Like a snake, Malware can hide anywhere. Photo by Sagar Paranjape on Unsplash
Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised.
YaraHunter can be used to detect malware in cloud-native applications in the following ways:
YaraHunter is entirely open source (Apache v2 license) and may be used with a wide range of publicly available and private YARA rulesets. You can find it at https://github.com/deepfence/YaRadare — please check it out!
We’ve got a broad roadmap for the project, to cover a set of scenarios where Malware may be added to a cloud-native application or service:
YaraHunter will operate within 4 stages of the lifecycle of an application image:
To help us reach our roadmap, a number of issues on the backlog are tagged as “help needed”. We’d particularly appreciate contributions in these areas, as the capabilities they unlock will have the greatest impact for the community at large.
Let’s see YaraHunter in action. We’ll build the tool, and then scan a crypto-mining container using a set of YARA rules.
YaraHunter is a self-contained docker-based tool, hosted at https://github.com/deepfence/YaRadare. Clone this repository, then build:
docker build --rm=true --tag=deepfenceio/deepfence-yaradare:latest \
-f Dockerfile .
Alternatively, you can pull the ‘official’ deepfence image at deepfenceio/deepfence-yaradare:latest.
Images may be compromised by the installation of a range of different malware software tools. One common compromise involves the installation of a cryptominer such as XMRig, allowing the attacker to acquire compute cycles for the purposes of mining cryptocurrency.
In the following example, we’ll scan a legitimiate cryptominer image that contains the similar xmrig software to that which is often installed through an exploit:
docker pull metal3d/xmrigdocker run -it --rm --name=deepfence-yaradare \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp:/home/deepfence/output \
--image-name metal3d/xmrig:latest \
This returns, among other things, clear indication of the presence of XMRig. Note that we store the output (/tmp/xmrig-scan.json) for quick and easy manipulation:
# Extract the IOC array values. From these, extract the values of the ‘Matched Rule Name’ key
cat /tmp/xmrig-scan.json | jq '.IOC | ."Matched Rule Name"'
This returns a list of possible IOCs identified in the container we scanned.
We’re committed to offering YaraHunter as an open-source project to the community at large. YaraHunter builds on the work of thousands of security researchers and community members who developed the YARA toolset and the rules that detect a wide range of malware. Our role in the security community is to take their work one step further, packaging it in a way that allows others to use it easily to address specific challenges. In this case, we’re seeking to help users secure their cloud-native applications against malware which may come as a result of supply chain compromise, malicious deployment or exploitation at runtime.
YaraHunter is, and always will be, 100% open source. Like all other Deepfence open source projects, there are no hidden limitations; no restrictions on the number of scans or size of infrastructure. We do not require registration, do not collect privacy-compromising information. Users who use our solutions are not our ‘product’.
Together, the security community has an ethical imperative to work together to build a safer digital experience for all; one that is fully accessible and can be delivered by every enterprise and application developer. Deepfence is proud to be a part of this movement.
We’d welcome any feedback, contributions and suggestions. Please start with the YaraHunter GitHub repository, and feel welcome to join the Deepfence Community Slack.