Apr 08 2024

XZ Utils backdoor: Detection tools, scripts, rules

Category: Backdoor | disc7 @ 11:54 am

Malware Data Science: Attack Detection and Attribution

What happened?

The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, to allow them unfettered, covert SSH access to Linux systems around the world.

“The author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB,” the Open Source Security Foundation succinctly explained.

The backdoor was discovered by Andres Freund, a software engineer at Microsoft, and its existence was publicly revealed a little over a week ago. Stable versions of a few Linux distros have been affected, but widespread compromise has been avoided.

Threat researchers are still working on analyzing the backdoor and are revealing their findings daily.

It has become clear that this is the work of a sophisticated threat actor who used many tricks to:

How to detect the XZ Utils backdoor?

Triggering/using the backdoor requires authentication via a private SSH key owned by the attacker, so exploitation – if it ever happens – will be limited. The fact that the vulnerable library versions haven't ended up in many production systems is a huge blessing.

That said, a number of scripts and tools have been released allowing users to check for the presence of the backdoor.

Freund's post on the OSS mailing list includes a script to detect vulnerable SSH binaries on systems, which has since been repurposed and extended to also check whether a system uses a backdoored version of the liblzma library.

Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.

“Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That's exactly why we started focusing on more generic detection for this complex backdoor,” they noted.

Late last week, Bitdefender released another scanner, which must be deployed on the systems that need testing. (Since the scanner requires root privileges to be effective, the company has released the source code.)

It can search for all infected liblzma libraries, even if they are not used by the Secure Shell Daemon application (sshd), as well as for a unique byte sequence injected by the backdoor during library compilation.

Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.
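The host checks described above (an xz version check, whether sshd links liblzma, and a byte-pattern search in a binary) are small enough to show in a single POSIX shell script. The one below is an added example written for this post; it is not Freund's script and not Bitdefender's or Elastic's tooling. It assumes that the affected upstream releases are 5.6.0 and 5.6.1 (taken from public advisories, not stated in this post) and that the implant is reached through an sshd process that links liblzma; the `binary_has_hex_pattern` helper takes its pattern from the caller and ships no indicator of its own. The `SAMPLE_*` strings are constructed test data, not output from a real host.

```shell
#!/bin/sh
# Added example: minimal xz/liblzma host check. Not the original detection
# script from the mailing list, nor any vendor's scanner.

# Assumption: affected upstream releases as published in public advisories.
AFFECTED_VERSIONS="5.6.0 5.6.1"

# Constructed sample outputs used for self-checks below (not from a real host).
SAMPLE_XZ_VERSION="xz (XZ Utils) 5.6.1
liblzma 5.6.1"
SAMPLE_LDD="    linux-vdso.so.1 (0x00007ffd1a3f0000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f2d4c1e0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2d4bf00000)"

# is_affected_version VERSION -> returns 0 when VERSION is in AFFECTED_VERSIONS
is_affected_version() {
  for v in $AFFECTED_VERSIONS; do
    [ "$1" = "$v" ] && return 0
  done
  return 1
}

# parse_xz_version "OUTPUT" -> prints the version token from the first line of
# `xz --version`, which looks like "xz (XZ Utils) 5.6.1"; prints nothing if the
# line does not end in a plain dotted version.
parse_xz_version() {
  printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p'
}

# ldd_links_liblzma "LDD_OUTPUT" -> returns 0 when liblzma is among the
# dynamically linked libraries
ldd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# liblzma_paths_from_ldd "LDD_OUTPUT" -> prints the resolved liblzma path(s)
liblzma_paths_from_ldd() {
  printf '%s\n' "$1" | awk '/liblzma\.so/ { print $3 }'
}

# binary_has_hex_pattern FILE HEXPATTERN -> returns 0 when the lowercase hex
# encoding of FILE contains HEXPATTERN (no spaces), 1 when not, 2 if unreadable.
# The pattern is supplied by the caller, e.g. from a published signature.
binary_has_hex_pattern() {
  [ -r "$1" ] || return 2
  od -An -v -tx1 "$1" | tr -d ' \n' | grep -q "$2"
}

# check_system -> inspects the live host; returns 1 if an affected xz release
# is installed, 0 otherwise. An sshd that links liblzma is reported as
# information only: on many distributions that is normal (via libsystemd) and
# is the precondition under which the implant becomes reachable.
check_system() {
  status=0
  if command -v xz >/dev/null 2>&1; then
    ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
    if is_affected_version "$ver"; then
      echo "WARN: xz $ver is an affected release; verify your distro package"
      status=1
    else
      echo "ok:   xz version '${ver:-unknown}' is not in the affected list"
    fi
  else
    echo "info: xz not found in PATH"
  fi

  sshd_path=$(command -v sshd 2>/dev/null || true)
  [ -n "$sshd_path" ] || [ ! -x /usr/sbin/sshd ] || sshd_path=/usr/sbin/sshd
  if [ -n "$sshd_path" ]; then
    ldd_out=$(ldd "$sshd_path" 2>/dev/null || true)
    if ldd_links_liblzma "$ldd_out"; then
      echo "info: $sshd_path links liblzma at:" $(liblzma_paths_from_ldd "$ldd_out")
      echo "      check that library's package version and checksum"
    else
      echo "ok:   $sshd_path does not link liblzma"
    fi
  else
    echo "info: sshd not found"
  fi
  return $status
}

# Run the live check only when invoked as: sh xz-check.sh --scan
case "${1:-}" in
  --scan) check_system ;;
esac
```

Invoke it as `sh xz-check.sh --scan`; the exit status is 1 only when an affected xz release is found, so it can be dropped into a fleet-wide job. A version match is a strong hint but not proof either way (distributions patch and rebuild without bumping the upstream version), which is why the script points you back to the package metadata and to the published signatures rather than deciding on its own.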


Tags: Detection tools