Docker Removes Malicious Containers from its Hub

July 3, 2018 - 7 minutes read

If you’re a web, operating system, or mobile developer, you’re probably familiar with Docker already. If you’re a tech enthusiast, there’s a chance you’ve heard of this wildly popular platform used to deploy software to a sandbox for testing in a real-world environment.

If you’re one of the many people who have never heard of Docker, don’t despair. It’s not a popular tool among non-developers, so most people wouldn’t know the first thing about it. We’ll give some background on Docker before detailing exactly what cybersecurity events occurred.

What is Docker?

The basis for Docker is the little “containers” it creates. These containers (otherwise known as sandbox environments) make it really easy to pull down a codebase from the web and begin work on it right away. Containers run on a Linux kernel rather than booting one of their own, which makes it easy for developers to install Docker and “just go”, especially if they’re running Ubuntu or Mac OS X.

You might be thinking that this sounds incredibly similar to another wildly popular type of software that is also used to test and deploy software: virtual machines. Unfortunately, virtual machines take up a lot of memory on your computer, and most developers aren’t working on a project that needs that robust of a setup. Docker uses a low-memory, lightweight approach that shares your computer’s kernel, letting developers create multiple containers in one sitting. Running that many virtual machines side by side would not be practical.

Don’t get us wrong — Docker didn’t invent containers. Not by a long shot. But it greatly revived and popularized the containerization movement by creating very easy-to-use container software that takes no time to set up and deploy software from.

Thus, Docker has become the go-to workflow tool for many, if not most, developers. Additionally, Docker launched the innovative idea of creating a community around container libraries, and it was met with a big thumbs up from developers around the world.

Docker’s the Best! … Or Is It?

Not surprisingly, Docker’s popularity exploded from 2013 to now, and today, Docker’s developer is worth over a billion dollars. Google itself runs two billion Docker containers per week (and that was just in 2014). Naturally, this means Docker has a heightened risk of getting hacked or used for malicious intent.

Before we dig into what happened, here is some background about containers and their relation to images.

When you run a Docker image, you launch containers; in other words, containers are run-time instances of images and are created when you run an image. The image contains several important files: the code, libraries, a runtime, environment variables, and configuration files. It’s easy to see that images save developers tons of time; simply pull an image that has everything set up and ready to go, and you’ve slashed several hours of setup.

About two months ago, the Docker team removed 17 images that contained backdoors. Any container started from one of these images on your local machine would immediately open a backdoor to your machine without your knowledge. The malware-infected images installed reverse shells and cryptocurrency miners on unsuspecting servers over the course of 12 months.

How Could This Happen?

The images were uploaded on Docker Hub, which is the San Francisco-headquartered company’s official repository of ready-made Docker images.

Unfortunately, new images don’t get vetted in any way, so the malicious images were listed immediately for download in May 2017. Docker received several flags from other Docker users against user docker123321 (the account that uploaded all 17 of the malware images), but these images were listed in the official Docker repository until they were taken down in May 2018 after two users, Fortinet and Kromtech, complained.

Both users conducted in-depth research and analysis into what effects the malicious images were producing, and both found very disturbing evidence of backdoor cryptocurrency mining. What’s scary is that some of the malicious images were pulled over 1 million times, while others had been pulled hundreds of thousands of times.

The Kromtech research team found that, in just one instance, one of the downloaded images mined almost 545 Monero coins, which today is worth over $70,000. The company released a full report with a breakdown of exactly what each container is capable of causing in your computer.

What Now?

Well, there is no guarantee that every affected computer has been scrubbed clean of this malware. In fact, many affected servers may still be compromised. The malicious software can be activated at any time once it’s on the computer, and pulling any of the images would’ve taken just a few seconds.

“For ordinary users, just pulling a Docker image from the DockerHub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it,” Kromtech researchers say.

To fully repair your system, you must wipe the whole machine clean. In the future, do not trust Docker’s official repository to have safe images; create your own images to use and reuse, even though it will take some effort and troubleshooting the first time. It’s worth the peace of mind, and you’ll gain another skill to list on your resume!
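The Kromtech quote above and the advice to build your own images both come down to the same control: decide in advance which image sources you trust, and never pull a mutable tag that can be quietly repointed to different content. The script below is an added example (not Docker’s, Kromtech’s or Fortinet’s code) of a pre-pull policy check: it parses every `FROM` line in a Dockerfile, normalizes the reference the way Docker does (bare names resolve to the official `library/` namespace on `docker.io`), and flags references that are not pinned to a `sha256` digest or that come from outside an allowlist. The allowlist prefixes, the sample Dockerfile, the `someuser/tomcat` name and the digest values are all constructed for illustration.

```python
"""Pre-pull policy check for image references in a Dockerfile.

Added example for this article, not code from Docker or the researchers.
The allowlist, sample Dockerfile and digests are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist: our own registry plus Docker's official "library/" images.
# Any other namespace on Docker Hub is treated as unvetted, like docker123321 was.
ALLOWED_PREFIXES = ("registry.example.internal/", "docker.io/library/")

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def canonical(self) -> str:
        return f"{self.registry}/{self.repository}"


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry/]repo[:tag][@sha256:...]' using Docker's defaults:
    no registry means docker.io, a bare name on docker.io means library/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}: {digest}")
    # A ':' is a tag separator only if it comes after the last '/';
    # otherwise it is a registry port (e.g. localhost:5000/app).
    tag = None
    last_colon = ref.rfind(":")
    if last_colon > ref.rfind("/"):
        ref, tag = ref[:last_colon], ref[last_colon + 1:]
    parts = ref.split("/")
    first = parts[0]
    is_registry = len(parts) > 1 and ("." in first or ":" in first or first == "localhost")
    if is_registry:
        registry, path = first, "/".join(parts[1:])
        if registry == "index.docker.io":
            registry = "docker.io"
    else:
        registry, path = "docker.io", ref
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # official-image namespace
    return ImageRef(registry, path, tag, digest)


def check_reference(ref: str) -> list[str]:
    """Return policy findings for one reference; an empty list means it passes."""
    img = parse_image_ref(ref)
    findings = []
    if img.digest is None:
        findings.append("not pinned to a digest: the tag can be repointed to other content")
    if not img.canonical.startswith(ALLOWED_PREFIXES):
        findings.append(f"source {img.canonical} is not on the allowlist")
    return findings


def check_dockerfile(text: str) -> dict[str, list[str]]:
    """Check every FROM line; keys are the references exactly as written.
    'scratch' and earlier build stages are skipped because nothing is pulled."""
    results: dict[str, list[str]] = {}
    stages: set[str] = set()
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if ref.lower() != "scratch" and ref not in stages:
            results[ref] = check_reference(ref)
        if stage:
            stages.add(stage)
    return results


# Constructed sample; the digest is a placeholder, not a real image digest.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILE = f"""\
FROM registry.example.internal/base/builder@{FAKE_DIGEST} AS build
FROM someuser/tomcat:latest
FROM python:3.9
FROM docker.io/library/alpine:3.8@{FAKE_DIGEST}
FROM build
"""

if __name__ == "__main__":
    for ref, findings in check_dockerfile(SAMPLE_DOCKERFILE).items():
        print(f"{ref}: {'OK' if not findings else '; '.join(findings)}")
```

Run as a pre-commit or CI step, this fails the build whenever a Dockerfile pulls from an unvetted Hub namespace or by a floating tag. Pinning by digest only guarantees you get the same bytes each time; what those bytes do still has to be established once, by building the image yourself or reviewing the source you pin to, which is the work the article recommends taking on.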

We don’t know for certain if Docker will start scanning its current repository of images or even if it will scan new images uploaded. There could be more malicious software in the Docker Hub, and Docker wouldn’t know it without users lodging more complaints. This is a great chance for a competitor to set things right by implementing secure protocols from the ground-up, literally. What are your thoughts on Docker’s complete oversight of repository security?
