In a very interesting development, the worlds of cryptojacking malware, worm-style propagation mechanisms, and containerized workloads have collided with the news that a container-specific worm dubbed "Graboid" (after the enormous sandworms in the 1990 B-movie Tremors) was discovered this month.

Cryptojacking malware is nothing new. Over the past few years, as cryptocurrency became increasingly popular, a typical aim became to use the CPU resources of compromised machines to mine a specific cryptocurrency (in this case Monero), rather than to hold the host to ransom or to go after IP/card information directly.

There are some key aspects of the Graboid worm that grabbed (sorry) my attention. Namely:

1. The worm targets insecure, open Docker Engine instances, and uses them both for further spread and for the crypto-mining itself. A quick shodan.io search picks these up easily.

2. The random nature of the subsequent host choice and mining initiation, which makes detection more difficult.

3. Both the initial infection and the subsequent spread can be contained using a segmentation solution that covers both hosts and containers.

To expand on these points: the vector is internet-accessible Docker hosts which, once connected to, are instructed to download a malicious Docker image. This image contains a client tool used to communicate and to spread to other Docker hosts.

Spread from there uses a list of vulnerable IPs downloaded from the C2, and the interesting point is that it is not a straight infection of every other accessible Docker host in the same fashion: random hosts are picked to have their hosted malicious containers stopped, while at the same time crypto-jacking containers are started on other hosts. This random movement makes it harder to pinpoint compromised hosts, because infection does not mean immediate crypto-jacking activity.
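Because infection does not mean immediate mining, a defender wants to alert on the infection itself rather than on CPU load. The following is an added example (not code from the original post or from Illumio) that scans constructed Docker engine event lines, assumed to follow the field layout of `docker events --format '{{json .}}'`, and flags image pulls and container starts from outside an allowlist, plus containers that are stopped again shortly after starting, the churn pattern described above.

```python
import json

# Images that are expected to run on this Docker host. Anything pulled or
# started that does not match one of these prefixes is reported (constructed
# allowlist, not a real registry).
ALLOWED_IMAGE_PREFIXES = ("registry.example.internal/",)

# Constructed sample of `docker events --format '{{json .}}'` output; the
# Type/Action/Actor.Attributes layout is an assumption, not captured data.
SAMPLE_EVENTS = """\
{"Type":"image","Action":"pull","Actor":{"ID":"registry.example.internal/app:1.4","Attributes":{"name":"registry.example.internal/app"}},"time":1571000000}
{"Type":"container","Action":"start","Actor":{"ID":"aaa111","Attributes":{"image":"registry.example.internal/app:1.4","name":"web"}},"time":1571000005}
{"Type":"image","Action":"pull","Actor":{"ID":"docker.io/unknownuser/client:latest","Attributes":{"name":"docker.io/unknownuser/client"}},"time":1571000100}
{"Type":"container","Action":"start","Actor":{"ID":"bbb222","Attributes":{"image":"docker.io/unknownuser/client:latest","name":"sleepy_wozniak"}},"time":1571000101}
{"Type":"container","Action":"stop","Actor":{"ID":"bbb222","Attributes":{"image":"docker.io/unknownuser/client:latest","name":"sleepy_wozniak"}},"time":1571000160}
"""

# Containers that live for less than this many seconds are reported as churn.
SHORT_LIFETIME_SECONDS = 300


def is_allowed(image: str) -> bool:
    return image.startswith(ALLOWED_IMAGE_PREFIXES)


def analyse_events(raw_lines: str) -> list:
    """Return human-readable findings for non-allowlisted pulls/starts and for
    containers stopped shortly after they were started."""
    findings = []
    started_at = {}  # container id -> start timestamp
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        actor_id = ev["Actor"]["ID"]
        attrs = ev["Actor"].get("Attributes", {})
        if ev["Type"] == "image" and ev["Action"] == "pull":
            if not is_allowed(actor_id):
                findings.append(f"pull of non-allowlisted image {actor_id}")
        elif ev["Type"] == "container":
            image = attrs.get("image", "")
            if ev["Action"] == "start":
                started_at[actor_id] = ev["time"]
                if not is_allowed(image):
                    findings.append(f"container {actor_id} started from non-allowlisted image {image}")
            elif ev["Action"] == "stop" and actor_id in started_at:
                lifetime = ev["time"] - started_at.pop(actor_id)
                if lifetime < SHORT_LIFETIME_SECONDS:
                    findings.append(f"container {actor_id} ({image}) stopped after only {lifetime}s")
    return findings


if __name__ == "__main__":
    for finding in analyse_events(SAMPLE_EVENTS):
        print(finding)
```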

Considering the methods of prevention and containment (sorry again!) for this type of threat, the most important tenet is a holistic segmentation capability: treating containers as first-class citizens in terms of visualizing the traffic flows to and from them, and a granular segmentation capability that allows the same policy creation and enforcement on bare-metal servers, VMs, and containers.

The initial infection vector is something the Illumio platform can visualize and prevent or control. Subsequent inter- and intra-container traffic can be managed specifically to stop the worm aspect of this kind of malware from succeeding, whether a container is compromised, a malicious container is started on the Docker host, or the Docker host itself is compromised. The inherent zero-trust nature of the Illumio policy model avoids the danger presented by an arbitrarily open network. Illumio's Adaptive Security Platform helps prevent the lateral spread.

For more detail on how the Illumio Adaptive Security Platform secures containerized workloads, see our live segmentation demo for containerized workloads here.