Skip to content

Container image with malware and crypto miner for testing purposes

License

Notifications You must be signed in to change notification settings

ruzickap/malware-cryptominer-container

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Container image with malware and crypto miner for testing purposes

Container build Artifact Hub

Ransomware Malware Threat Actor

I decided to build minimal nginx based container image which contains malware / ransomware / crypto miner / ...

Security tools should be able to scan the image and discover harmful files.

Running/starting the container image do not "activate" / "execute" the malware.

The malware files inside container image were downloaded from:

The malware/crypto miner are located in the /usr/share/nginx/html directory:

/usr/share/nginx/html
β”œβ”€β”€ ILOVEYOU.vbs                      [C source, ASCII text]
β”œβ”€β”€ Invoke-ConPtyShell.ps1            [ASCII text, with very long lines (361)]
β”œβ”€β”€ L0Lz.bat                          [DOS batch file, ASCII text]
β”œβ”€β”€ Linux.Trojan.Multiverze.elf.x86   [ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, with debug_info, not stripped]
β”œβ”€β”€ MadMan.exe                        [MS-DOS executable]
β”œβ”€β”€ Melissa.doc                       [Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.10, Code page: 1252, Title: Password List for March 26th 1999, Subject: Adult Website Passwords, Author: John Holmes, Keywords: 73 sites in this list, Comments: Password List for March 26th 1999, Template: Normal.dot, Last Saved By: Him, Revision Number: 2, Name of Creating Application: Microsoft Word 8.0, Create Time/Date: Fri Mar 26 11:39:00 1999, Last Saved Time/Date: Fri Mar 26 11:39:00 1999, Number of Pages: 2, Number of Words: 745, Number of Characters: 4249, Security: 0]
β”œβ”€β”€ Py.Trojan.NecroBot.py             [Python script, ASCII text executable, with very long lines (4330), with CRLF line terminators]
β”œβ”€β”€ TrojanSpy.MacOS.XCSSET.A          [Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
β”œβ”€β”€ Trojan.Java.Fractureiser.MTB.jar  [Trojan:Java/Fractureiser!MTB]
β”œβ”€β”€ Txt.Malware.Sustes.sh             [Bourne-Again shell script, ASCII text executable]
β”œβ”€β”€ Unix.Downloader.Rocke.sh          [POSIX shell script, ASCII text executable]
β”œβ”€β”€ Unix.Malware.Kaiji.elf.arm        [ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=9fdmXJhReUX31Gj9ZEYg/ufudXOOpAambiyMItr13/otwZTTTdWsnO_OuvAAn-/qn6mMLxbKwGft_Ecoum6, stripped]
β”œβ”€β”€ Unix.Trojan.Mirai.elf.m68k        [ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped]
β”œβ”€β”€ Unix.Trojan.Mirai.elf.mips        [ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, not stripped]
β”œβ”€β”€ Unix.Trojan.Mirai.elf.ppc         [ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, not stripped]
β”œβ”€β”€ Unix.Trojan.Mirai.elf.sparc       [ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, not stripped]
β”œβ”€β”€ Unix.Trojan.Mirai.elf.x86_64      [ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped]
β”œβ”€β”€ Unix.Trojan.Spike.elf.arm         [ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, with debug_info, not stripped]
β”œβ”€β”€ Walker.com                        [DOS executable (COM), start instruction 0xe9cd04e8 5400e871]
β”œβ”€β”€ WannaCry.exe                      [PE32 executable (GUI) Intel 80386, for MS Windows]
β”œβ”€β”€ Win.Trojan.Perl.perl              [Perl script text executable]
β”œβ”€β”€ Zloader.xlsm                      [Microsoft Excel 2007+]
β”œβ”€β”€ eicar
β”‚Β Β  β”œβ”€β”€ eicar.com                     [EICAR virus test files]
β”‚Β Β  β”œβ”€β”€ eicar.com.txt                 [EICAR virus test files]
β”‚Β Β  └── eicarcom2.zip                 [Zip archive data, at least v1.0 to extract]
└── xmrig
    β”œβ”€β”€ xmrig                         [ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, stripped]
    └── xmrig-linux-static-x64.tar.gz [gzip compressed data, last modified: Sun Oct 23 10:50:44 2022, from Unix, original size modulo 2^32 8898560]

List of malware/ransomware/crypto miner files:

Deployment of the vulnerable image

There are several ways how to run the "malware container image" and there are few of them.

CloudFormation - EC2 instance

Run the EC2 instance with docker and the quay.io/petr_ruzicka/malware-cryptominer-container container with SSM enabled (only console access):

export AWS_DEFAULT_REGION="eu-central-1"

aws cloudformation deploy --capabilities CAPABILITY_IAM \
  --stack-name "${USER}-malware-cryptominer-container-ec2" \
  --parameter-overrides "ContainerImage=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2" \
  --template-file EC2InstanceWithDockerSample.yaml \
  --tags "Name=${USER}-malware-cryptominer-container-ec2"

# aws cloudformation delete-stack --stack-name ${USER}-malware-cryptominer-container-ec2

Amazon ECS

Copilot example:

export AWS_DEFAULT_REGION="eu-central-1"

copilot init --app "${USER}-malware-cryptominer-app" --name "${USER}-malware-cryptominer" \
  --image quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2 \
  --type 'Load Balanced Web Service' --port 8080 --deploy

# copilot app delete --name "${USER}-malware-cryptominer-app"

Amazon EKS

Run simple Amazon EKS cluster with "malware pod":

export AWS_DEFAULT_REGION="eu-central-1"
export CLUSTER_NAME="${USER}-malware-cryptominer-eks"
export KUBECONFIG="/tmp/kubeconfig-${CLUSTER_NAME}.conf"

eksctl create cluster --name "${CLUSTER_NAME}" --instance-types t3a.small --kubeconfig "${KUBECONFIG}"
kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2

# eksctl delete cluster --name "${CLUSTER_NAME}"

Scanner tests

Few scanners which I used to identify the problems inside container image. (results will change in the future)

  • Scanner tests were executed on: 2023-01-04
  • Image version: quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0

Aqua Scanner

❯ docker pull quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
❯ docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock registry.aquasec.com/scanner:2022.4 \
  -H https://xxxxxxxxx.cloud.aquasec.com -U 'ruzickap-scanner-test' -P 'xxxxxxx' \
  scan --local --scan-malware --collect-sensitive quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
2023-01-04 10:08:41.610   INFO    Logger started with level INFO
2023-01-04 10:08:46.642   INFO    Registering with server {"os": "linux", "os_version": "", "registries": []}
2023-01-04 10:08:46.846   INFO    Successfully registered {"scanner_id": 13712}
2023-01-04 10:08:47.372   INFO    Starting Scan Image {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c"}
2023-01-04 10:08:47.696   INFO    Start getting image information from registry... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397"}
2023-01-04 10:08:47.698   INFO    Connecting to registry... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397"}
2023-01-04 10:08:47.703   INFO    Requesting authorization to pull image... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397"}
2023-01-04 10:08:47.822   INFO    Getting image manifest... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397"}
2023-01-04 10:08:47.827   INFO    Found several platforms matching request, choosing first one {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "selected": "amd64::linux:", "matches": ["amd64::linux:"]}
2023-01-04 10:08:47.827   INFO    Getting image history... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:47.827   INFO    Getting image metadata... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:47.928   INFO    Working with Layer Digest Ids {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:47.930   INFO    End getting image information from registry... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:47.930   INFO    Start getting assurance policies from server... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:47.930   INFO    Getting assurance policies... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.128   INFO    End getting assurance policies from server... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 1}
2023-01-04 10:08:48.128   INFO    Start fetching security feed from server... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.229   INFO    Latest security feeds need to be pulled from server. {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.352   INFO    Latest security feeds need to be pulled from server. {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.472   INFO    Latest security feeds need to be pulled from server. {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.720   INFO    End fetching security feed from server... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:48.720   INFO    Start pulling image... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:48.720   INFO    Start pulling image in Dockerless mode... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:50.849   INFO    End pulling image in Dockerless mode... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 2}
2023-01-04 10:08:50.850   INFO    End pulling image {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 2}
2023-01-04 10:08:50.850   INFO    Start analyzing image layer by layer without Docker... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:50.852   INFO    Start analyzing image by layer without Docker... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:51.938   INFO    End analyzing image by layer without Docker... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 1}
2023-01-04 10:08:51.939   INFO    End analyzing image layer by layer without Docker... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:51.939   INFO    Contacting CyberCenter... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.390   INFO    Start merging layers analysis... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.390   INFO    End merging layers analysis... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:52.391   INFO    Start Contacting CyberCenter... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.617   INFO    End Contacting CyberCenter... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:52.618   INFO    Start processing results... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.728   INFO    End processing results... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:52.729   INFO    Start applying assurance policies... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.932   INFO    Applying image assurance policies... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:"}
2023-01-04 10:08:52.941   INFO    End applying assurance policies... {"registry": "", "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0", "requested platform": "amd64:::", "job ID": "cf845f13-f22a-41bb-bc07-48e6ffe4e02c", "server version": "2022.4.21541ab397", "scanning platform": "amd64::linux:", "seconds": 0}
2023-01-04 10:08:54.782   INFO    Skipping file hash saving.
{
  "image": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0",
  "scan_started": {
    "seconds": 1672826927,
    "nanos": 372585185
  },
  "scan_duration": 5,
  "image_size": 30934357,
  "digest": "sha256:5ab315d3255b83f72c9352d901fd5610cead689f73ed792eb9a411d73a522fc4",
  "metadata": {
    "repo_digests": [
      "quay.io/petr_ruzicka/malware-cryptominer-container@sha256:1f742ffe4aceb94534d84be9b5935deca8b6f5a934d9306f433522d4924400a9"
    ]
  },
  "os": "alpine",
  "version": "3.17.0",
  "image_assurance_results": {
    "checks_performed": [
      {
        "policy_id": 265,
        "policy_name": "mypolicy",
        "control": "root_user"
      },
    ...
    ...
    ...
    ]
  },
  "vulnerability_summary": {},
  "scan_options": {
    "scan_executables": true,
    "scan_sensitive_data": true,
    "scan_malware": true,
    "scan_files": true,
    "scan_timeout": 3600000000000,
    "manual_pull_fallback": true,
    "save_adhoc_scans": true,
    "use_cvss3": true,
    "dockerless": true,
    "system_image_platform": "amd64:::",
    "telemetry_enabled": true,
    "scan_elf": true,
    "enable_fast_scanning": true,
    "memoryThrottling": true,
    "suggest_os_upgrade": true,
    "seim_enabled": true,
    "adhoc_scan_retention": 30
  },
  "initiating_user": "ruzickap-scanner-test",
  "data_date": 1672816984,
  "pull_name": "quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0",
  "scan_id": 1337258,
  "required_image_platform": "amd64:::",
  "scanned_image_platform": "amd64::linux:",
  "security_feeds_used": {
    "executables": "ef4e6ffe9e909f"
  },
  "image_id": 2294916,
  "internal_digest_id": {
    "id": 216918
  },
  "local": true,
  "OriginFromHostImage": true,
  "CanSkipFileHashSave": true
}
2023-01-04 10:08:54.919   INFO    Deregistering from console
2023-01-04 10:08:55.024   INFO    Scan successfully completed.

Details from "Aqua Images" section:

Aqua - Image details Aqua - Images

Aqua details of container image running inside Amazon EKS cluster:

Aqua - Container image running in Amazon EKS

Trivy Scanner

❯ trivy image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
2023-01-04T10:15:42.045Z   INFO    Vulnerability scanning is enabled
2023-01-04T10:15:42.046Z   INFO    Secret scanning is enabled
2023-01-04T10:15:42.047Z   INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-01-04T10:15:42.047Z   INFO    Please see also https://aquasecurity.github.io/trivy/v0.33/docs/secret/scanning/#recommendation for faster secret detection
2023-01-04T10:15:42.052Z   INFO    Detected OS: alpine
2023-01-04T10:15:42.052Z   INFO    This OS version is not on the EOL list: alpine 3.17
2023-01-04T10:15:42.052Z   INFO    Detecting Alpine vulnerabilities...
2023-01-04T10:15:42.054Z   INFO    Number of language-specific files: 0

quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0 (alpine 3.17.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Prisma Cloud Scanner

Files are extracted to the disk, where the scanner is running (local "antivirus" will detect the extracted malware files)

❯ docker pull quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
❯ twistcli images scan --address=https://us-west1.cloud.twistlock.com/xxxxxxxxxxxxxx --details --user xxxx --password xxxx quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
Scan results for: image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0 sha256:5ab315d3255b83f72c9352d901fd5610cead689f73ed792eb9a411d73a522fc4
Vulnerabilities
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
|      CVE       | SEVERITY | CVSS | PACKAGE | VERSION  |          STATUS          |  PUBLISHED  | DISCOVERED |                    DESCRIPTION                     |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-38297 | critical | 9.80 | go      | 1.14.4   | fixed in 1.17.2, 1.16.9  | > 1 years   | < 1 hour   | Go before 1.16.9 and 1.17.x before 1.17.2 has a    |
|                |          |      |         |          | > 1 years ago            |             |            | Buffer Overflow via large arguments in a function  |
|                |          |      |         |          |                          |             |            | invocation from a WASM module, when GOARCH=wasm    |
|                |          |      |         |          |                          |             |            | GOOS...                                            |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23806 | critical | 9.10 | go      | 1.14.4   | fixed in 1.17.7, 1.16.14 | > 10 months | < 1 hour   | Curve.IsOnCurve in crypto/elliptic in Go before    |
|                |          |      |         |          | > 10 months ago          |             |            | 1.16.14 and 1.17.x before 1.17.7 can incorrectly   |
|                |          |      |         |          |                          |             |            | return true in situations with a big.Int value     |
|                |          |      |         |          |                          |             |            | that i...                                          |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30580 | high     | 7.80 | go      | 1.14.4   | fixed in 1.18.3, 1.17.11 | > 4 months  | < 1 hour   | Code injection in Cmd.Start in os/exec before      |
|                |          |      |         |          | > 4 months ago           |             |            | Go 1.17.11 and Go 1.18.3 allows execution of any   |
|                |          |      |         |          |                          |             |            | binaries in the working directory named either     |
|                |          |      |         |          |                          |             |            | \"..com\...                                        |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41715 | high     | 7.50 | go      | 1.14.4   | fixed in 1.19.2, 1.18.7  | 81 days     | < 1 hour   | Programs which compile regular expressions from    |
|                |          |      |         |          | 81 days ago              |             |            | untrusted sources may be vulnerable to memory      |
|                |          |      |         |          |                          |             |            | exhaustion or denial of service. The parsed regexp |
|                |          |      |         |          |                          |             |            | repre...                                           |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-3996  | high     | 7.50 | openssl | 3.0.7-r0 | fixed in 3.0.7-r2        | 21 days     | < 1 hour   | If an X.509 certificate contains a malformed       |
|                |          |      |         |          | 1 hours ago              |             |            | policy constraint and policy processing is         |
|                |          |      |         |          |                          |             |            | enabled, then a write lock will be taken twice     |
|                |          |      |         |          |                          |             |            | recursively. On...                                 |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32189 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.5, 1.17.13 | > 4 months  | < 1 hour   | A too-short encoded message can cause a panic in   |
|                |          |      |         |          | > 4 months ago           |             |            | Float.GobDecode and Rat GobDecode in math/big in   |
|                |          |      |         |          |                          |             |            | Go before 1.17.13 and 1.18.5, potentially allowing |
|                |          |      |         |          |                          |             |            | a...                                               |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30635 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Decoder.Decode in        |
|                |          |      |         |          | > 4 months ago           |             |            | encoding/gob before Go 1.17.12 and Go 1.18.4       |
|                |          |      |         |          |                          |             |            | allows an attacker to cause a panic due to stack   |
|                |          |      |         |          |                          |             |            | exhaustion v...                                    |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30633 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Unmarshal in             |
|                |          |      |         |          | > 4 months ago           |             |            | encoding/xml before Go 1.17.12 and Go 1.18.4       |
|                |          |      |         |          |                          |             |            | allows an attacker to cause a panic due to stack   |
|                |          |      |         |          |                          |             |            | exhaustion via un...                               |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30632 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Glob in path/filepath    |
|                |          |      |         |          | > 4 months ago           |             |            | before Go 1.17.12 and Go 1.18.4 allows an attacker |
|                |          |      |         |          |                          |             |            | to cause a panic due to stack exhaustion via a     |
|                |          |      |         |          |                          |             |            | path...                                            |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30631 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Reader.Read in           |
|                |          |      |         |          | > 4 months ago           |             |            | compress/gzip before Go 1.17.12 and Go 1.18.4      |
|                |          |      |         |          |                          |             |            | allows an attacker to cause a panic due to stack   |
|                |          |      |         |          |                          |             |            | exhaustion via...                                  |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30630 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Glob in io/fs before Go  |
|                |          |      |         |          | > 4 months ago           |             |            | 1.17.12 and Go 1.18.4 allows an attacker to cause  |
|                |          |      |         |          |                          |             |            | a panic due to stack exhaustion via a path which   |
|                |          |      |         |          |                          |             |            | c...                                               |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2880  | high     | 7.50 | go      | 1.14.4   | fixed in 1.19.2, 1.18.7  | 81 days     | < 1 hour   | Requests forwarded by ReverseProxy include the     |
|                |          |      |         |          | 81 days ago              |             |            | raw query parameters from the inbound request,     |
|                |          |      |         |          |                          |             |            | including unparseable parameters rejected by       |
|                |          |      |         |          |                          |             |            | net/http. T...                                     |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-2879  | high     | 7.50 | go      | 1.14.4   | fixed in 1.19.2, 1.18.7  | 81 days     | < 1 hour   | Reader.Read does not set a limit on the maximum    |
|                |          |      |         |          | 81 days ago              |             |            | size of file headers. A maliciously crafted        |
|                |          |      |         |          |                          |             |            | archive could cause Read to allocate unbounded     |
|                |          |      |         |          |                          |             |            | amounts of ...                                     |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28327 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.1, 1.17.9  | > 8 months  | < 1 hour   | The generic P-256 feature in crypto/elliptic in    |
|                |          |      |         |          | > 8 months ago           |             |            | Go before 1.17.9 and 1.18.x before 1.18.1 allows a |
|                |          |      |         |          |                          |             |            | panic via long scalar input.                       |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-28131 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in Decoder.Skip in          |
|                |          |      |         |          | > 4 months ago           |             |            | encoding/xml before Go 1.17.12 and Go 1.18.4       |
|                |          |      |         |          |                          |             |            | allows an attacker to cause a panic due to stack   |
|                |          |      |         |          |                          |             |            | exhaustion via...                                  |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-27664 | high     | 7.50 | go      | 1.14.4   | fixed in 1.19.1, 1.18.6  | > 3 months  | < 1 hour   | In net/http in Go before 1.18.6 and 1.19.x before  |
|                |          |      |         |          | > 3 months ago           |             |            | 1.19.1, attackers can cause a denial of service    |
|                |          |      |         |          |                          |             |            | because an HTTP/2 connection can hang during       |
|                |          |      |         |          |                          |             |            | closing...                                         |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24921 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.8, 1.16.15 | > 10 months | < 1 hour   | regexp.Compile in Go before 1.16.15 and 1.17.x     |
|                |          |      |         |          | > 10 months ago          |             |            | before 1.17.8 allows stack exhaustion via a deeply |
|                |          |      |         |          |                          |             |            | nested expression.                                 |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-24675 | high     | 7.50 | go      | 1.14.4   | fixed in 1.18.1, 1.17.9  | > 8 months  | < 1 hour   | encoding/pem in Go before 1.17.9 and 1.18.x before |
|                |          |      |         |          | > 8 months ago           |             |            | 1.18.1 has a Decode stack overflow via a large     |
|                |          |      |         |          |                          |             |            | amount of PEM data.                                |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23773 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.7, 1.16.14 | > 10 months | < 1 hour   | cmd/go in Go before 1.16.14 and 1.17.x before      |
|                |          |      |         |          | > 10 months ago          |             |            | 1.17.7 can misinterpret branch names that falsely  |
|                |          |      |         |          |                          |             |            | appear to be version tags. This can lead to        |
|                |          |      |         |          |                          |             |            | incorrect ...                                      |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-23772 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.7, 1.16.14 | > 10 months | < 1 hour   | Rat.SetString in math/big in Go before 1.16.14 and |
|                |          |      |         |          | > 10 months ago          |             |            | 1.17.x before 1.17.7 has an overflow that can lead |
|                |          |      |         |          |                          |             |            | to Uncontrolled Memory Consumption.                |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-44716 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.5, 1.16.12 | > 1 years   | < 1 hour   | net/http in Go before 1.16.12 and 1.17.x before    |
|                |          |      |         |          | > 1 years ago            |             |            | 1.17.5 allows uncontrolled memory consumption      |
|                |          |      |         |          |                          |             |            | in the header canonicalization cache via HTTP/2    |
|                |          |      |         |          |                          |             |            | requests...                                        |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-41772 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.3, 1.16.10 | > 1 years   | < 1 hour   | Go before 1.16.10 and 1.17.x before 1.17.3 allows  |
|                |          |      |         |          | > 1 years ago            |             |            | an archive/zip Reader.Open panic via a crafted     |
|                |          |      |         |          |                          |             |            | ZIP archive containing an invalid name or an empty |
|                |          |      |         |          |                          |             |            | fi...                                              |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-41771 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.3, 1.16.10 | > 1 years   | < 1 hour   | ImportedSymbols in debug/macho (for Open or        |
|                |          |      |         |          | > 1 years ago            |             |            | OpenFat) in Go before 1.16.10 and 1.17.x before    |
|                |          |      |         |          |                          |             |            | 1.17.3 Accesses a Memory Location After the End of |
|                |          |      |         |          |                          |             |            | a Buffe...                                         |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-39293 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17.1, 1.16.8  | > 11 months | < 1 hour   | In archive/zip in Go before 1.16.8 and 1.17.x      |
|                |          |      |         |          | > 11 months ago          |             |            | before 1.17.1, a crafted archive header (falsely   |
|                |          |      |         |          |                          |             |            | designating that many files are present) can cause |
|                |          |      |         |          |                          |             |            | a Ne...                                            |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33198 | high     | 7.50 | go      | 1.14.4   | fixed in 1.16.5, 1.15.13 | > 1 years   | < 1 hour   | In Go before 1.15.13 and 1.16.x before 1.16.5,     |
|                |          |      |         |          | > 1 years ago            |             |            | there can be a panic for a large exponent to the   |
|                |          |      |         |          |                          |             |            | math/big.Rat SetString or UnmarshalText method.    |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33196 | high     | 7.50 | go      | 1.14.4   | fixed in 1.16.5, 1.15.13 | > 1 years   | < 1 hour   | In archive/zip in Go before 1.15.13 and 1.16.x     |
|                |          |      |         |          | > 1 years ago            |             |            | before 1.16.5, a crafted file count (in an         |
|                |          |      |         |          |                          |             |            | archive\'s header) can cause a NewReader or        |
|                |          |      |         |          |                          |             |            | OpenReader panic...                                |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33194 | high     | 7.50 | go      | 1.14.4   | fixed in 1.16.5, 1.15.13 | > 1 years   | < 1 hour   | golang.org/x/net before                            |
|                |          |      |         |          | 30 days ago              |             |            | v0.0.0-20210520170846-37e1c6afe023 allows          |
|                |          |      |         |          |                          |             |            | attackers to cause a denial of service (infinite   |
|                |          |      |         |          |                          |             |            | loop) via crafted ParseFragment inp...             |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-29923 | high     | 7.50 | go      | 1.14.4   | fixed in 1.17            | > 1 years   | < 1 hour   | Go before 1.17 does not properly consider          |
|                |          |      |         |          | > 1 years ago            |             |            | extraneous zero characters at the beginning of     |
|                |          |      |         |          |                          |             |            | an IP address octet, which (in some situations)    |
|                |          |      |         |          |                          |             |            | allows attack...                                   |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-27918 | high     | 7.50 | go      | 1.14.4   | fixed in 1.16.1, 1.15.9  | > 1 years   | < 1 hour   | encoding/xml in Go before 1.15.9 and 1.16.x        |
|                |          |      |         |          | > 1 years ago            |             |            | before 1.16.1 has an infinite loop if a custom     |
|                |          |      |         |          |                          |             |            | TokenReader (for xml.NewTokenDecoder) returns EOF  |
|                |          |      |         |          |                          |             |            | in the mi...                                       |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-28367 | high     | 7.50 | go      | 1.14.4   | fixed in 1.15.5, 1.14.12 | > 2 years   | < 1 hour   | Code injection in the go command with cgo before   |
|                |          |      |         |          | > 2 years ago            |             |            | Go 1.14.12 and Go 1.15.5 allows arbitrary code     |
|                |          |      |         |          |                          |             |            | execution at build time via malicious gcc flags    |
|                |          |      |         |          |                          |             |            | specif...                                          |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-28366 | high     | 7.50 | go      | 1.14.4   | fixed in 1.15.5, 1.14.12 | > 2 years   | < 1 hour   | Code injection in the go command with cgo before   |
|                |          |      |         |          | > 2 years ago            |             |            | Go 1.14.12 and Go 1.15.5 allows arbitrary code     |
|                |          |      |         |          |                          |             |            | execution at build time via a malicious unquoted   |
|                |          |      |         |          |                          |             |            | symbo...                                           |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-28362 | high     | 7.50 | go      | 1.14.4   | fixed in 1.15.4, 1.14.12 | > 2 years   | < 1 hour   | Go before 1.14.12 and 1.15.x before 1.15.4 allows  |
|                |          |      |         |          | > 2 years ago            |             |            | Denial of Service.                                 |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-16845 | high     | 7.50 | go      | 1.14.4   | fixed in 1.14.7, 1.13.15 | > 2 years   | < 1 hour   | Go before 1.13.15 and 14.x before 1.14.7 can       |
|                |          |      |         |          | > 2 years ago            |             |            | have an infinite read loop in ReadUvarint and      |
|                |          |      |         |          |                          |             |            | ReadVarint in encoding/binary via invalid inputs.  |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33195 | high     | 7.30 | go      | 1.14.4   | fixed in 1.16.5, 1.15.13 | > 1 years   | < 1 hour   | Go before 1.15.13 and 1.16.x before 1.16.5 has     |
|                |          |      |         |          | > 1 years ago            |             |            | functions for DNS lookups that do not validate     |
|                |          |      |         |          |                          |             |            | replies from DNS servers, and thus a return value  |
|                |          |      |         |          |                          |             |            | may co...                                          |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-32148 | medium   | 6.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Improper exposure of client IP addresses           |
|                |          |      |         |          | > 4 months ago           |             |            | in net/http before Go 1.17.12 and Go               |
|                |          |      |         |          |                          |             |            | 1.18.4 can be triggered by calling                 |
|                |          |      |         |          |                          |             |            | httputil.ReverseProxy.ServeHTTP with ...           |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-1705  | medium   | 6.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Acceptance of some invalid Transfer-Encoding       |
|                |          |      |         |          | > 4 months ago           |             |            | headers in the HTTP/1 client in net/http before    |
|                |          |      |         |          |                          |             |            | Go 1.17.12 and Go 1.18.4 allows HTTP request       |
|                |          |      |         |          |                          |             |            | smuggling if...                                    |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-34558 | medium   | 6.50 | go      | 1.14.4   | fixed in 1.16.6, 1.15.14 | > 1 years   | < 1 hour   | The crypto/tls package of Go through 1.16.5 does   |
|                |          |      |         |          | > 1 years ago            |             |            | not properly assert that the type of public key    |
|                |          |      |         |          |                          |             |            | in an X.509 certificate matches the expected type  |
|                |          |      |         |          |                          |             |            | whe...                                             |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-3114  | medium   | 6.50 | go      | 1.14.4   | fixed in 1.15.7, 1.14.14 | > 1 years   | < 1 hour   | In Go before 1.14.14 and 1.15.x before 1.15.7,     |
|                |          |      |         |          | > 1 years ago            |             |            | crypto/elliptic/p224.go can generate incorrect     |
|                |          |      |         |          |                          |             |            | outputs, related to an underflow of the lowest     |
|                |          |      |         |          |                          |             |            | limb duri...                                       |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-24553 | medium   | 6.10 | go      | 1.14.4   | fixed in 1.15.1, 1.14.8  | > 2 years   | < 1 hour   | Go before 1.14.8 and 1.15.x before 1.15.1 allows   |
|                |          |      |         |          | > 2 years ago            |             |            | XSS because text/html is the default for CGI/FCGI  |
|                |          |      |         |          |                          |             |            | handlers that lack a Content-Type header.          |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-36221 | medium   | 5.90 | go      | 1.14.4   | fixed in 1.16.7, 1.15.15 | > 1 years   | < 1 hour   | Go before 1.15.15 and 1.16.x before 1.16.7         |
|                |          |      |         |          | > 1 years ago            |             |            | has a race condition that can lead to a            |
|                |          |      |         |          |                          |             |            | net/http/httputil ReverseProxy panic upon an       |
|                |          |      |         |          |                          |             |            | ErrAbortHandler abort.                             |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-31525 | medium   | 5.90 | go      | 1.14.4   | fixed in 1.16.4, 1.15.12 | > 1 years   | < 1 hour   | net/http in Go before 1.15.12 and 1.16.x before    |
|                |          |      |         |          | > 1 years ago            |             |            | 1.16.4 allows remote attackers to cause a          |
|                |          |      |         |          |                          |             |            | denial of service (panic) via a large header to    |
|                |          |      |         |          |                          |             |            | ReadRequest ...                                    |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-15586 | medium   | 5.90 | go      | 1.14.4   | fixed in 1.14.5, 1.13.13 | > 2 years   | < 1 hour   | Go before 1.13.13 and 1.14.x before 1.14.5         |
|                |          |      |         |          | > 2 years ago            |             |            | has a data race in some net/http servers, as       |
|                |          |      |         |          |                          |             |            | demonstrated by the httputil.ReverseProxy Handler, |
|                |          |      |         |          |                          |             |            | because it ...                                     |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-29510 | medium   | 5.60 | go      | 1.14.4   | fixed in 1.15.1          | > 2 years   | < 1 hour   | The encoding/xml package in Go versions 1.15 and   |
|                |          |      |         |          | 30 days ago              |             |            | earlier does not correctly preserve the semantics  |
|                |          |      |         |          |                          |             |            | of directives during tokenization round-trips,     |
|                |          |      |         |          |                          |             |            | which...                                            |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-1962  | medium   | 5.50 | go      | 1.14.4   | fixed in 1.18.4, 1.17.12 | > 4 months  | < 1 hour   | Uncontrolled recursion in the Parse functions in   |
|                |          |      |         |          | > 4 months ago           |             |            | go/parser before Go 1.17.12 and Go 1.18.4 allow an |
|                |          |      |         |          |                          |             |            | attacker to cause a panic due to stack exhaustion  |
|                |          |      |         |          |                          |             |            | ...                                                |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41716 | medium   | 5.40 | go      | 1.14.4   | fixed in 1.19.3, 1.18.8  | 62 days     | < 1 hour   | Due to unsanitized NUL values, attackers may be    |
|                |          |      |         |          | 61 days ago              |             |            | able to maliciously set environment variables on   |
|                |          |      |         |          |                          |             |            | Windows. In syscall.StartProcess and os/exec.Cmd,  |
|                |          |      |         |          |                          |             |            | inv...                                             |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-41717 | medium   | 5.30 | go      | 1.14.4   | fixed in 1.19.4, 1.18.9  | 26 days     | < 1 hour   | An attacker can cause excessive memory growth in a |
|                |          |      |         |          | 22 days ago              |             |            | Go server accepting HTTP/2 requests. HTTP/2 server |
|                |          |      |         |          |                          |             |            | connections contain a cache of HTTP header keys    |
|                |          |      |         |          |                          |             |            | ...                                                |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2021-33197 | medium   | 5.30 | go      | 1.14.4   | fixed in 1.16.5, 1.15.13 | > 1 years   | < 1 hour   | In Go before 1.15.13 and 1.16.x before 1.16.5,     |
|                |          |      |         |          | > 1 years ago            |             |            | some configurations of ReverseProxy (from          |
|                |          |      |         |          |                          |             |            | net/http/httputil) result in a situation where an  |
|                |          |      |         |          |                          |             |            | attacker is...                                     |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2020-14039 | medium   | 5.30 | go      | 1.14.4   | fixed in 1.14.5, 1.13.13 | > 2 years   | < 1 hour   | In Go before 1.13.13 and 1.14.x before 1.14.5,     |
|                |          |      |         |          | > 2 years ago            |             |            | Certificate.Verify may lack a check on the         |
|                |          |      |         |          |                          |             |            | VerifyOptions.KeyUsages EKU requirements (if       |
|                |          |      |         |          |                          |             |            | VerifyOptions.R...                                 |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+
| CVE-2022-30629 | low      | 3.10 | go      | 1.14.4   | fixed in 1.18.3, 1.17.11 | > 4 months  | < 1 hour   | Non-random values for ticket_age_add in session    |
|                |          |      |         |          | > 4 months ago           |             |            | tickets in crypto/tls before Go 1.17.11 and Go     |
|                |          |      |         |          |                          |             |            | 1.18.3 allow an attacker that can observe TLS      |
|                |          |      |         |          |                          |             |            | handshake...                                       |
+----------------+----------+------+---------+----------+--------------------------+-------------+------------+----------------------------------------------------+

Vulnerabilities found for image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0: total - 49, critical - 2, high - 32, medium - 14, low - 1
Vulnerability threshold check results: PASS

Compliance Issues
+----------+------------------------------------------------+
| SEVERITY |                  DESCRIPTION                   |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| critical | Image contains malware                         |
+----------+------------------------------------------------+
| high     | Image contains binaries used for crypto mining |
+----------+------------------------------------------------+

Compliance found for image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0: total - 9, critical - 8, high - 1, medium - 0, low - 0
Compliance threshold check results: PASS
Link to the results in Console: https://app4.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search=sha256%3A5ab315d3255b83f72c9352d901fd5610cead689f73ed792eb9a411d73a522fc4

Detsils from Prisma Cloud - "Compute -> Monitor -> Vulnerabilities -> Images -> CI":

Prisma Cloud - Image details

Wiz.io Scanner

Files are extracted to the disk, where the scanner is running (local "antivirus" will detect the extracted malware files)

❯ docker pull quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
❯ wizcli docker scan --image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
           _            _ _
 __      _(_)____   ___| (_)
 \ \ /\ / / |_  /  / __| | |
  \ V  V /| |/ /  | (__| | |
   \_/\_/ |_/___|  \___|_|_|
 SUCCESS  Ready to scan Docker image quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
 SUCCESS  Scanned Docker image
 SUCCESS  Docker image scan analysis ready
OS Package vulnerabilities:
    Name: libcrypto3, Version: 3.0.7-r0
        CVE-2022-3996, Severity: HIGH, Source: https://security.alpinelinux.org/vuln/CVE-2022-3996
            🩹 Fixed version: 3.0.7-r2
    Name: libssl3, Version: 3.0.7-r0
        CVE-2022-3996, Severity: HIGH, Source: https://security.alpinelinux.org/vuln/CVE-2022-3996
            🩹 Fixed version: 3.0.7-r2

Evaluated policy: Default vulnerabilities policy
Vulnerabilities: CRITICAL: 0, HIGH: 2, MEDIUM: 0, LOW: 0, INFORMATIONAL: 0
    Total: 2, out of which 2 are fixable
Scan results: PASSED. Container image meets policy requirements

Wiz details form "Reports -> CI/CD Scans":

Wiz CICD Scans - Container image

Wiz details of container image running inside Amazon EKS cluster (Dashboard -> Malware -> ...):

Wiz - Container image running in Amazon EKS

Anchore - Grype Scanner

Files are extracted to the disk, where the scanner is running (local "antivirus" will detect the extracted malware files)

❯ grype --scope all-layers quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
 βœ” Vulnerability DB        [no update available]
 βœ” Loaded image
 βœ” Parsed image
 βœ” Cataloged packages      [34 packages]
 βœ” Scanned image           [2 vulnerabilities]
NAME        INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
libcrypto3  3.0.7-r0             apk   CVE-2022-3996  High
libssl3     3.0.7-r0             apk   CVE-2022-3996  High

Snyk Scanner

❯ docker scan quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0

Testing quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0...

Package manager:   apk
Project name:      docker-image|quay.io/petr_ruzicka/malware-cryptominer-container
Docker image:      quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
Platform:          linux/amd64
Base image:        alpine:3.17.0

βœ” Tested 19 dependencies for known vulnerabilities, no vulnerable paths found.

According to our scan, you are currently using the most secure version of the selected base image

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

Details form Snyk web interface:

Snyk - Container image

ClamAV

There is the output of the ClamAV scanner which was executed inside container:

$ docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 quay.io/petr_ruzicka/malware-cryptominer-container:1.4.0
# apk add clamav
# freshclam
# clamscan --infected --recursive /usr/share/nginx/html/
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.sparc: Unix.Trojan.Mirai-6976991-0 FOUND
/usr/share/nginx/html/Win.Trojan.Perl.perl: Win.Trojan.Perl-35 FOUND
/usr/share/nginx/html/xmrig/xmrig: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/xmrig/xmrig-linux-static-x64.tar.gz: Unix.Trojan.Generic-9919438-0 FOUND
/usr/share/nginx/html/MadMan.exe: Win.Trojan.MadMan-1 FOUND
/usr/share/nginx/html/ILOVEYOU.vbs: Win.Worm.Mantan-1 FOUND
/usr/share/nginx/html/Linux.Trojan.Multiverze.elf.x86: Unix.Trojan.Mirai-9977540-0 FOUND
/usr/share/nginx/html/Melissa.doc: Win.Trojan.Psycho-3 FOUND
/usr/share/nginx/html/WannaCry.exe: Win.Ransomware.Wannacryptor-6993233-1 FOUND
/usr/share/nginx/html/eicar/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicarcom2.zip: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/eicar/eicar.com.txt: Win.Test.EICAR_HDB-1 FOUND
/usr/share/nginx/html/Walker.com: Win.Trojan.Abraxas-7 FOUND
/usr/share/nginx/html/Unix.Trojan.Spike.elf.arm: Unix.Trojan.Spike-6301360-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.mips: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.m68k: Unix.Trojan.Mirai-6981989-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.ppc: Unix.Trojan.Mirai-6981169-0 FOUND
/usr/share/nginx/html/Unix.Malware.Kaiji.elf.arm: Unix.Malware.Kaiji-9760851-0 FOUND
/usr/share/nginx/html/Txt.Malware.Sustes.sh: Txt.Malware.Sustes-6779550-1 FOUND
/usr/share/nginx/html/Unix.Downloader.Rocke.sh: Unix.Downloader.Rocke-6826000-0 FOUND
/usr/share/nginx/html/Unix.Trojan.Mirai.elf.x86_64: Unix.Trojan.Mirai-7732430-0 FOUND
/usr/share/nginx/html/L0Lz.bat: Win.Trojan.BAT-111 FOUND
/usr/share/nginx/html/TrojanSpy.MacOS.XCSSET.A: Osx.Malware.Agent-9319628-0 FOUND
/usr/share/nginx/html/Py.Trojan.NecroBot.py: Py.Trojan.NecroBot-9868091-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8647075
Engine version: 0.105.1
Scanned directories: 4
Scanned files: 34
Infected files: 24
Data scanned: 25.70 MB
Data read: 18.47 MB (ratio 1.39:1)
Time: 250.429 sec (4 m 10 s)
Start Date: 2023:01:04 08:02:40
End Date:   2023:01:04 08:06:51

Verify image integrity

IMAGE="quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2"

cosign verify "${IMAGE}" | jq
cosign verify "${IMAGE}" | jq -r '.[].optional| .Issuer + " | " + .Subject + " | " + .githubWorkflowRef + " | https://rekor.tlog.dev/?logIndex=" + (.Bundle.Payload.logIndex|tostring)'
cosign triangulate "${IMAGE}"
cosign tree "${IMAGE}"
cosign verify-attestation --type cyclonedx "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'
cosign verify-attestation --type slsaprovenance "${IMAGE}" | jq '.payload |= @base64d | .payload | fromjson'

Local tests

Container build:

docker build . -t malware-cryptominer-container

Run container and download the malware file:

docker run -it --rm -p 8080:8080 malware-cryptominer-container

wget http://localhost:8080/eicar/eicar.com

Debug container:

docker run -it --rm --entrypoint=/bin/sh --user root -p 8080:8080 malware-cryptominer-container

Run in Kubernetes:

kubectl run malware-cryptominer --image=quay.io/petr_ruzicka/malware-cryptominer-container:2.0.2