Slashdot Mirror


17 Backdoored Images Downloaded 5 Million Times Removed From Docker Hub (bleepingcomputer.com)

An anonymous reader writes: "The Docker team has pulled 17 Docker container images that have been backdoored and used to install reverse shells and cryptocurrency miners on users' servers for the past year," reports Bleeping Computer. "The malicious Docker container images have been uploaded on Docker Hub, the official repository of ready-made Docker images that sysadmins can pull and use on their servers, work, or personal computers." The images, downloaded over 5 million times, helped crooks mine Monero worth over $90,000 at today's exchange rate. Docker Hub is now just the latest package repository to feature backdoored libraries, after npm and PyPI. Docker Hub is now facing criticism for taking months to intervene after user reports, and then going on stage at a developer conference and claiming they care about security.

36 comments

  1. justification by encrypted · · Score: 5, Insightful

    I have always been too picky to trust people's images; if there's something I want to use I will build it myself and store it on my private docker repo. Building your business on something anyone can just upload or change seems dangerous. I started to wonder if the extra work really made sense; apparently yes.

    1. Re: justification by Anonymous Coward · · Score: 0

      Best practice for sure!

    2. Re:justification by Anonymous Coward · · Score: 0

      Unless you can read every script and know for sure with a checksum of every binary, this isn't your docker image. It's the author's. I'm surprised it's *ONLY* "installed cryptocurrency miners" and not "compromised national security" or something.

    3. Re:justification by Bigbutt · · Score: 2

      Yep. Devs and Systems Eng wanted the kubernetes clusters to have internet access in order to download containers. I refused and built containers and pushed them to our internal repo.

      [John]

      --
      Shit better not happen!

    4. Re:justification by thegarbz · · Score: 1

      I have always been too picky to trust people's images; if there's something I want to use I will build it myself and store it on my private docker repo.

      There's a capability question with all of those approaches. I only started playing with docker for the first time 2 months ago, and boy was it complicated. There's a lot to take in when working with it. Personally I had enough problems figuring out how persistent storage worked and the idea of passing settings to the docker container. I would happily say building your own docker image is beyond a large portion of even Linux users.

    5. Re:justification by Anonymous Coward · · Score: 0

      It's really not a choice of one or the other. If you see a container on docker hub that looks interesting/useful just git clone the project files, inspect them, then build it yourself.

      Dockerfiles are so simple that obfuscation is impossible. Security expertise is unnecessary so even a web developer can do it :P

      Just check if there are any binaries that really don't make sense (why do they have a binary in the project files when they could use the package manager's version?) or that can't be verified with MD5SUM from upstream.
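      The review described in the reply above, scripted: list the prebuilt binaries in a cloned project, verify them against a checksum file published upstream, and point out the Dockerfile lines whose effective content is fetched at build time rather than read from the checkout. This is an added example, not code from the thread or from any Docker project; sha256sum stands in for the md5sum the comment mentions, make_sample_project builds a constructed project with invented contents, and example.invalid is a placeholder host.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Docker project:
# the review the comment above describes, scripted. It lists prebuilt
# binaries found in a cloned project, verifies them against a checksum
# file published upstream, and points out the Dockerfile lines that fetch
# and run content the checkout does not contain. sha256sum stands in for
# the md5sum the comment mentions. make_sample_project builds a
# constructed project with invented contents; example.invalid is a
# placeholder host.

# Print paths, relative to $1, of regular files that begin with the ELF
# magic bytes (7f 45 4c 46), i.e. prebuilt binaries checked into the tree.
list_binaries() {
  root=$1
  find "$root" -type f | while IFS= read -r f; do
    if [ "$(od -An -tx1 -N4 "$f" | tr -d ' \n')" = 7f454c46 ]; then
      printf '%s\n' "${f#"$root"/}"
    fi
  done | sort
}

# Verify each binary against a manifest in sha256sum format
# ("<sha256>  <path>", paths relative to the project root). Prints one line
# per binary; returns 1 if any binary is unlisted or does not match.
# (Word-splitting on the list means paths with spaces are not handled.)
verify_binaries() {
  root=$1; manifest=$2; status=0
  for b in $(list_binaries "$root"); do
    if ! grep -q " $b\$" "$manifest"; then
      echo "UNLISTED: $b (upstream publishes no checksum for it)"
      status=1
      continue
    fi
    if (cd "$root" && grep " $b\$" "$manifest" | sha256sum -c --status); then
      echo "OK: $b"
    else
      echo "MISMATCH: $b"
      status=1
    fi
  done
  return $status
}

# Print, with line numbers, the Dockerfile instructions whose effective
# content is fetched at build time rather than read from the checkout:
# ADD with a URL source and RUN lines piping a download into a shell.
# Returns 0 when at least one such line exists (grep semantics).
scan_dockerfile() {
  grep -n -E '^[[:space:]]*ADD[[:space:]]+(https?|ftp)://|^[[:space:]]*RUN.*(curl|wget).*\|[[:space:]]*(ba)?sh' "$1"
}

# Build a constructed project in a temporary directory and print its path.
make_sample_project() {
  dir=$(mktemp -d)
  mkdir -p "$dir/bin"
  printf '\177ELF\001\001\001constructed, not a real binary' > "$dir/bin/helper"
  printf '\177ELF\002\001\001constructed, not in the manifest' > "$dir/bin/extra"
  printf '#!/bin/sh\necho hello\n' > "$dir/entrypoint.sh"
  cat > "$dir/Dockerfile" <<'EOF'
FROM debian:stable-slim
COPY bin/helper /usr/local/bin/helper
ADD https://example.invalid/tool.tar.gz /tmp/tool.tar.gz
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY entrypoint.sh /entrypoint.sh
CMD ["/entrypoint.sh"]
EOF
  # The checksum file a maintainer would publish; it lists helper only.
  (cd "$dir" && sha256sum bin/helper > checksums.txt)
  echo "$dir"
}

# Run the whole review; returns 0 only when every check passes.
review_project() {
  root=$1; problems=0
  echo "== prebuilt binaries in the checkout =="
  list_binaries "$root"
  echo "== checksum verification =="
  verify_binaries "$root" "$root/checksums.txt" || problems=1
  echo "== Dockerfile lines that fetch and run remote content =="
  if scan_dockerfile "$root/Dockerfile"; then problems=1; else echo "(none)"; fi
  return $problems
}
```

      On the constructed project, review_project reports bin/helper as OK, bin/extra as UNLISTED, and two Dockerfile lines (the ADD of a URL and the curl-piped-to-sh RUN) and returns non-zero, which is the signal to read those lines before building. Against a real checkout, the manifest would be the checksum file fetched from the upstream release page, not from the same repository as the binaries.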

  2. Damn it by Tsolias · · Score: 2

    I read that there are images, some backdoors, downloaded gorillion times... and I was ready with the lube next to me... ...but apparently, images can mean .iso files.
    Damn it.

    1. Re:Damn it by Impy+the+Impiuos+Imp · · Score: 1

      Oh whew. I thought it was back to the bad old days where poisoned pictures crashed decompressors in just the right way to take control.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.

  3. Unbelievable by Ozan · · Score: 3, Informative

    Using Docker in production, my heart skipped a beat when I read the headline. But then...

    All 17 images were uploaded on the Docker Hub portal by the same person/group, using the pseudonym of "docker123321."

    WHO THE FUCK pulls an image called docker123321/tomcat22 ?

    1. Re:Unbelievable by skovnymfe · · Score: 1

      5 million retards.

    2. Re:Unbelievable by Anonymous Coward · · Score: 0

      DevOps.

    3. Re:Unbelievable by nickjj · · Score: 1

      Or 5 million CI servers.

    4. Re:Unbelievable by null+etc. · · Score: 1

      Yes, especially CI servers that are using a regex to find the most recent version of software using numerical comparison.

  4. So you are saying ... by whoever57 · · Score: 2

    Nonetheless, Kromtech researchers warn that some of these images also contained backdoor-like capabilities thanks to the embedded reverse shells.

    This means that even if victims stopped using or removed the malicious Docker images, the attacker could have very easily obtained persistence on their systems through other means, possibly granting them access to the system at a later time.

    So you are saying that when the image is run under Docker, it can write to the host filesystem, open ports, etc. Isn't it sandboxed?

    I am not sure how one can claim to care about security without a secure sandbox.

    --
    The real "Libtards" are the Libertarians!

    1. Re:So you are saying ... by Anonymous Coward · · Score: 0

      Containers are not secure sandboxes. They have never been. They are about resource control, and devops shit (library deployment, etc. without conflicting with the host).

      Hell, VMs are about "semi-secure" sandboxes at most, unless you're doing them on s/390x or something like that, which goes a _LOT_ further than x86 ever will when it comes to virtualization (hint: x86's virtualization is a hack and rather incomplete).

    2. Re:So you are saying ... by Anonymous Coward · · Score: 0

      See, you're supposed to use docker to run hypervisors to run docker instances per app... docker your docker... now if only I was joking. :( Thanks, enterprise docker/hypernetes.

    3. Re:So you are saying ... by angel'o'sphere · · Score: 1

      A sandbox does not prevent one from mining a crypto currency ...

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.

    4. Re:So you are saying ... by whoever57 · · Score: 1

      Read my post again. Note carefully the part of the article that I quoted.

      --
      The real "Libtards" are the Libertarians!

    5. Re:So you are saying ... by sjames · · Score: 3, Informative

      That depends on the container, but yes. The spec of a container can include direct access to host resources, including directories, or not. Adding to the fun, if you grant a user sufficient access to docker to run their own images, you have effectively granted them root.

    6. Re:So you are saying ... by thegarbz · · Score: 1

      I am not sure how one can claim to care about security without a secure sandbox.

      How are you posting this right now? Your browser is sandboxed but it has port 443 open? The idea behind any sandbox is to only open access to what you need for the core functionality and isolate everything else.

      Now you've just convinced someone to download an image called docker123321, do you think it would be difficult to convince them to run the image using a command that allows access to parts of the file system / open ports?

      Docker is well sandboxed, but gives the user enough rope with which to hang themselves.

      The -v flag is very flexible. It can bind mount or name a volume with just a slight adjustment in syntax. If the first argument begins with a / or ~/ you're creating a bind mount. Remove that, and you're naming the volume.
      -v /path:/path/in/container mounts the host directory /path at /path/in/container.

    7. Re:So you are saying ... by Anonymous Coward · · Score: 0

      It doesn't have port 443 open. It sends packets from [random ephemeral port] to wherever, dst ports 443/80. If you tried to connect to my machine, or from that machine to localhost, via that same ephemeral port, you'd get a RST back. That ephemeral port is not "open".

      It's a huge difference, you know.

    8. Re:So you are saying ... by fisted · · Score: 1

      Well, if nothing else, at least as of Meltdown the guest could dump the host's memory, which should make it a hell of a lot less difficult to gain access to the host (not necessarily from within the container).

    9. Re:So you are saying ... by Anonymous Coward · · Score: 0

      It's effectively sandboxed, but giving that sandbox extra permissions is part of normal operation and is very often done without considering the security implications.

      As a trivial example: many containers default to running as the "root" user, and mount directories on the host for persistence. One could therefore create an SUID Root file on the host, just as easily as one could within the container, and use that for further escalation.
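      The -v rule from thegarbz's reply above (a source beginning with / or ~/ is a bind mount, anything else names a volume), sjames's point that access to Docker is effectively root, and the root-plus-host-mount escalation in the reply just above, turned into a pre-flight check on a docker run argument list. This is an added example, not code from the thread or from Docker; the SENSITIVE_PATHS list and the severity words are assumptions of the example, while -v/--volume, -u/--user and --privileged are real docker run flags.

```shell
#!/bin/sh
# Added example, not code from the thread or from Docker. Audits the
# argument list that would follow `docker run` before it is executed:
# every -v source is classified by the rule in the thread (leading / or
# ~/ means a bind mount of a host path, anything else a Docker-managed
# named volume), and the combinations that give the container host
# access are reported. SENSITIVE_PATHS and the severity words are
# assumptions of this example; -v/--volume, -u/--user and --privileged
# are real docker run flags.

# Print "bind" or "named" for the source half of a -v value.
# The ~ patterns are quoted so the shell does not tilde-expand them.
classify_volume() {
  case "$1" in
    /* | '~' | '~/'*) echo bind ;;
    *)                echo named ;;
  esac
}

# Host paths whose bind mount is as good as host access (assumed list).
# The Docker socket is included because control of the daemon is root.
SENSITIVE_PATHS="/ /etc /root /home /usr /bin /sbin /boot /var/run/docker.sock /run/docker.sock"

# Audit one -v value "src:dst[:opts]". Prints a finding; returns 1 when HIGH.
audit_volume() {
  spec=$1
  case "$spec" in
    *:*) src=${spec%%:*}; rest=${spec#*:} ;;
    *)   echo "INFO: anonymous volume at $spec"; return 0 ;;
  esac
  case "$rest" in
    *:*) dst=${rest%%:*}; opts=${rest#*:} ;;
    *)   dst=$rest; opts="" ;;
  esac
  if [ "$(classify_volume "$src")" = named ]; then
    echo "INFO: named volume $src at $dst"
    return 0
  fi
  mode=rw
  case ",$opts," in *,ro,*) mode=ro ;; esac
  severity=LOW
  for p in $SENSITIVE_PATHS; do
    case "$src" in "$p" | "$p"/*) severity=HIGH ;; esac
  done
  if [ "$severity" = LOW ] && [ "$mode" = rw ]; then
    # A root process in the container can create a setuid-root file here,
    # and the file is setuid-root on the host as well.
    severity=MEDIUM
  fi
  echo "$severity: bind mount $src at $dst ($mode)"
  [ "$severity" != HIGH ]
}

# Audit a full argument list: audit_run <everything after "docker run">.
# Returns 0 only when nothing is HIGH and every writable bind mount is
# paired with a non-root --user; otherwise prints findings and returns 1.
audit_run() {
  high=0; writable=0; user_set=0
  while [ $# -gt 0 ]; do
    case "$1" in
      -v | --volume | -u | --user)
        [ $# -gt 1 ] || { echo "ERROR: $1 needs a value"; return 2; }
        flag=$1; val=$2; shift ;;
      --volume=* | --user=*)
        flag=${1%%=*}; val=${1#*=} ;;
      --privileged)
        echo "HIGH: --privileged removes most of the isolation"; high=1
        shift; continue ;;
      *) shift; continue ;;
    esac
    case "$flag" in
      -u | --user)
        # --user root or 0 does not count as dropping privileges.
        case "$val" in root | root:* | 0 | 0:*) ;; *) user_set=1 ;; esac ;;
      *)
        finding=$(audit_volume "$val") || high=1
        echo "$finding"
        case "$finding" in MEDIUM:*) writable=1 ;; esac ;;
    esac
    shift
  done
  if [ "$writable" = 1 ] && [ "$user_set" = 0 ]; then
    echo "MEDIUM: writable bind mount and no non-root --user: container root is root on that host path"
    return 1
  fi
  [ "$high" = 0 ]
}

# Demo on a constructed command line; the image name is the one from the
# article. Run the file with --demo to see the findings.
if [ "${1:-}" = "--demo" ]; then
  audit_run -v /:/host -v data:/data docker123321/tomcat22 || echo "verdict: review before running"
fi
```

      In use, a wrapper script or CI step hands audit_run the exact arguments it is about to pass to docker run and refuses to launch on a non-zero return; a bind mount of / or of the Docker socket is reported HIGH regardless of the image, and a writable bind mount of any other host path is only accepted when the container is also given a non-root --user, which is what stops a setuid-root file written from inside from being setuid-root outside.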

  5. Re: Why not legit? by Anonymous Coward · · Score: 0

    They didn't. Nobody wanted to use your malware.

  6. So you are saying ...mainframes by Anonymous Coward · · Score: 0

    You're supposed to run the entire docker system in a VM. As for mainframes, yes, containers run on them as well.

    https://containerjournal.com/2017/07/24/ibm-makes-case-mainframes-container-platforms/

  7. It's not a contradiction by Anonymous Coward · · Score: 0

    Docker folks can care about security and, you know, not have infinite resources to look into every claim of a bad image ... It's like YouTube cares about copyright but maybe doesn't take a video down the moment you ask them to. And for security it's harder because they would need to check that the images actually are bad... and the reputation of the person submitting the report. Or else they are facilitating a denial of service attack against some innocent account.

    It would be different if the malware was in the ubuntu:latest or some other official image. But it was in some personal account ... The people who downloaded those images are idiots. I don't blame Docker at all for not handling it the minute it was reported.

  8. well that's okay! by Anonymous Coward · · Score: 0

    As long as I don't have to sit there and install gcc and all that other crap just to get a web server running, docker is fine with me! I trust the internet!

  9. Re: I'll backdoor you by Anonymous Coward · · Score: 0

    Democrat funded forum disruption trolls sure do hate homosexuals.

  10. justification:Docker store. by Anonymous Coward · · Score: 0

    Since a lot of NAS have virtualization services, I'd say a Docker curated store would be in everyone's best interest.

  11. APK Hosts File Engine does though... apk by Anonymous Coward · · Score: 0

    See subject & via APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download).

    For more security/speed/reliability/anonymity vs. any SINGLE solution (99% of threats = hostnames vs. IP address (that most firewalls use)) more efficiently/FASTER + NATIVELY 4 less!

    (Vs. "Bolt on 'MoAr' illogic-logic" competitors slowing you, hosts speed you up 2 ways (adblocks + hardcodes u spend most time @) vs. competition loaded w/ bugs (DNS/AntiVir) + their overheads (messagepass ('souled-out' to advertiser addons) + filtering drivers) & their complexity leads to exploit).

    * See subject & "Windows hosts trick to block the Coinhive or Crypto-Loot domains" - https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ - BLEEPING COMPUTER

    APK

    P.S.=> It's better vs. the Windows model... apk

  12. Registered /.ers opinions of the Win64 model by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    (APK's work), I've flat out said it's good by BronsCon February 11 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    I do use APK's host file on all my systems at home by OrangeTide December 01 2017

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * See subject: Best part is this Linux 64-bit model is faster & more efficient (does 2x the work in 1/2 the time, literally)

    APK

    P.S.=> Enjoy a faster/safer/more reliable internet... apk