
Graboid

Posted: October 17, 2019

Graboid is a worm that spreads between hosts running Docker daemons whose API is exposed to the internet without authentication, and uses containers on the compromised hosts for conducting its attacks. Current versions of Graboid use these resources for mining cryptocurrency and will stop and start the mining at random, based on commands from other installations of itself. Users should maintain security practices appropriate for blocking unwanted access to their Docker daemons and containers, and use anti-malware services, which are suitable for deleting Graboid infections.

The Worm that's Traveling through Virtual Shipping Cargo

For profit-based threat actors, worms and cryptocurrency go together like peanut butter and jelly, although most programs with such attacks offload the mining routine to another application, such as the conveniently lightweight XMRig. A new worm takes a playful approach to how it mines: it includes an element of randomization in its attacks. With the unwitting help of Docker Hub, the image registry that hosted its components, Graboid starts and stops its mining arbitrarily.

Unlike most worms that malware experts see, Graboid specializes in infecting users of the Docker platform, instead of spreading less discriminately through USB drives or local networks. It searches for Docker daemons (the background processes that manage containers) whose API is reachable from the internet without authentication, and uses that API to start a container on the victim. However, instead of starting the miner automatically, the new installation waits until it receives a command from another copy of itself. Meanwhile, each installation keeps picking targets at random from its list of vulnerable hosts: it tells one to start mining, tells another to stop mining, and infects a third.

Because every installation runs all three commands against randomly chosen targets, the behavior of Graboid's overall 'botnet' is far more erratic, and more prone to usage spikes and drops, than that of most cryptocurrency-mining Trojans. Malware experts can only guess that the feature is meant to keep users from growing suspicious of performance problems. Like similar threats, Graboid also includes precautions for shutting down the competition, such as an unrelated XMRig installation.

Sending Worms Fleeing Back to the Underground

Graboid, which gets its moniker from the sandworms of the Kevin Bacon movie 'Tremors,' is the first of its kind in some ways. While cryptocurrency-mining Trojans are prolific in 2019, spreading through exposed Docker daemons is atypical. Furthermore, malware researchers can recall no other example of the unique randomization in Graboid's network of 'zombie' computers, which hampers its Monero-mining efficiency and, therefore, its profits directly.

Users with default Docker settings should be at little to no risk from Graboid attacks. By default, the Docker daemon listens only on a local Unix socket, not on the internet, and Graboid has no means of reaching it. Users who do expose the daemon's API over the network should secure it as per Docker Inc.'s recommendations (TLS with client-certificate verification, or access through SSH). Firewall policies also can guard against unwanted network intrusions, and administrators can identify rogue containers manually by checking for images and containers they never deployed. What Graboid gains in exchange for sacrificing money-making efficiency is an unknown factor, but its innovations in other areas are readily visible. Container platforms like Docker are just tools, and like any tool, they can be turned to illegal purposes if they're not configured securely.
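The two checks an administrator would want to run against the conditions described above, the daemon exposed over plain TCP that the worm scans for and the rogue container it starts, can be scripted. The following is an added example, not code from the original article or from the worm's authors. It relies on Docker's real daemon.json keys ('hosts', 'tlsverify', 'tlscacert', 'tlscert', 'tlskey') and on the JSON output of docker ps; the registry name registry.internal.example, the container names, the image names and the sample command lines are constructed for illustration.

```python
"""Two checks a Docker administrator can run against what the article
describes: an Engine API reachable over plain TCP (what the worm scans
for), and running containers that look like a dropped miner.
Added example, not code from the original page or from the worm's
authors; every sample input below is constructed for illustration."""
import json
import re
from typing import Dict, List

# Hypothetical private registry; anything else (including Docker Hub,
# where unauthenticated pulls of arbitrary images happen) gets flagged.
ALLOWED_REGISTRIES = {"registry.internal.example"}
# Strings that commonly show up in a miner's command line.
MINER_PATTERNS = re.compile(r"xmrig|minerd|cryptonight|stratum\+tcp", re.I)


def audit_daemon_config(config_text: str) -> List[str]:
    """Report weak listener settings in a daemon.json document.

    Docker's own keys are used: 'hosts' lists the sockets the daemon
    binds, 'tlsverify' requires client certificates on TCP listeners.
    """
    cfg = json.loads(config_text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local-only
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: Engine API over TCP without tlsverify")
        bind_addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind_addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: bound to all interfaces")
    return findings


def image_registry(image: str) -> str:
    """Registry an image name resolves to, using Docker's naming rule:
    the first path component is a registry only if it contains '.' or
    ':' or is 'localhost'; otherwise the image comes from Docker Hub."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def suspicious_containers(ps_output: str) -> Dict[str, List[str]]:
    """Flag containers from `docker ps --no-trunc --format '{{json .}}'`
    output (one JSON object per line).  Returns {name: [reasons]}."""
    flagged: Dict[str, List[str]] = {}
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        reasons = []
        if image_registry(c["Image"]) not in ALLOWED_REGISTRIES:
            reasons.append(f"image {c['Image']} is not from an allowed registry")
        if MINER_PATTERNS.search(c.get("Command", "")):
            reasons.append("command line matches a known miner")
        if reasons:
            flagged[c["Names"]] = reasons
    return flagged


# Constructed sample inputs: the weak setting beside the corrected one,
# and a docker ps listing with one legitimate and one planted container.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""
SAMPLE_PS = "\n".join(json.dumps(c) for c in [
    {"Names": "web", "Image": "registry.internal.example/app/web:1.4",
     "Command": "\"/usr/bin/web --port 8080\""},
    {"Names": "hopeful_euler", "Image": "someuser/centos:latest",
     "Command": "\"/bin/sh -c '/tmp/xmrig -o stratum+tcp://pool.example:3333'\""},
])

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(cfg) or "no findings")
    for name, reasons in suspicious_containers(SAMPLE_PS).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed audit_daemon_config the contents of /etc/docker/daemon.json (and check any -H flags in the systemd unit, which override it) and pipe docker ps --no-trunc --format '{{json .}}' into suspicious_containers. The registry check matters because, in the attack the article describes, the images come from a public registry the administrator never vetted; the bind-address finding is reported even when TLS is on, since a host-wide listener still deserves a firewall rule.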
