
Comments (11)

eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

Hi @BiJason ,

Dagda uses the TiredofitClamav docker image, which contains the ClamAV AV. If you use ClamAV without any docker image for scanning the TheZoo project, do you get any malware detection?

If you get any malware, perhaps it would be interesting to review the docker image with ClamAV. Otherwise, the problem could be in ClamAV itself.

Regards.

from dagda.

BiJason avatar BiJason commented on May 29, 2024

Hey @eliasgranderubio , thanks for the response!

I ran ClamAV with the following steps on an infected docker image.

Steps to create infected docker image:

  1. Use a secure virtual machine with strict access rules, in my case I used an Amazon AWS EC2 instance.
  2. Create a Dockerfile with the line: git clone https://github.com/ytisf/theZoo (be careful, this repo contains malware). Here's the Dockerfile that I used:

FROM python:2.7-alpine
RUN apk add --no-cache sqlite-libs=3.28.0-r0
RUN apk update
RUN apk add git
RUN apk add py-pip
RUN addgroup -S sasquatch
RUN adduser -S sasquatch -G sasquatch
RUN git clone https://github.com/ytisf/theZoo
WORKDIR /theZoo
RUN apk add bash
RUN apk add python-dev
RUN pip install wheel
RUN apk add gcc musl-dev
RUN apk add linux-headers
RUN pip install --user pyminizip
RUN yes | apk add sudo
EXPOSE 5000
USER sasquatch

  3. Built the Dockerfile into a container.
  4. Ran the container.
  5. Ran docker exec -u 0 -it "CONTAINER_NAME" /bin/sh
  6. Within the container, ran python theZoo.py
  7. Followed steps within the program, and called the corresponding commands to install malware onto the image. (use #malwareID followed by get #malwareID)
  8. Ran docker commit on the container to build the final infected image.

Steps to run ClamAV scan:

  1. "sudo apt-get install clamav" on the VM with the infected image.
  2. "clamscan -r /var/lib/docker"

output:

Known viruses: 6218676
Engine version: 0.100.3
Scanned directories: 15041
Scanned files: 110008
Infected files: 323
Data scanned: 3004.39 MB
Data read: 10153.11 MB (ratio 0.30:1)
Time: 1302.386 sec (21 m 42 s)

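As an added example (not Dagda's code and not the script BiJason ran), the following parses clamscan -r output over /var/lib/docker into a findings list, groups the FOUND lines by overlay2 layer directory, and checks the parsed list against the "Infected files" summary count, which is the mismatch this thread is chasing (a non-zero infected count but an empty list). The sample output, layer ids and signature names are constructed, and the overlay2 path layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of "clamscan -r /var/lib/docker" output; layer ids and
# signature names are made up for illustration, not real scan results.
SAMPLE_OUTPUT = """\
/var/lib/docker/overlay2/aaa111/diff/theZoo/malware/Binaries/Sample1/Sample1.zip: Example.Trojan.A FOUND
/var/lib/docker/overlay2/aaa111/diff/theZoo/theZoo.py: OK
/var/lib/docker/overlay2/bbb222/diff/usr/bin/python: OK
/var/lib/docker/overlay2/aaa111/diff/theZoo/malware/Binaries/Sample2/Sample2.zip: Example.Worm.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6218676
Engine version: 0.100.3
Scanned files: 4
Infected files: 2
"""

FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<signature>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# Assumed overlay2 layout: /var/lib/docker/overlay2/<layer>/diff/<files>
LAYER_RE = re.compile(r"/var/lib/docker/overlay2/(?P<layer>[^/]+)/diff/")

def parse_clamscan(text):
    # Returns (findings, summary): per-file FOUND hits and the summary block.
    findings, summary, in_summary = [], {}, False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_summary = True
            continue
        if in_summary:
            m = SUMMARY_RE.match(line)
            if m:
                summary[m.group("key")] = m.group("value")
            continue
        m = FOUND_RE.match(line)
        if m:
            findings.append({"file": m.group("path"), "malware": m.group("signature")})
    return findings, summary

def findings_by_layer(findings):
    # Group detections by the image layer they live in.
    by_layer = defaultdict(list)
    for f in findings:
        m = LAYER_RE.search(f["file"])
        by_layer[m.group("layer") if m else "unknown"].append(f["malware"])
    return dict(by_layer)

def check_consistency(findings, summary):
    # True only when the parsed list matches the engine's own infected count.
    return int(summary.get("Infected files", "0")) == len(findings)
```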

eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

If you run the same analysis with the next method used by Dagda, do you get the same report?

In your case, the parameters would be:

  • temp_dir = /var/lib/docker
  • docker_driver is the docker_driver.py included in this project


BiJason avatar BiJason commented on May 29, 2024

What steps are required to run that method?


eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

If you use the docker_driver.py script as the docker driver for that method, running it should be easy (the imports have been omitted):

d = DockerDriver()
output = get_malware_included_in_docker_image(d, "/var/lib/docker")
print(output)


BiJason avatar BiJason commented on May 29, 2024

Yes, it's still returning an empty list with the python script.


eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

The last chance. If you run the docker run command without my Python script, with the same parameters as this script, do you get the empty list?


eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

Any update about the last proposed test @BiJason ?


BiJason avatar BiJason commented on May 29, 2024

Yes, still no findings.


eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

Then, could you build a docker image with ClamAV which is capable of malware detection for your described use case?

A PR would be appreciated :-)


eliasgranderubio avatar eliasgranderubio commented on May 29, 2024

Closed due to inactivity.

