java hole they would be more convincing. As both Cole and Cluley noted, the emergence of Mac malware like Flashback points to the fact that Macs are becoming increasingly targeted by malware as the Mac platform continues to gain popularity. 'Clearly, the Windows malware on Macs isn't as big a problem as Mac malware actually running on Macs, but the fact that some of the Windows malware we found on Macs was five years old underlines that many Mac users simply aren't taking security seriously at all,' Cluely told InfoWorld.

In other words, it would behoove Mac users to start taking necessary precaution to better protect their machines, just as it would suit vendors (hey, how about Apple?) to develop the sort of security software that Mac users will want to use. Mac malware will only increase, and down the road, we might start seeing instances of malware capable of infecting both Macs and Windows. 'There are very, very few examples of malware that have payloads that work on both Mac and Windows. The ones that do exist aren't common in the wild,' said Grimes. 'As our Web standards become more standard (with Web services, HTML5, and so on), we can expect payloads to become cross-platform, because the bad guy can at least infect and exploit within the hosting browser environment. I expect a future headline within a year or two to announce the arrival of popular cross-platform malware.'

Malware In Docker For Mac Windows 10

This story, ',' was originally published at. Get the first word on what the important tech news really means with the. For the latest developments in business technology news, follow.