eliasgranderubio / dagda

A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in Docker images/containers and to monitor the Docker daemon and running Docker containers for detecting anomalous activities
Apache License 2.0
1.16k stars, 163 forks

Dagda not detecting malware binaries #64

Closed BiJason closed 5 years ago

BiJason commented 5 years ago

I was trying to test the malware detection of dagda from the CLI, and it doesn't seem to pick up anything.

Steps I took:

  1. Started dagda server

  2. Performed proper assignment of environment variables and initiation of vulnerability database.

  3. Built an image from a dockerfile with the line:

    'RUN git clone https://www.github.com/ytisf/theZoo'. The GitHub repo is literally just full of malware binaries.

  4. Ran the dagda check on the docker image

Results

The dagda history shows no malware binaries being scanned. Not a single one. Vulnerability scanning for CVEs seems to work fine though.

Specs

eliasgranderubio commented 5 years ago

Hi @BiJason ,

Dagda uses TiredofitClamav docker image which contains Clamav AV. If you use Clamav without any docker image for scanning the TheZoo project, do you get any malware detection?

If you get any malware, perhaps it would be interesting to review the docker image with Clamav. Else, the problem could be in the Clamav itself.

Regards.

BiJason commented 5 years ago

Hey @eliasgranderubio , thanks for the response!

I ran a ClamAV scan with the following steps on an infected docker image.

Steps to create infected docker image:

  1. Use a secure virtual machine with strict access rules, in my case I used an Amazon AWS EC2 instance.
  2. Create a Dockerfile with the line: git clone https://github.com/ytisf/theZoo (be careful, this repo contains malware). Here's the Dockerfile that I used:

FROM python:2.7-alpine
RUN apk add --no-cache sqlite-libs=3.28.0-r0
RUN apk update
RUN apk add git
RUN apk add py-pip
RUN addgroup -S sasquatch
RUN adduser -S sasquatch -G sasquatch
RUN git clone https://github.com/ytisf/theZoo
WORKDIR /theZoo
RUN apk add bash
RUN apk add python-dev
RUN pip install wheel
RUN apk add gcc musl-dev
RUN apk add linux-headers
RUN pip install --user pyminizip
RUN yes | apk add sudo
EXPOSE 5000
USER sasquatch

  3. Built the Dockerfile into a container.
  4. Ran the container.
  5. Ran docker exec -u 0 -it "CONTAINER_NAME" /bin/sh
  6. Within the container, ran python theZoo.py
  7. Followed steps within the program, and called the corresponding commands to install malware onto the image. (use #malwareID followed by get #malwareID)
  8. Ran docker commit on the container to build the final infected image.

Steps to run ClamAV scan:

  1. "sudo apt-get install clamav" on the vm with the infected image.
  2. "clamscan -r /var/lib/docker"

Output:

Known viruses: 6218676
Engine version: 0.100.3
Scanned directories: 15041
Scanned files: 110008
Infected files: 323
Data scanned: 3004.39 MB
Data read: 10153.11 MB (ratio 0.30:1)
Time: 1302.386 sec (21 m 42 s)
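
For anyone trying to pin down where the detections disappear between a raw clamscan run (323 infected files above) and the empty list Dagda returns later in this thread, here is an added example (my own, not Dagda's code) that parses `clamscan -r` output into a findings list and cross-checks it against the summary's `Infected files` count, so an empty list next to a non-zero count is flagged as lost output instead of passing as a clean scan. The sample output is constructed, and the `file`/`malware` keys are an assumption about the report shape, not Dagda's format.

```python
import re

# Constructed sample of "clamscan -r" output (not taken from this issue thread):
# one "<path>: <signature> FOUND" line per detection, "<path>: OK" for clean
# files, then the scan summary block.
SAMPLE_OUTPUT = """\
/var/lib/docker/overlay2/l1/diff/theZoo/malwares/Binaries/Eicar/eicar.com: Eicar-Test-Signature FOUND
/var/lib/docker/overlay2/l1/diff/theZoo/README.md: OK
/var/lib/docker/overlay2/l1/diff/theZoo/malwares/Binaries/Sample/sample.exe: Win.Trojan.Agent-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6218676
Engine version: 0.100.3
Scanned directories: 3
Scanned files: 3
Infected files: 2
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 0.500 sec (0 m 0 s)
"""

# Greedy path match, then the last ": " before the signature; ClamAV signature
# names contain no whitespace.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Summary keys are words only, so the first ": " after them is the separator.
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


def parse_clamscan(text):
    """Return (findings, summary): a list of {'file', 'malware'} dicts (assumed
    report shape) and a dict of the summary lines."""
    findings = []
    summary = {}
    in_summary = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if "SCAN SUMMARY" in line:
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            findings.append({"file": m.group("path"), "malware": m.group("sig")})
    return findings, summary


def infected_count(summary):
    """Integer from the 'Infected files' summary line, or None if it is missing."""
    value = summary.get("Infected files")
    return int(value) if value is not None and value.isdigit() else None


def scan_is_consistent(findings, summary):
    """True only when the summary's infected count equals the number of FOUND
    lines parsed. A missing summary, or zero findings beside a non-zero count,
    means output was lost between scanner and report; treat that as an error
    condition, never as a clean image."""
    count = infected_count(summary)
    return count is not None and count == len(findings)


if __name__ == "__main__":
    found, info = parse_clamscan(SAMPLE_OUTPUT)
    for hit in found:
        print("%s -> %s" % (hit["file"], hit["malware"]))
    print("consistent:", scan_is_consistent(found, info))
```

Feeding the captured stdout of the real scan into `parse_clamscan` and asserting `scan_is_consistent` before trusting an empty list is the cheap check that would have separated "ClamAV found nothing" from "the wrapper dropped the results" in this thread.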

eliasgranderubio commented 5 years ago

If you run the same analysis with the next method used by Dagda, do you get the same report?

In your case, the parameters would be:

BiJason commented 5 years ago

What steps are required to run that method?

eliasgranderubio commented 5 years ago

If you use the docker_driver.py script as docker driver for that method, running it should be easy (the imports have been omitted):

# imports omitted, as noted above
d = DockerDriver()
output = get_malware_included_in_docker_image(d, "/var/lib/docker")
print(output)

BiJason commented 5 years ago

Yes, it's still returning an empty list with the python script.

eliasgranderubio commented 5 years ago

The last chance. If you run the docker run command without my Python script with the same parameters as this script, do you get the empty list?

eliasgranderubio commented 5 years ago

Any update about the last proposed test @BiJason ?

BiJason commented 5 years ago

Yes, still no findings.

eliasgranderubio commented 5 years ago

Then, could you build a docker image with ClamAV which is capable of malware detection for your described use case?

A PR would be appreciated :-)

eliasgranderubio commented 5 years ago

Closed due to inactivity.