I’m not in the cybersecurity field, I’m just curious about how these miners are hidden in the Docker images that we pull from Dockerhub.
My initial guess was that some of the binaries in the image are tampered with to hide the processes being executed, for example tampering “ps” or “ls”. But this seemed like a pointless approach because the user could install other tools that would reveal the processes.
I don’t want to list my whole noob thought process here because you can already see how naïve it is…
So:
- How are they stored in the images?
- How are they executed (run alongside the app process)?
- How do they hide from detection?
- How can they be detected (tools)?
- Can we trust official docker images, or should all docker images be created in-house from scratch?
I know the question is too broad; I don’t want an in-depth explanation, a basic example for a specific scenario is good enough.
If you have an article explaining these things, just pass it along, no need to waste time.
Thanks 🙂