Using Tracee to profile and detect common malware behavior
This demo was created to accompany the Kubecon session I was co-presenting: How This Innocent Image Had a Party in My Cluster. It is a demonstration of some malware techniques and how Tracee can be used to observe this behavior and detect it.
Notice: This demo is not necessarily in sync with the latest current version of Tracee
The techniques demonstrated are:
- Contacting a bare IP with bad reputation
- Drop and execute at runtime
- File-less execution using memfd
- File-less Drop
- Unpacking an executable at runtime
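The following scanner is an added example, not code from this demo repository, showing how the listed behaviors can be picked out of Tracee's JSON event stream after the fact. The event names and argument names it keys on (`openat` with a `flags` argument, `memfd_create`, `mprotect` with `prot`, `execve` with `pathname`, `connect` with an `addr` map) are assumptions about the output schema and should be checked against the Tracee version in use; the sample event lines and the bad-reputation IP list are constructed for the example.

```python
"""Scan Tracee-style JSON event lines for the behaviours the demo exercises.

Added example, not code from the tracee-demo repository. The event and
argument names used below are ASSUMPTIONS about Tracee's JSON output;
adapt them to the real schema of the Tracee version in use.
"""
import json
from typing import Iterable

# Constructed bad-reputation list (TEST-NET addresses, not real indicators).
BAD_IPS = {"203.0.113.10", "198.51.100.7"}

# Constructed sample trace: one process drops a file and runs it, another
# unpacks into RWX memory, runs a payload from a memfd and calls home.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"eventName": "openat", "processId": 1001, "processName": "rottendate",
     "args": [{"name": "pathname", "value": "/tmp/spy"},
              {"name": "flags", "value": "O_WRONLY|O_CREAT|O_TRUNC"}]},
    {"eventName": "execve", "processId": 1001, "processName": "rottendate",
     "args": [{"name": "pathname", "value": "/tmp/spy"}]},
    {"eventName": "mprotect", "processId": 1002, "processName": "spy",
     "args": [{"name": "prot", "value": "PROT_READ|PROT_WRITE|PROT_EXEC"}]},
    {"eventName": "memfd_create", "processId": 1002, "processName": "spy",
     "args": [{"name": "name", "value": "x"},
              {"name": "flags", "value": "MFD_CLOEXEC"}]},
    {"eventName": "execve", "processId": 1002, "processName": "spy",
     "args": [{"name": "pathname", "value": "/proc/self/fd/3"}]},
    {"eventName": "connect", "processId": 1002, "processName": "spy",
     "args": [{"name": "addr", "value": {"sa_family": "AF_INET",
                                          "sin_addr": "203.0.113.10",
                                          "sin_port": "4444"}}]},
    {"eventName": "execve", "processId": 1003, "processName": "bash",
     "args": [{"name": "pathname", "value": "/usr/bin/date"}]},
]]


def arg(event: dict, name: str):
    """Return the value of the named argument, or None if absent."""
    for a in event.get("args", []):
        if a.get("name") == name:
            return a.get("value")
    return None


def parse_events(lines: Iterable[str]) -> list:
    """Parse JSON-lines output, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events: list, bad_ips=BAD_IPS) -> list:
    """Return (rule, pid, detail) tuples for the suspicious patterns."""
    findings = []
    memfd_pids = set()   # pids that created an anonymous memfd
    dropped = {}         # path -> pid that opened it for writing
    for ev in events:
        kind, pid = ev.get("eventName"), ev.get("processId")
        if kind == "openat":
            flags = arg(ev, "flags") or ""
            if "O_WRONLY" in flags or "O_RDWR" in flags:
                dropped[arg(ev, "pathname")] = pid
        elif kind == "memfd_create":
            memfd_pids.add(pid)
        elif kind == "mprotect":
            # Writable+executable memory is the usual footprint of unpacking.
            prot = arg(ev, "prot") or ""
            if "PROT_WRITE" in prot and "PROT_EXEC" in prot:
                findings.append(("rwx_memory", pid, prot))
        elif kind == "execve":
            path = arg(ev, "pathname") or ""
            if path in dropped:
                findings.append(("drop_and_execute", pid, path))
            if pid in memfd_pids and (path.startswith("/proc/self/fd/")
                                      or "/memfd:" in path):
                findings.append(("fileless_exec_memfd", pid, path))
        elif kind == "connect":
            addr = arg(ev, "addr") or {}
            ip = addr.get("sin_addr") if isinstance(addr, dict) else None
            if ip in bad_ips:
                findings.append(("bad_reputation_ip", pid, ip))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(parse_events(SAMPLE_LINES)):
        print(f"{rule:20} pid={pid} {detail}")
```

The drop-and-execute rule matches on the written path regardless of which process wrote it, because a real dropper usually forks before the execve and the child has a different pid; in a production rule you would key on process ancestry and a time window instead of a flat dictionary.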
TOC:
- /helloworld - a simple hello world program used as a dummy executable
- /spy - a simple executable that calls out to a bad reputation IP address
- /rottendate - a simple web service delivered as a Docker image that returns the current date and time, but it also hides the "spy" program using all of the discussed evasion techniques
- /demo - scripts to exercise the discussed potentially malicious patterns, and to trace their behavior using Tracee.
Demos:
- Execute the `run.sh` script to run through the scenario unattended. The scripts expect certain arguments, which are documented in each script.
- The scripts are meant to run as a regular user, but they will `sudo` to run some commands.
- Each demo is self contained, sets up its requirements and cleans up after itself.
- The results are obtained under the `/demo/*/out` directory.