
New XZ scanner detects backdoor in any Linux binary

Firmware security company Binarly has released a free online scanner, the XZ scanner, to detect backdoors on Linux systems affected by the XZ Utils supply chain attack.



CVE-2024-3094 is a supply chain vulnerability in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions.

Last month, Microsoft engineer Andres Freund discovered the backdoor in the latest version of the XZ Utils package while investigating unusually slow SSH logins on Debian Sid, the rolling-release version of the Linux distribution.

The backdoor was introduced in XZ version 5.6.0 and remained in version 5.6.1. However, only a few Linux distributions and versions that follow a "bleeding edge" upgrade approach were affected, with most using an older, unaffected version of the library.

After the backdoor was identified, a detection and mitigation effort was launched, with CISA recommending a downgrade to the stable XZ Utils 5.4.6 and a search for, and reporting of, any malicious activity.

The XZ scanner

So far, the approach taken in threat reduction efforts has been based on simple checks, such as byte-string matching, file hash blocklisting, and YARA rules, which can lead to false positive detections.


This approach can cause significant alert fatigue and is not helpful in identifying similar backdoors in other projects.

To address this problem, Binarly developed a dedicated XZ scanner that works both for the specific Linux library and for any file that carries the same backdoor.

Binarly's detection method uses static binary analysis to identify tampering with GNU Indirect Function (IFUNC) transitions.

More specifically, the XZ scanner checks IFUNC transitions that were flagged as suspicious during analysis of the malicious implant. The IFUNC feature of the GCC compiler allows developers to create multiple versions of the same function, one of which is selected at runtime based on criteria such as the processor type. The XZ backdoor abuses this mechanism by modifying IFUNC calls to intercept or hook execution, which results in the insertion of malicious code.
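As an added illustration (not Binarly's code, nor code from the article), here is a minimal GNU IFUNC in C: the resolver, rather than the caller, decides at load time which implementation the `fnv1a32` symbol binds to, and a small check verifies that the resolved target is one of the expected candidates, the same question a static audit of IFUNC transitions asks of a binary. The function names and sample data are assumptions of this example, and it assumes GCC or Clang on a glibc/ELF Linux system.

```c
/* Added example, not Binarly's code or the article's: a minimal GNU IFUNC.
 * The resolver, not the caller, chooses which implementation the public
 * symbol binds to at load time. Requires GCC or Clang on a glibc/ELF Linux. */
#include <stddef.h>
#include <stdint.h>
typedef uint32_t (*fnv1a32_fn)(const uint8_t *, size_t);

/* Reference implementation: plain byte-at-a-time 32-bit FNV-1a. */
uint32_t fnv1a32_generic(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++)
        h = (h ^ buf[i]) * 0x01000193u;
    return h;
}

/* Alternative candidate: 4x unrolled loop, identical output. */
uint32_t fnv1a32_unrolled(const uint8_t *buf, size_t len) {
    uint32_t h = 0x811C9DC5u;
    size_t i = 0;
    for (; i + 4 <= len; i += 4) {
        h = (h ^ buf[i])     * 0x01000193u;
        h = (h ^ buf[i + 1]) * 0x01000193u;
        h = (h ^ buf[i + 2]) * 0x01000193u;
        h = (h ^ buf[i + 3]) * 0x01000193u;
    }
    for (; i < len; i++)
        h = (h ^ buf[i]) * 0x01000193u;
    return h;
}

/* IFUNC resolver, run once by the dynamic loader. The criterion here is the
 * target architecture, a stand-in for the CPU-feature checks real code uses. */
static fnv1a32_fn resolve_fnv1a32(void) {
#if defined(__x86_64__) || defined(__aarch64__)
    return fnv1a32_unrolled;
#else
    return fnv1a32_generic;
#endif
}

/* Public symbol: every call to fnv1a32() lands wherever the resolver pointed. */
uint32_t fnv1a32(const uint8_t *buf, size_t len)
    __attribute__((ifunc("resolve_fnv1a32")));

/* Defender-side check, the in-process analogue of a static IFUNC audit: does
 * the resolver hand back one of the known-good candidates, and nothing else? */
int resolver_target_is_known(void) {
    fnv1a32_fn target = resolve_fnv1a32();
    return target == fnv1a32_generic || target == fnv1a32_unrolled;
}
```

A tampered resolver that returns a pointer outside the set of legitimate implementations is exactly the kind of transition a static scan of the binary would flag.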

Binarly's XZ scanner improves detection coverage, as it scans for various compromise points in the supply chain beyond the XZ Utils project, and its results are of higher confidence. The XZ backdoor scanning tool for Linux systems is available at xz.fail, where users can upload their binaries for unlimited free testing.

Binarly has made available a free API for processing bulk scans for those who need it.


Backdoors are methods that allow a user to bypass a system's normal authentication or security controls. They can be installed either by the user for easier access, or by attackers to gain access to a system without being detected. To protect yourself from backdoors, it is important to regularly update software and the operating system, use strong and unique passwords, and regularly check your system for signs of tampering. It is also important to be careful with the software you install, as backdoors can be embedded in software that appears legitimate.

Source: bleepingcomputer

Absenta Mia