2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains a method for automatically collecting a Linux malware environment and reproducing it with Docker. The method is simple, fast and practical; the steps are described below.
Overview
A real Linux malware intrusion usually leaves several kinds of artefacts on the host: virus files, virus processes, malicious startup items, network communication traffic and so on. A single virus file on its own is rarely enough to reconstruct the whole attack environment, which makes comprehensive analysis of the attack chain, and testing of a security product's detection capability, difficult. The method below, based on Docker, automatically collects these items and restores the entire attack scenario, reproducing the infected host's environment as closely as possible for later research and analysis.
The principle of the method is that a bash script automatically collects the virus items on the infected host and packages them into a container environment, which is then reproduced locally with Docker, so that the generated container contains the complete malware environment.
Detailed steps
As a demonstration, take a host infected by StartMiner (the 8220 mining family). The output of the inspection commands on this host shows malicious scheduled tasks, virus files, virus processes and related information.
The collection script mainly gathers the following items:
- Files from the common virus drop directories /tmp/, /root/ and /opt/
- Scheduled task files
- SSH cache files
- The syslog and audit security logs
- Process information
- Network information
The script then automatically generates the docker-compose.yml file, which is used to create the Docker container in one step.
After the malbox.sh script has run for a few seconds, all virus items are packaged into the file malbox.tar.gz.
Extract malbox.tar.gz locally; the malbox directory then contains the file system and configuration files required for the Docker environment. docker-compose.yml maps the key directories into the container and simulates the execution of the malicious commands. Before running it, customise docker-compose.yml: fill in the virus family name and the command to be run at startup (ps.txt and netstat.txt in the package show the virus process command lines to be simulated).
After the modification, deploy the container with docker-compose up -d and list the running containers. If startminer_2010 appears in the list, the container is running successfully.
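The article describes malbox.sh but does not show it. The following script is an added example, not the author's malbox.sh: it collects the six artefact classes listed above into a staging directory, writes a docker-compose.yml skeleton with the family name filled in and a placeholder for the startup command, and packs everything as malbox.tar.gz. The root-directory parameter is an assumption added so the script can be exercised against a constructed directory tree; on a real host it is "/", and the staging directory should be placed outside the collected directories (for example under /var/tmp) so the script does not copy its own output.

```shell
#!/bin/sh
# Added example (not the article's malbox.sh). Collects the artefacts the article
# lists, writes a docker-compose.yml skeleton and packs <staging>.tar.gz.
set -u

copy_tree() {   # copy_tree <root> <relative path> <staging>: copy the path if it exists
    if [ -e "$1/$2" ]; then
        mkdir -p "$3/rootfs/$(dirname "$2")"
        cp -a "$1/$2" "$3/rootfs/$(dirname "$2")/"
    fi
}

write_compose() {   # write_compose <staging> <family>: compose skeleton for the analyst to complete
    cat > "$1/docker-compose.yml" <<EOF
version: "3"
services:
  $2:
    image: malbox        # base image from the article: ubuntu plus wget/curl/ssh/crontab
    container_name: $2
    volumes:
      - ./rootfs/tmp:/tmp
      - ./rootfs/root:/root
      - ./rootfs/opt:/opt
      - ./rootfs/etc/cron.d:/etc/cron.d
      - ./rootfs/var/spool/cron:/var/spool/cron
      - ./rootfs/var/log:/var/log
    # Fill in from meta/ps.txt: the virus process command line to replay at startup
    command: ["/bin/sh", "-c", "REPLACE_WITH_COMMAND_FROM_ps.txt"]
EOF
}

collect_malbox() {   # collect_malbox <root> <staging> <family>: prints the archive path
    root="$1"; out="$2"; family="$3"
    rm -rf "$out"
    mkdir -p "$out/rootfs" "$out/meta"
    # 1. common drop directories for virus files
    for p in tmp root opt; do copy_tree "$root" "$p" "$out"; done
    # 2. scheduled tasks: system crontab, cron.d and per-user spool
    for p in etc/crontab etc/cron.d var/spool/cron; do copy_tree "$root" "$p" "$out"; done
    # 3. ssh material of non-root users (/root/.ssh already came with /root)
    for h in "$root"/home/*/.ssh; do
        if [ -d "$h" ]; then copy_tree "$root" "${h#"$root/"}" "$out"; fi
    done
    # 4. syslog and audit logs
    for p in var/log/syslog var/log/messages var/log/auth.log var/log/audit/audit.log; do
        copy_tree "$root" "$p" "$out"
    done
    # 5. process list and 6. network connections (ss, falling back to netstat);
    #    the redirections create the files even when the tools are absent
    ps aux > "$out/meta/ps.txt" 2>/dev/null || ps -ef > "$out/meta/ps.txt" 2>/dev/null || true
    { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null || true; } > "$out/meta/netstat.txt"
    write_compose "$out" "$family"
    tar -czf "$out.tar.gz" -C "$(dirname "$out")" "$(basename "$out")"
    printf '%s\n' "$out.tar.gz"
}

# Usage on the infected host, as root:
#   collect_malbox / /var/tmp/malbox startminer_2010
```

The staging tree keeps the host's layout under rootfs/, so the compose file can bind-mount each directory at its original path; the process and network snapshots go to meta/ because they are reference material for the analyst rather than part of the simulated file system.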
The base image used by the malware container is malbox. It is built on the ubuntu image and adds commands and services that malware commonly relies on (wget, curl, ssh, crontab and so on), so that the simulation is closer to the real host.
With the command docker exec -it startminer_2010 /bin/bash you can enter the container. Its environment is almost identical to that of the infected host, and troubleshooting and analysis can be carried out there.
Looking at the process list inside the container, the malicious download process and the mining process with its high CPU usage are clearly visible.
The syslog and audit.log files in the container also help researchers trace the entire malware attack chain.
Audit can additionally use custom rules to monitor suspicious behaviour and classify it according to the ATT&CK matrix.
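The article mentions custom audit rules keyed to the ATT&CK matrix without showing any. The block below is an added example, not part of the article: a small rules file whose keys name the technique each watch evidences (cron persistence, SSH authorized_keys changes, wget/curl downloads), plus a summariser that counts audit.log records per key so an analyst can see at a glance which techniques the captured log shows. The rules paths are the usual Linux locations, the sample audit records are constructed, and the rules are a starting point rather than a complete policy.

```shell
#!/bin/sh
# Added example (not from the article): ATT&CK-keyed audit rules and a per-key
# summary over audit.log. Sample log records below are constructed.
set -u

write_attack_rules() {   # write_attack_rules <rules file>, e.g. /etc/audit/rules.d/malbox.rules
    cat > "$1" <<'EOF'
## Persistence via cron: T1053.003 (Scheduled Task/Job: Cron)
-w /etc/crontab -p wa -k T1053.003_cron
-w /etc/cron.d -p wa -k T1053.003_cron
-w /var/spool/cron -p wa -k T1053.003_cron
## Persistence via SSH keys: T1098.004 (Account Manipulation: SSH Authorized Keys)
-w /root/.ssh/authorized_keys -p wa -k T1098.004_ssh_keys
## Payload download: T1105 (Ingress Tool Transfer); -p x fires on execution
-w /usr/bin/wget -p x -k T1105_ingress_tool
-w /usr/bin/curl -p x -k T1105_ingress_tool
EOF
}

sample_audit_log() {   # sample_audit_log <file>: constructed records in auditd's key="..." format
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 comm="sh" exe="/bin/dash" key="T1053.003_cron"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="wget" exe="/usr/bin/wget" key="T1105_ingress_tool"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=4 comm="sh" exe="/bin/dash" key="T1053.003_cron"
type=USER_LOGIN msg=audit(1700000000.104:204): pid=1 uid=0 auid=0 ses=1 msg='op=login id=0 exe="/usr/sbin/sshd" res=success'
EOF
}

summarise_audit_keys() {   # summarise_audit_keys <audit.log>: "key count" per line, most frequent first
    # records without a key (no matching rule) carry no key="..." field and are skipped
    sed -n 's/.*key="\([^"]*\)".*/\1/p' "$1" | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Usage:
#   write_attack_rules /etc/audit/rules.d/malbox.rules && augenrules --load
#   sample_audit_log /tmp/audit.sample && summarise_audit_keys /tmp/audit.sample
```

Because the technique id is embedded in the key, the same summary works on the audit.log copied out of the infected host by the collection script, as long as the rules were loaded before the infection was captured.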
At this point you should have a deeper understanding of the Docker-based automatic collection method; try it out in practice.
© 2024 shulou.com SLNews company. All rights reserved.