
Is your system protected against Chaos Malware?

Feb 2, 2022

Reading Time: 3 minutes


In this blog, we will see how to defend against Chaos malware using AccuKnox's open-source tools. This post is specific to protecting Kubernetes (K8s) workloads; non-K8s workload support is coming soon on AccuKnox. Presented at GoSec 2017 in Montreal, Chaos malware can be traced back to a rootkit called "sebd" that was active in 2013. The malware gives the attacker a fully encrypted SSH reverse shell on the victim's machine, integrated into the existing SSH service.

Malware functionality

To stay hidden, the attacker first disables shell history logging. The attacker then inspects the SSHD binary and checks for the existence of certain files such as /usr/include/gpm2.h. Those files are commonly used by patched SSHD binaries to log stolen SSH credentials, so this check tells the attacker whether the machine is already infected by some other malware; that is why it is performed first.

This malware consists of:

  1. Chaos Server – ELF Binary
  2. Chaos Client – ELF Binary
  3. initrunlevels – Shell script
  4. Install – Shell script

Let's understand how this works. The install script copies the initrunlevels script to /etc/init.d so that it runs at every boot of the system. The initrunlevels script opens port 8338 and checks whether certain files exist; if they do not, it copies hidden files to the checked paths. Next, the script copies the Client into /usr/include/cli.h and the Chaos server into /usr/include/stabd.h and /usr/sbin/smdb. This creates backups of both the Client and the Chaos server on the system, so the backdoor survives if one copy is removed. The attacker also dropped and executed additional files to make the system part of an IRC botnet, but we investigated only the backdoor within the scope of this post.

Virustotal reference:

Chaos Server:

Chaos Client:

AccuKnox run-time security tools and how they protect against threats like Chaos

AccuKnox's open-source tools protect against unknown and malicious behavior at run-time, including malware such as Chaos. A run-time security tool provides active protection for your workloads while they are running: the idea is to detect and prevent malicious activity after the workloads have been initialized and are serving traffic, rather than relying only on scanning images before deployment.

AccuKnox's open-source tools consist of a) auto policy discovery, b) KubeArmor and c) Cilium.

There are many ways to block Chaos and other kinds of malware. One would be to auto-discover a safe profile of the workload (the files, processes and network connections it legitimately uses) and then allow only that behavior, so anything the malware does outside the profile is denied.

Blocking Chaos specific actions

For the purpose of this blog, we will focus on understanding the Chaos malware signature and blocking those specific actions. With the information gathered above about Chaos, we can create a KubeArmor policy as follows to block the malware.

KubeArmor policy: Chaos malware

The given KubeArmor policy defends against the file-related actions of the Chaos malware (the marker file it checks and the paths it drops its copies into). The policy is applied to the workload with the kubectl command:

kubectl apply -f <policyfile name.yaml> #to apply the policy
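The KubeArmorPolicy below is an added example, not the policy image from the original post: it blocks the file paths the malware is described as using (the /usr/include/gpm2.h marker, the backup copies in /usr/include/cli.h, /usr/include/stabd.h and /usr/sbin/smdb, and writes into /etc/init.d for persistence) and, going one step beyond the file-only policy described above, also blocks execution of the dropped binaries from those paths. The namespace and the `app: web` selector label are assumptions; replace them with the labels of your workload.

```yaml
# Added example (not the original post's policy): KubeArmorPolicy that denies
# the file and process activity attributed to the Chaos backdoor.
# Assumptions: namespace "default" and workload label app: web.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-chaos-backdoor
  namespace: default          # assumed namespace
spec:
  severity: 10
  tags: ["chaos", "backdoor", "persistence"]
  message: "Chaos backdoor file or process activity blocked"
  selector:
    matchLabels:
      app: web                # assumed workload label
  file:
    matchPaths:
    # marker file the malware checks for, and the backup copies it drops
    - path: /usr/include/gpm2.h
    - path: /usr/include/cli.h
    - path: /usr/include/stabd.h
    - path: /usr/sbin/smdb
    matchDirectories:
    # persistence: the install script copies initrunlevels into /etc/init.d.
    # readOnly: true blocks writes there while still allowing reads.
    - dir: /etc/init.d/
      recursive: true
      readOnly: true
  process:
    matchPaths:
    # the dropped server/client binaries must never execute from these paths
    - path: /usr/sbin/smdb
    - path: /usr/include/stabd.h
    - path: /usr/include/cli.h
  action: Block
```

Apply it with `kubectl apply -f block-chaos-backdoor.yaml`; with `action: Block`, KubeArmor denies the matching syscalls and emits an alert for each attempt, so a blocked write to /usr/include/cli.h shows up in `karmor logs` even though the malware never gets its backup copy in place. Path-based blocking only catches this specific sample; a renamed drop location would need the allow-list approach from auto policy discovery.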

This malware also opens port 8338 from the initrunlevels script.

Let's use a Cilium network policy to block traffic on that port.

Cilium network policy

In this policy, we allow only port 53 (DNS) and close all other ports for the pod. So when initrunlevels runs, its listener on port 8338 will not be reachable and the reverse shell will have no path out of the pod. Note that a network policy does not stop the script from calling listen() on 8338; it stops the traffic, which is what the attacker needs.
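The CiliumNetworkPolicy below is an added example, not the policy image from the original post. It lets the pod reach only cluster DNS on port 53 and denies every other flow in both directions, so neither an inbound connection to the 8338 listener nor the outbound SSH reverse shell gets through. The `app: web` label, the namespace and the kube-dns selector labels are assumptions; adjust them to your cluster.

```yaml
# Added example (not the original post's policy): CiliumNetworkPolicy that
# permits only DNS egress to kube-dns on port 53 and drops everything else.
# Assumptions: namespace "default", workload label app: web, DNS pods labelled
# k8s-app: kube-dns in kube-system (the usual kubeadm/cloud defaults).
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: chaos-dns-only
  namespace: default          # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: web                # assumed workload label
  # Ingress: in Cilium an empty rule selects no peers but still puts the
  # endpoint into default-deny, so inbound connections to 8338 are dropped.
  ingress:
  - {}
  # Egress: only DNS to kube-dns. Once this rule selects the pod, every other
  # outbound flow, including the reverse shell to the attacker, is dropped.
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      - port: "53"
        protocol: TCP
```

The empty `- {}` rule is Cilium-specific: unlike a Kubernetes NetworkPolicy, where an empty rule allows all traffic, Cilium treats it as "select nothing", which is the documented way to get a default-deny section without whitelisting any peer. If the workload legitimately serves traffic, add the corresponding `fromEndpoints`/`toPorts` ingress rule rather than dropping the ingress section, since otherwise Cilium would not enforce ingress at all.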


In this blog, we have seen how to defend against Chaos malware using KubeArmor and Cilium. The malware relies on techniques such as dropping backup copies of itself, persisting through /etc/init.d and opening a reverse shell back to the attacker. KubeArmor protects files, processes and system resources inside the container, while Cilium acts as a network firewall for containers. We used both to prevent this attack.

