XZ Utils backdoor: Detection tools, scripts, rules
2024-04-08 13:22

As the analysis of the backdoor in XZ Utils continues, several security companies have provided tools and advice on how to detect its presence on Linux systems.

The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, which would have given the attacker unfettered, covert SSH access to Linux systems around the world.

"The author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB," the Open Source Security Foundation succinctly explained.

A number of scripts and tools have been released that allow users to check for the presence of the backdoor.

Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.

Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.


News URL

https://www.helpnetsecurity.com/2024/04/08/detect-xz-backdoor/