A New Strain of Malware Is Terrorizing Docker Hosts
For the first time in history, researchers have discovered a crypto-jacking worm that spreads via unsecured Docker hosts.
Researchers at Unit 42 said that the new strain of malware has spread to more than 2,000 Docker hosts by using containers in the Docker Engine (Community Edition).
The new worm has been named Graboid after the fictional subterranean sandworms that made a fairly poor show of hunting humans in the nineties flick Tremors. Just like its onscreen predecessors, Graboid is quick but relatively incompetent.
Graboid is designed to work in a randomized way that researchers said offers no obvious benefit. The malware carries out both worm-spreading and crypto-jacking inside containers, picking three targets at each iteration.
Researchers wrote: "It installs the worm on the first target, stops the miner on the second target, and starts the miner on the third target. This procedure leads to a very random mining behavior.
"If my host is compromised, the malicious container does not start immediately. Instead, I have to wait until another compromised host picks me and starts my mining process. Other compromised hosts can also randomly stop my mining process. Essentially, the miner on every infected host is randomly controlled by all other infected hosts."
Graboid doesn't hang around for long, mining the cryptocurrency Monero for an average of just over four minutes before picking new vulnerable hosts to target. The worm gains its initial foothold through unsecured Docker daemons, where a Docker image is first pulled and run on the compromised host.
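The entry point described above is a Docker daemon whose remote API is reachable without authentication. The following added check (not code from the article or from Unit 42) audits a daemon.json for that weakness: it flags any tcp:// listener configured without tlsverify, or with tlsverify but missing certificate material; the sample configurations are constructed, and the port numbers are Docker's conventional plaintext (2375) and TLS (2376) ports.

```python
import json
from urllib.parse import urlsplit

# Constructed daemon.json fragments for demonstration (not from the article).
# WEAK exposes the Engine API on all interfaces with no authentication at all,
# which is exactly the kind of host a Docker-targeting worm can reach.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# HARDENED keeps a TCP listener but requires client certificates signed by
# the configured CA (tlsverify), so anonymous API calls are rejected.
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return a list of findings for a daemon.json document.

    Only tcp:// listeners are examined; the default unix socket is local-only
    and governed by file permissions rather than by this configuration.
    """
    cfg = json.loads(text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue
        if not tls_verify:
            findings.append(
                f"{host}: TCP listener without tlsverify (unauthenticated remote API)"
            )
        else:
            missing = [k for k in TLS_MATERIAL if k not in cfg]
            if missing:
                findings.append(
                    f"{host}: tlsverify set but missing {', '.join(missing)}"
                )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_daemon_config(cfg) or ["no findings"])
```

An empty `hosts` list (the Docker default) yields no findings, since the daemon then listens only on the local unix socket.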
Researchers warned that Graboid ..