A new way to hide malware in Docker's virtual machine
uhh
• mangopdfWhoa hello guess what I found a ✨new✨ technique that lets you turn almost invisible after you hack someone’s computer, so they don’t notice you messing with their stuff. It only works on macOS, and only if they already have Docker Desktop installed. But it’s goOd I swear.
I am now going to just go off in incredible detail about the story of flubbing my way to finding this thing, if that’s okay with you.
If you’re like an actual adult or a lawyer or something and you want the no-nonsense, bland and textureless version of this story, you can read the official and canonical blog post.
Okay now that all the cops are gone let’s do 𝓬𝔂𝓫𝓮𝓻𝓬𝓻𝓲𝓶𝓮.
Part 1: “Don’t get caught for a year”
One day, when I was doing my actual hecking job like a loser, my teammate asked me what I thought it would take to stay hidden on someone’s computer for a whole year after first hacking it. This is actually a completely normal and very cool thing to talk about in my line of work.
Not that it was like a “"challenge”"" or anything, just a fun hypothetical chat between professional business colleagues.
But like haha if it were a challenge I guess the rules would be something like:
You get one shot to run any code you want on someone’s (macOS) computer. You have to install malware, and it has to still be there a year later.
By malware I mean “remote control software”: You can control their computer from your computer. Hackers want that because they can download secret files, turn things on and off, and generally do anything you can do with your computer.
Damn a whole year huh
I was thinking yikes, a year is…. a long time to be just vibing on someone else’s computer without getting noticed. So many things can go wrong:
- What if they notice your cool fun
big_crime.shrunning on their computer? - What if you accidentally crash their computer or break something, tipping them off?
COOL JOKE- What if the computer reboots?
- What if it has a system update?
Damn the monitoring software on company Macbooks is kinda scary
Yeah so we’re not so much talking about hacking “my Dad’s Macbook Air (2015)”, as much as like, “a professional software engineer’s corporate-issued computer (2022)”. They’ve got all kinds of monitoring software running on these Macbooks, and it’s checking for all the common tricks. Or is it? You don’t even know what they’re checking for. If you trip one of their alerts, someone gets notified, and you might get caught.
DAmn we’re gonna need something jank
I realised we probably weren’t going to get away with being #basic. To dodge all that monitoring, we’re gonna need a completely new trick nobody’s ever heard of, because it’s hard to find something if you don’t know what it looks like.
Hmmm, where should I look for a new technique?
The world of hiding malware on macOS turned out to be not so much a “world” as precisely one (1) technique: Just blatantly adding it to the list of programs macOS runs on startup1.
This was absolutely not going to fit my internet cybercrime needs.
However.
People don’t actually run plain, fresh macOS, straight out of the Apple store
They take this beautiul, pristine, incredibly security engineered Macbook out of the box, and then immediately install “Developer Tools” to it, thirstily clicking “Allow” on some buttons of which I mustn’t speak.
Why, they often install things like Homebrew, Docker, iTerm2 etc..
These apps have much less security review than macOS itself, and are tools for cool power user chad software developers, so they are less about security and more about *lips on mic* powerful features.
I mean look at this.
Do you know who makes iTerm2?
I didn’t know, and I was like “I bet it’s just one person”, so I looked it up and here he is!
It’s this guy. It’s this ONE guy
Do you want to see the code? It’s all here on Github.
The last commit was TWELVE hours ago, it’s FRESH
Listen all I’m saying is that whatever *checks notes * George Nachman puts in iTerm2? It’s running on the laptops of like, everyone who writes code at tech companies.
Welcome to macOS! Copy paste this into your terminal and do not ask any questions😌
Surely I can use these legitimate programs for Crime
Yes that is CORRECT let’s go.
Surely, I thought, one of these brave brave apps would be able to help me.
I did not so much aim to “find bugs” in one of these programs so much as “find features”😉😉😉😉
If I were a hacker, just hypothetically, I’d love to use a legit feature of the app to hide, since it would blend in nicely, and be less likely than a bug to be removed in a future update.
So, which of these developer tools sound like they’d be good places to hide malware? Well, which of them execute code?
Actually, all of them execute code, and all of them sound like pretty good places to hide to me. But, I tried Docker first, because I knew it had the most powerful features, could access the whole computer, and seemed just a little too difficult to use in a safe enough way.
The bottom line
Anyway, this has been a rambly way of dancing around the fact that I ultimately stumbled on this techique by googling “docker docs” and Cmd+F’ing the page for “exec”.2
Part 2: Stumbling upon my new best friend, runc
“sorry i don’t know any of this nerd stuff, what’s “““docker””?
Docker is a way to make using computers harder for yourself. If you dislike computers, you’ll hate more computers.
Computers inside computers were a mistake
Basically Docker lets you run programs in their own computer inside your computer, like a parallel universe but much less cool. They call these parallel universes “containers”. I know.
But, because these container computers are also just programs running inside your computer, sometimes they can escape their lil container world and do stuff on your real computer. I’m sure you see where this is going.
I wanted to know if Docker could be told to execute code regularly, because…. what if it executed my naughty malware code regularly?
My new best friend
When I was searching the Docker documentation for ways to execute code, I had no idea what I was looking at.
I mean would you LOOK at this mess
There were “runtime execution options”. I like execution? But what exactly was this page telling me could be executed? By who? Where? I didn’t know. But, I did see that Docker was asking for the location of a file, which it would then execute for me whenever whenever a Docker container was run (that’s a lot).
Uncanny. That looks almost exactly like I can put a path to a file in this config file, and Docker will run the file, instead of runc, whatever that is.
In which the perfect content simply falls into my lap
That was too easy. When you’re running code on someone else’s computer, getting something Legit and Official to run your code for you is way better than just running it yourself. It blends in, and who would suspect code being run by our trusted friend and ally, Docker?
Needless to say, I was popping off at this point, and rushed to try giving docker my own file to run with great gusto.
Running a different program in place of runc
“Surely I can just point Docker at my malware file and call it a day” - me, about to have a great time on my computer
At first, I did just that, and instantly broke my Docker to the point where it was unusable.
After bashfully resetting Docker to factory defaults, it turned out this runc thing I was replacing actually did something, and the malware I was replacing it with did not so much “do that thing” as “be malware”.
I wanted, desperately, to modify runc so it did whatever it’s supposed to do and also runs my malware.
A fun fact about runc is that it is open source software, and on Github.
So I extremely downloaded and modified runc to do all its normal stuff and also download and execute my malware. Then I recompiled it, and got a fresh yummy new runc-but-worse binary to run.
Testing it out
“Surely it can’t be that easy”, I thought. I very hesitantly slotted in my new runc binary with malware sticky taped on.
Who wore it better?
Before
After
the frickin’ PRO to skip updates!?
the uwu whale
The downsides
But, of course, this has downsides: You don’t know whether the hypothetical Macbook you’re trying to hack will even have Docker on it when you get to it, so you can’t guarantee that your method will work in advance.
We make this tradeoff with operating systems all the time (e.g. preparing malware that only runs on Windows, or only on Linux), so I decided to be a bit of a psycho and try to trade off even more flexibility for even more stealth. It only works when they have Docker, but when they do, boy does it work.
it’s not the developer tools’ fault, it’s macOS’s fault for being SO secure you can’t get anything done without breaking ALL the security, all or nothing
Here’s how to make a LaunchAgent if u wanna be BASIC ↩︎
Because I wanted to execute code, duh ↩︎