Graboid

Posted: October 17, 2019

Graboid Description

Graboid is a worm that compromises hosts running the Docker container platform whose daemons are exposed to the Internet without authentication, and uses those hosts for its attacks. Current versions of Graboid use the compromised hosts for mining cryptocurrency, and each infected host starts and stops mining at random, on commands sent by other copies of the worm. Administrators should keep their Docker daemons off the Internet, or require TLS client authentication when remote access is needed, and use anti-malware services where suitable for removing Graboid infections.

The Worm that's Traveling through Virtual Shipping Cargo

For profit-based threat actors, worms and cryptocurrency go together like peanut butter and jelly, although most programs with such attacks offload the mining routine to another application, such as the conveniently lightweight XMRig. A new worm takes a playful approach to how it mines: it includes an element of randomization in its attacks. With the unintentional help of Docker Hub, Docker's public image registry, which hosted the worm's container images, Graboid starts and stops its mining arbitrarily.

Unlike most worms that malware experts see, Graboid specializes in infecting Docker hosts, instead of spreading less discriminately through USB drives or local networks. It searches for unsecured Docker daemons (the background processes that manage containers) whose API is reachable over the network without authentication, and infects them. A newly infected host does not start mining on its own: it waits until it receives a command from another copy of the worm. Meanwhile, each infected host picks random targets from a list and issues one of three commands to each: infect a new unsecured daemon, start mining on an already infected host, or stop mining on one.

Because the infection routine includes all three commands, the behavior of Graboid's overall 'botnet' is much more random and prone to usage spikes and drops than that of most cryptocurrency-miner Trojans. Malware experts can only guess that the feature is meant to keep performance problems from arousing suspicion among users. Graboid also, like similar threats, includes precautions for shutting down the competition, such as an unrelated XMRig installation.

Sending Worms Fleeing Back to the Underground

Graboid, which gets its moniker from the famous Kevin Bacon 'Tremors' movie, is the first of its kind in some ways. While cryptocurrency-mining Trojans are prolific in 2019, the abuse of Docker's public image registry for distributing a worm is atypical. Furthermore, malware researchers can recall no other example of the randomization element in Graboid's network of 'zombie' computers, which hampers the Monero-mining efficiency and, therefore, directly cuts into profits.

Users with default Docker settings should be at little to no risk from Graboid attacks. By default, the Docker daemon listens only on a local Unix socket and is not Internet-exposed, so Graboid has no means of reaching it. Users who do make the Docker API available over the network should secure it as per Docker Inc's recommendations: require TLS with client certificate verification, and expose it only to the hosts that need it. Firewall policies also can guard against unwanted network intrusions, and some users may identify compromised containers manually. What Graboid gains in exchange for sacrificing money-making efficiency is an unknown factor, but its innovations in other areas are readily visible. Platforms like Docker are just tools, and like any tool, they can be twisted towards illegal purposes if one doesn't configure them securely.
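The two checks a practitioner would want after reading the description of how Graboid finds its victims (an unauthenticated Docker API on the network) and the hardening advice above are: does this host's daemon configuration expose the API without TLS client verification, and is anything unexpected running on it? The following is an added example written for this page, not code from the page, from Docker, or from the researchers who analysed Graboid. It assumes a Linux host whose daemon settings live in /etc/docker/daemon.json, uses the documented `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` keys, and feeds its container audit from the output of `docker ps --no-trunc --format '{{json .}}'`. The certificate paths, image names, container IDs and the allowlist are constructed placeholders.

```python
"""Audit a Docker host for the exposure Graboid abuses: a daemon whose API
listens on plain TCP without TLS client verification.

Added example for this page; it is not code from the page, from Docker, or
from Graboid's analysts. File paths, image names and container IDs below
are constructed placeholders."""
import json


# Constructed daemon.json contents (assumption: the file lives at
# /etc/docker/daemon.json). The first is the exposure Graboid scans for,
# on Docker's conventional unencrypted port; the second is the documented
# TLS-verified setup on the conventional TLS port.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def exposed_tcp_listeners(daemon_json: str) -> list:
    """Return the tcp:// listeners that accept API calls from any peer
    that can reach the port.

    "tlsverify": true plus the three certificate keys makes dockerd demand
    a client certificate signed by tlscacert. Without that, every tcp://
    entry is an unauthenticated, root-equivalent control channel: anyone
    who can reach it can pull images, create containers and mount host
    paths, which is all a worm like Graboid needs."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    client_auth = bool(cfg.get("tlsverify")) and all(
        k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    if client_auth:
        return []
    return [h for h in hosts if h.startswith("tcp://")]


# Constructed lines in the shape of `docker ps --no-trunc --format '{{json .}}'`;
# the names, IDs and images are invented for this example.
SAMPLE_DOCKER_PS = """\
{"ID":"1a2b3c4d5e6f","Image":"nginx:1.17","Names":"web","Mounts":""}
{"ID":"6f5e4d3c2b1a","Image":"example-user/centos","Names":"quirky_hopper","Mounts":"/var/run/docker.sock"}
{"ID":"0f0f0f0f0f0f","Image":"postgres:12","Names":"db","Mounts":"pgdata"}
"""

# Assumption: the site runs only images from an internal registry plus two
# pinned public images. Replace with the real allowlist.
TRUSTED_IMAGE_PREFIXES = ("registry.example.internal/", "nginx:", "postgres:")


def suspicious_containers(docker_ps_json_lines: str,
                          trusted_prefixes=TRUSTED_IMAGE_PREFIXES) -> list:
    """Flag running containers that run an image outside the allowlist, or
    that have the Docker socket mounted (a container holding the socket
    controls the host daemon). Returns (container name, reason) pairs."""
    findings = []
    for line in docker_ps_json_lines.splitlines():
        if not line.strip():
            continue
        c = json.loads(line)
        image, name = c.get("Image", ""), c.get("Names", "")
        if not image.startswith(tuple(trusted_prefixes)):
            findings.append((name, "untrusted image " + image))
        mounts = c.get("Mounts", "").split(",")
        if any(m.strip().endswith("docker.sock") for m in mounts):
            findings.append((name, "mounts the Docker socket"))
    return findings


if __name__ == "__main__":
    for cfg in (INSECURE_DAEMON_JSON, HARDENED_DAEMON_JSON):
        print("exposed listeners:", exposed_tcp_listeners(cfg))
    for name, reason in suspicious_containers(SAMPLE_DOCKER_PS):
        print(f"{name}: {reason}")
```

Two caveats when applying this on a real host. On systemd-based installs, a `hosts` entry in daemon.json conflicts with the `-H fd://` flag that the stock unit file passes to dockerd, so the daemon will refuse to start until one of the two is removed. And the configuration check only says what the daemon was told to do; confirm the result from outside with `ss -ltnp` (nothing should be listening on 2375) and from a second machine that the TLS port rejects connections without a client certificate.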

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Graboid may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
