SANS Digital Forensics and Incident Response Blog

Running Malware Analysis Apps as Docker Containers

A new REMnux project initiative provides Docker images of Linux applications useful for malware analysis, with the goal of making it easier for investigators start using malware forensics tools that otherwise might be awkward to set up. Docker is a platform for packaging, running and managing applications as "containers," offering a lightweight alternative to full-fledged virtualization. The following application images are available as of this writing, as a starting point for the effort:

  • V8 JavaScript engine for JavaScript deobfuscation: remnux/v8
  • Thug low-interaction honeyclient: remnux/thug
  • Viper binary analysis and management framework: remnux/viper
  • Rekall memory forensic framework: remnux/rekall
  • JSDetox JavaScript analysis tool for deobfuscation: remnux/jsdetox
  • Radare2 reverse-engineering framework: remnux/radare2

Docker takes advantage of a Linux kernel's ability to run applications in containers, which are sometimes described as "chroot on steroids." This approach provides each app an independent runtime environment, while avoiding the overhead of a full virtual machine. An application distributed as a Docker image incorporates all the dependencies and configuration necessary for it to run, eliminating the need for end-users to install packages and troubleshoot dependencies

To run an application distributed as a Docker image, first you need to install Docker. After that, you can use the "docker run" command to launch the desired application. Docker will automatically find the app in its public registry and download it if you don't already have it cached locally. There are some nuances to launching such apps to ensure that you can share files and network connections with the container; if you're new to Docker, the best way to get started is to read the article on Running REMnux-Provided Images.

If you've been looking for an excuse to experiment with Docker, here's your chance. You can not only run the malware analysis apps that have already been Dockerized, you can also build your images of your favorite applications and suggest them for inclusion in the REMnux project. For more details on how to contribute, see Creating Docker Images for REMnux.

Note that when running malware analysis applications in containers, I am not placing a lot of trust in the isolation that Docker implements for the apps. Instead, I am using Docker primarily as a tool for conveniently packaging, distributing and running tools that otherwise might be difficult or awkward to set up. To better understand information security implications of this technology in a production environment, see Security Risks and Benefits of Docker Application Containers.

To learn more about this topic, tune into the webcast How to Run Linux Malware Analysis Apps as Docker Containers.

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.

2 Comments

Posted December 11, 2014 at 11:11 AM | Permalink | Reply

xvilka

What about radare2 tool? It is also very useful and has a docker file too https://github.com/radare/radare2/blob/master/doc/Dockerfile
You can find some of asciicasts on http://radare.tv to feel how it works.

Posted December 29, 2014 at 5:04 PM | Permalink | Reply

Lenny Zeltser

xvilka: The REMnux collection of Docker images now includes a Radare2 image as well.