Malware in Docker for Mac?

I kept on receiving some notifications from my internet provider a couple of weeks ago but dismissed them as not correct until I realised that my connection wasn’t getting accepted by my provider for some reasons.
I decided to completely reinstall my MacOS and the connection was working fine until I installed Docker for Mac (the lastet Version from the Docker Store) and started it. Mind you, I had only installed Docker, Firefox and Unibox at the moment, so the Mac was “clean”.
A couple of minutes after that, I received a mail from the firewall that stated that a connection was made from the port 50896 and it was trying to connect to a Russian URL (see screenshot: http://imgur.com/a/9NJPV).
I found it strange and checked to see what was using this port and I found out it was the vpnkit from Docker (see screenshot: http://imgur.com/a/9NJPV).
Is there a malware in the last version of the Docker for Mac?

Could you upload diagnostics (from the Whale menu: Diagnose and Feedback… -> Diagnose & Upload) and quote the diagnostics id here?

All outgoing network traffic from Docker for Mac goes via the “vpnkit” process. With no containers running the only expected outgoing UDP is NTP. To temporarily disable this for debugging, try

On the host, get a a root shell in the VM:

$ docker run --rm --net=host --pid=host --privileged -it justincormack/nsenter1 /bin/sh

Inside the VM shell, kill the “chronyd” process:

/ # killall chronyd

Next, on the host, find the pid of the “vpnkit” process using a command like:

$ cat ~/Library/Containers/com.docker.docker/Data/tasks/com.docker.vpnkit  | jq .Pid
8185

Next, on the host, list the open UDP ports on “vpnkit”:

$ lsof -p 8185 -P | grep UDP

On my system I’m running

Version 17.06.0-ce-mac19 (18663)
Channel: stable
c98c1c25e0

I killed “chronyd” and waited a few minutes and then all my UDP ports went away. For reference my “vpnkit” binary has hash:

$ sha1sum /Applications/Docker.app/Contents/Resources/bin/vpnkit 
66803b539be79bde693fe28d86e3a076a53243d0  /Applications/Docker.app/Contents/Resources/bin/vpnkit

Let me know what you observe.

Got a likewise warning from LittleSnitch today, from IP address 51.255.138.215.

A reverse DNS lookups reveals that the hostname ntp.cybertu.be is linked to it. Although the hostname can be totally fake, it makes me point into the direction of NTP.

LittleSnitch caught “Incoming connections via vpnkit from 13.74.149.188” for me:

# alex in ~ [22:12:09]
→ whois 13.74.149.188
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.arin.net

inetnum:      13.0.0.0 - 13.255.255.255
organisation: Administered by ARIN
status:       LEGACY

whois:        whois.arin.net

changed:      1991-09
source:       IANA


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n + 13.74.149.188"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# https://whois.arin.net/rest/nets;q=13.74.149.188?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#

NetRange:       13.64.0.0 - 13.107.255.255
CIDR:           13.64.0.0/11, 13.96.0.0/13, 13.104.0.0/14
NetName:        MSFT
NetHandle:      NET-13-64-0-0-1
Parent:         NET13 (NET-13-0-0-0-0)
NetType:        Direct Assignment
OriginAS:
Organization:   Microsoft Corporation (MSFT)
RegDate:        2015-03-26
Updated:        2015-03-26
Ref:            https://whois.arin.net/rest/net/NET-13-64-0-0-1



OrgName:        Microsoft Corporation
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-09
Updated:        2017-01-28
Comment:        To report suspected security issues specific to traffic emanating from Microsoft online services, including the distribution of malicious content or other illicit or illegal material through a Microsoft online service, please submit reports to:
Comment:        * https://cert.microsoft.com.
Comment:
Comment:        For SPAM and other abuse issues, such as Microsoft Accounts, please contact:
Comment:        * abuse@microsoft.com.
Comment:
Comment:        To report security vulnerabilities in Microsoft products and services, please contact:
Comment:        * secure@microsoft.com.
Comment:
Comment:        For legal and law enforcement-related requests, please contact:
Comment:        * msndcc@microsoft.com
Comment:
Comment:        For routing, peering or DNS issues, please
Comment:        contact:
Comment:        * IOC@microsoft.com
Ref:            https://whois.arin.net/rest/org/MSFT


OrgAbuseHandle: MAC74-ARIN
OrgAbuseName:   Microsoft Abuse Contact
OrgAbusePhone:  +1-425-882-8080
OrgAbuseEmail:  abuse@microsoft.com
OrgAbuseRef:    https://whois.arin.net/rest/poc/MAC74-ARIN

OrgTechHandle: MRPD-ARIN
OrgTechName:   Microsoft Routing, Peering, and DNS
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  IOC@microsoft.com
OrgTechRef:    https://whois.arin.net/rest/poc/MRPD-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/public/whoisinaccuracy/index.xhtml
#


# alex in ~ [22:13:10]
→ dig -x 13.74.149.188

; <<>> DiG 9.9.7-P3 <<>> -x 13.74.149.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45826
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;188.149.74.13.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
149.74.13.in-addr.arpa.	600	IN	SOA	prd1.azuredns-cloud.net. msnhst.microsoft.com. 9 900 300 604800 3600

;; Query time: 20 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Mar 24 22:17:11 GMT 2018
;; MSG SIZE  rcvd: 134

I’m seeing something similar. According to Little Snitch the application /Applications/Docker.app/Contents/MacOS/com.docker.supervisor via /Applications/Docker.app/Contents/Resources/bin/vpnkit has 194 (!) incoming connections from all over the world. I would have expected Docker to have connections to Docker Hub, and from any started containers to whatever nodes they communicate with (I have no containers started at all when this is reported). Nothing in the Docker for Mac documentation or the settings for the app itself hints at it running a hidden VPN connected all over the world…

What is this actually doing?

1 Like

There was an issue where the ntp server was incorrectly configured to use the public ntp pool see https://github.com/docker/for-mac/issues/2529 - this should be fixed now in 18.03. If you are seeing this issue please can you confirm which version you are using.

Also, if you are on the current version, please can you open a new issue on https://github.com/docker/for-mac with a diagnostic id as the forum is not a good place for issue tracking.

With version 18.03.0-ce-mac59 (23608) I still see 19 connections to all over the world. Is this expected?

Please can you open an issue as above with a diagnostic ID.

Reported here: https://github.com/docker/for-mac/issues/2786