Introducing YaraHunter

Like a snake, Malware can hide anywhere. Photo by Sagar Paranjape on Unsplash

Introducing YaraHunter — finding malware in cloud-native applications

Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised.

YaraHunter can be used to detect malware in cloud-native applications in the following ways:

• At rest: scan local container images, before they are deployed, to verify they do not contain malware
• At runtime: scan running docker containers, if, for example, you observe unusual network traffic or CPU activity
• Against filesystems: at any time, YaraHunter can scan a local directory or filesystem for indicators of compromise

YaraHunter is entirely open source (Apache v2 license) and may be used with a wide range of publicly available and private YARA rulesets. You can find it at https://github.com/deepfence/YaRadare — please check it out!

YaraHunter futures

We’ve got a broad roadmap for the project, to cover a set of scenarios where Malware may be added to a cloud-native application or service:

• Supply-Chain Poisoning: a malicious actor injects malware into upstream images. A developer unwittingly includes these images in application builds, and the resulting build artifacts are deployed to production or shipped to other users.
• Malicious Deployment: a user compromises the deployment process of an application, for example, by creating a malicious admission controller or init script that injects malware into an application image when it is deployed.
• Run-Time Compromise: an attacker exploits a vulnerability or weak configuration in a running application, such as log4j, to install malware tools.

YaraHunter will operate within 4 stages of the lifecycle of an application image:

Lifecycle Stage: Build and Test

• Capability: CI/CD integration. Test images during build to identify any malware-like components within
• Purpose: To detect and block Supply Chain Poisoning
• Status: Backlog

Lifecycle Stage: Containers at Rest

• Capability: Scan container images ‘at rest’, supporting various public and private registries
• Purpose: Detect evidence of Supply Chain Poisoning
• Status: Supported for local containers (pulled from remote registry); Backlog: direct scanning of containers in remote registries

Lifecycle Stage: At Deployment

• Capability: Kubernetes Admission Controller (or equivalent). Inspect workloads at the moment of deployment and block images that do not meet standards
• Purpose: Final backstop for Supply Chain Poisoning checks; identify some instances of malicious deployment
• Status: Backlog

Lifecycle Stage: At Runtime

• Capability: Inspect running containers for the presence of malware-like components
• Purpose: Detect run-time compromise
• Status: Support for Docker (filesystem images); Backlog: support for Kubernetes; Backlog: in-memory scanning

To help us reach our roadmap, a number of issues on the backlog are tagged as “help needed”. We’d particularly appreciate contributions in these areas, as the capabilities they unlock will have the greatest impact for the community at large.

YaraHunter in Action

Let’s see YaraHunter in action. We’ll build the tool, and then scan a crypto-mining container using a set of YARA rules.

Build YaraHunter

YaraHunter is a self-contained docker-based tool, hosted at https://github.com/deepfence/YaRadare. Clone this repository, then build:

docker build --rm=true --tag=deepfenceio/deepfence-yaradare:latest \
-f Dockerfile .

Alternatively, you can pull the ‘official’ deepfence image at deepfenceio/deepfence-yaradare:latest.

Find Indicators of Compromise in a container image

Images may be compromised by the installation of a range of different malware software tools. One common compromise involves the installation of a cryptominer such as XMRig, allowing the attacker to acquire compute cycles for the purposes of mining cryptocurrency.

In the following example, we’ll scan a legitimiate cryptominer image that contains the similar xmrig software to that which is often installed through an exploit:

docker pull metal3d/xmrigdocker run -it --rm --name=deepfence-yaradare \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp:/home/deepfence/output \
deepfenceio/deepfence-yaradare:latest \
--image-name metal3d/xmrig:latest \
--json-filename=xmrig-scan.json

This returns, among other things, clear indication of the presence of XMRig. Note that we store the output (/tmp/xmrig-scan.json) for quick and easy manipulation:

# Extract the IOC array values. From these, extract the values of the ‘Matched Rule Name’ key

cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"'
"XMRIG_Miner"
"XMRIG_Miner"
"Cerberus"
"XMRIG_Miner"
"XMRIG_Miner"
"XMRIG_Miner"
"Cerberus"
"XMRIG_Miner"

This returns a list of possible IOCs identified in the container we scanned.

How will Deepfence use YaraHunter?

We’re committed to offering YaraHunter as an open-source project to the community at large. YaraHunter builds on the work of thousands of security researchers and community members who developed the YARA toolset and the rules that detect a wide range of malware. Our role in the security community is to take their work one step further, packaging it in a way that allows others to use it easily to address specific challenges. In this case, we’re seeking to help users secure their cloud-native applications against malware which may come as a result of supply chain compromise, malicious deployment or exploitation at runtime.

YaraHunter is, and always will be, 100% open source. Like all other Deepfence open source projects, there are no hidden limitations; no restrictions on the number of scans or size of infrastructure. We do not require registration, do not collect privacy-compromising information. Users who use our solutions are not our ‘product’.

Together, the security community has an ethical imperative to work together to build a safer digital experience for all; one that is fully accessible and can be delivered by every enterprise and application developer. Deepfence is proud to be a part of this movement.

We’d welcome any feedback, contributions and suggestions. Please start with the YaraHunter GitHub repository, and feel welcome to join the Deepfence Community Slack.