Finding malicious behavior in cloud instances is no easy task, especially given the instability and overhead issues that agent-based malware scanners can cause. A pair of security researchers have written a new open-source tool that’s designed to address those problems by taking a snapshot of an AWS instance and then scanning that for malware rather than doing scanning in the production environment.
The tool, called Patrolaroid, is designed to scan both EC2 instances and S3 buckets for malware, cryptominers, backdoors, and other malicious code, and it’s the work of Kelly Shortridge and Ryan Petrich. The pair wanted to create a tool that didn’t require an agent and wouldn’t cause any static with users’ AWS production workloads. So rather than using the existing approach of installing an agent just in time, running it, and then deleting it after the scan is finished, Patrolaroid takes a snapshot of each instance, scans it against a set of YARA rules and then deletes the snapshot volumes afterward.
“It is a little weird that the cloud providers themselves don’t provide something like this. There are a bunch of tools that make bold claims about finding scary 0-days or malware in the cloud, but for the most part, those traditional approaches aren’t going to be OK running in production,” Shortridge said.
“We felt it’s important to have a no-brainer tool that won’t crash prod or steal cycles from prod.”
Patrolaroid simply requires access to an AWS instance that is on the same account as whichever instances or S3 buckets the user wants to scan. Because the tool takes a snapshot and scans that, rather than the instance or bucket as it’s running, there’s no danger of it causing stability problems or robbing the server of any cycles.
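The snapshot-then-scan lifecycle described above, as an added example that is not Patrolaroid's own code: snapshot the target's EBS volume, build a volume from the snapshot, attach it to the scanner instance, scan, and tear everything down. The point the example makes is that the teardown must be unconditional, so a crashing scanner never leaves a snapshot or volume of production data behind (an orphaned copy is both a cost and a data-exposure problem). The EC2 client is injected: `boto3_ec2()` returns a real boto3 client, while `FakeEC2` is a constructed in-memory stand-in (not a real AWS API) so the flow can be exercised offline. The `scan` callable, the instance and volume ids, and the `demo()` helper are assumptions made for illustration.

```python
# Added example (not Patrolaroid's code): snapshot -> volume -> attach -> scan
# -> delete, with cleanup guaranteed by try/finally even if the scan fails.
from contextlib import contextmanager
from typing import Callable, Dict, Iterator, List


def boto3_ec2(region: str):
    """Real client, imported lazily so the rest of the example runs without boto3."""
    import boto3  # assumption: boto3 is installed when this path is used
    return boto3.client("ec2", region_name=region)


class SnapshotScanner:
    """Scan an instance's EBS volumes from a copy, never from the live disk."""

    def __init__(self, ec2, scanner_instance_id: str, device: str = "/dev/sdf"):
        self.ec2, self.scanner, self.device = ec2, scanner_instance_id, device
        # Copies must be created in the scanner's AZ to be attachable to it.
        self.az = self._instance(scanner_instance_id)["Placement"]["AvailabilityZone"]

    def _instance(self, instance_id: str) -> dict:
        r = self.ec2.describe_instances(InstanceIds=[instance_id])
        return r["Reservations"][0]["Instances"][0]

    def volumes_of(self, instance_id: str) -> List[str]:
        maps = self._instance(instance_id)["BlockDeviceMappings"]
        return [m["Ebs"]["VolumeId"] for m in maps if "Ebs" in m]

    @contextmanager
    def attached_copy(self, volume_id: str) -> Iterator[str]:
        """Yield the id of a fresh copy attached to the scanner; always tear it down."""
        snap = self.ec2.create_snapshot(VolumeId=volume_id, Description="scan copy")["SnapshotId"]
        vol, attached = None, False
        try:
            self.ec2.get_waiter("snapshot_completed").wait(SnapshotIds=[snap])
            vol = self.ec2.create_volume(SnapshotId=snap, AvailabilityZone=self.az)["VolumeId"]
            self.ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
            self.ec2.attach_volume(VolumeId=vol, InstanceId=self.scanner, Device=self.device)
            attached = True
            self.ec2.get_waiter("volume_in_use").wait(VolumeIds=[vol])
            yield vol
        finally:  # runs whether the scan returned, raised, or was interrupted
            if attached:
                self.ec2.detach_volume(VolumeId=vol)
                self.ec2.get_waiter("volume_available").wait(VolumeIds=[vol])
            if vol is not None:
                self.ec2.delete_volume(VolumeId=vol)
            self.ec2.delete_snapshot(SnapshotId=snap)

    def scan_instance(self, instance_id: str, scan: Callable[[str], List[str]]) -> Dict[str, List[str]]:
        """Map each original volume id to the findings of `scan` run over its copy.
        A real `scan` would mount self.device read-only and run `yara -r rules.yar <mount>`."""
        findings: Dict[str, List[str]] = {}
        for vol in self.volumes_of(instance_id):
            with self.attached_copy(vol) as copy:
                findings[vol] = scan(copy)
        return findings


class FakeEC2:
    """Constructed in-memory double of the EC2 calls used above (not a real API)."""

    class _Waiter:
        def wait(self, **_kw):
            pass

    def __init__(self, instances: Dict[str, List[str]], az: str = "us-east-1a"):
        self.instances, self.az, self.n = instances, az, 0
        self.volumes = {v for vs in instances.values() for v in vs}
        self.snapshots: set = set()
        self.attached: Dict[str, tuple] = {}

    def _new(self, prefix: str) -> str:
        self.n += 1
        return f"{prefix}-{self.n:08x}"

    def describe_instances(self, InstanceIds):
        vols = self.instances[InstanceIds[0]]
        return {"Reservations": [{"Instances": [{"Placement": {"AvailabilityZone": self.az},
                 "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in vols]}]}]}

    def get_waiter(self, _name):
        return FakeEC2._Waiter()

    def create_snapshot(self, VolumeId, Description=""):
        assert VolumeId in self.volumes
        s = self._new("snap"); self.snapshots.add(s); return {"SnapshotId": s}

    def create_volume(self, SnapshotId, AvailabilityZone):
        assert SnapshotId in self.snapshots and AvailabilityZone == self.az
        v = self._new("vol"); self.volumes.add(v); return {"VolumeId": v}

    def attach_volume(self, VolumeId, InstanceId, Device):
        self.attached[VolumeId] = (InstanceId, Device)

    def detach_volume(self, VolumeId):
        del self.attached[VolumeId]

    def delete_volume(self, VolumeId):
        assert VolumeId not in self.attached  # AWS refuses to delete an attached volume
        self.volumes.remove(VolumeId)

    def delete_snapshot(self, SnapshotId):
        self.snapshots.remove(SnapshotId)


def demo(scanner_fails: bool = False):
    """Scan a constructed two-volume instance; return (findings, leftover copies)."""
    ec2 = FakeEC2({"i-scanner": ["vol-scanner"], "i-prod": ["vol-root", "vol-data"]})
    runner = SnapshotScanner(ec2, "i-scanner")

    def scan(copy: str) -> List[str]:
        if scanner_fails:
            raise RuntimeError("scanner crashed")  # simulated failure
        return [f"{copy}: constructed finding"]

    try:
        findings = runner.scan_instance("i-prod", scan)
    except RuntimeError:
        findings = None
    leftovers = (len(ec2.snapshots), len(ec2.volumes) - 3)  # 3 volumes existed before
    return findings, leftovers
```

`demo()` scans cleanly and `demo(scanner_fails=True)` aborts on the first volume; in both cases the leftover count is `(0, 0)`, which is the property worth checking when you point this at a real account with `boto3_ec2()`.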
“There are more ways to access data on an instance than just by being on it. I’ve always figured that if you’re going to do anything dangerous, take a snapshot in case anything goes wrong,” said Petrich.
“If you could just not put the agent alongside the thing that it could damage, then it could fall on its face and it wouldn’t matter.”
Patrolaroid comes with a basic set of YARA rules that will identify some known malware, webshells, cryptominers, and backdoors, but Shortridge said users could add their own, as well.
“The rules we wrote are for something that’s very wrong and shouldn’t be happening. Even if you’re a total newbie, you can run this anyway. It’s not complicated,” Shortridge said.
“Given that malware scanning is such a part of compliance efforts, we felt it’s important to have a no-brainer tool that won’t crash prod or steal cycles from prod.”
Patrolaroid is free and open source.