XZ Utils backdoor: Detection tools, scripts, rules
As the analysis of the backdoor in XZ Utils continues, several security companies have provided tools and advice on how to detect its presence on Linux systems.
What happened?
The open-source XZ Utils compression utility has been backdoored by a skilled threat actor who tried to get the malicious packages included in mainstream Linux distributions, to allow them unfettered, covert SSH access to Linux systems around the world.
“The author intentionally obfuscated the backdoor in distribution tarballs, intended for Linux distributions to use for building their packages. When the xz build system is instructed to create an RPM or DEB for the x86-64 architecture using gcc and gnu linker, the backdoor is included in the liblzma as part of the build process. This backdoor is then shipped as part of the binary within the RPM or DEB,” the Open Source Security Foundation succinctly explained.
The backdoor was discovered by Andres Freund, a software engineer at Microsoft, and its existence was publicly revealed a little over a week ago. Stable versions of a few Linux distros have been affected but widespread compromise has been avoided.
Threat researchers are still working on analyzing the backdoor and are revealing their findings daily.
It has become clear that this is the work of a sophisticated threat actor who used many tricks to:
- Make the backdoor difficult to spot
- Make their propagation efforts blend in with the normal open-source development process, and
- Become a trusted persona in the open-source ecosystem (they made commits on other projects, as well).
How to detect the XZ Utils backdoor?
Triggering/using the backdoor requires authentication via a private SSH key owned by the attacker, so exploitation – if it ever happens – will be limited. The fact that the vulnerable library versions haven’t ended up in many production systems is a huge blessing.
That said, a number of scripts and tools have been released allowing users to check for the presence of the backdoor.
Freund’s post on the OSS mailing list includes a script to detect vulnerable SSH binaries on systems, which has since been repurposed and extended to also check whether a system uses a backdoored version of the liblzma library.
Binarly, a firmware security firm, has set up an online scanner that allows users to analyze any binary for the backdoor implant.
“Such a complex and professionally designed comprehensive implantation framework is not developed for a one-shot operation. It could already be deployed elsewhere or partially reused in other operations. That’s exactly why we started focusing on more generic detection for this complex backdoor,” they noted.
Late last week, Bitdefender released another scanner, which must be deployed on the systems that need testing. (Since the scanner requires root privileges to be effective, the company has released the source code.)
It can search for all infected liblzma libraries, even if they are not used by the Secure Shell Daemon application (sshd), as well as for a unique byte sequence injected by the backdoor during library compilation.
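The two checks described above (every liblzma copy on disk, whether or not sshd loads it, plus a byte-sequence match) can be combined as follows; this is an added example, not code from Freund, Bitdefender or any other vendor named here. `SIGNATURE` is a placeholder because the article does not give the byte sequence, and the sshd path and library directories are assumptions.

```python
import mmap
import os
import re
import subprocess

# PLACEHOLDER, not a real indicator: the page does not list the injected byte
# sequence, so take the value from the scanner or rule set you rely on.
SIGNATURE = b"PLACEHOLDER-SIGNATURE"
LIB_NAME = re.compile(r"^liblzma\.so(\.\d+)*$")

def parse_ldd(ldd_output):
    """Return the resolved liblzma path named in `ldd <sshd>` output, or None."""
    for line in ldd_output.splitlines():
        match = re.match(r"\s*liblzma\.so\S*\s+=>\s+(\S+)", line)
        if match:
            return os.path.realpath(match.group(1))
    return None

def contains_signature(path, signature=SIGNATURE):
    """True/False if the file was searched, None if it could not be read."""
    try:
        with open(path, "rb") as fh:
            if os.fstat(fh.fileno()).st_size == 0:
                return False  # mmap rejects empty files
            with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as data:
                return data.find(signature) != -1
    except OSError:
        return None

def scan(roots, signature=SIGNATURE, sshd_lib=None):
    """Check every liblzma copy under roots, whether or not sshd loads it."""
    seen, results = set(), []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in filter(LIB_NAME.match, files):
                real = os.path.realpath(os.path.join(dirpath, name))
                if real in seen:  # several symlinks resolve to one file
                    continue
                seen.add(real)
                results.append({"path": real,
                                "signature_found": contains_signature(real, signature),
                                "loaded_by_sshd": real == sshd_lib})
    return sorted(results, key=lambda row: row["path"])

if __name__ == "__main__":
    # Assumed sshd location and library directories; adjust per distribution.
    ldd = subprocess.run(["ldd", "/usr/sbin/sshd"], capture_output=True, text=True)
    for row in scan(["/lib", "/usr/lib", "/usr/lib64"], sshd_lib=parse_ldd(ldd.stdout)):
        print(row)
```

A `signature_found` value of `None` means the file could not be read (typically a permissions issue), so that row is unchecked rather than clean.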
Elastic Security Labs researchers have published their analysis of the backdoor, as well as YARA signatures, detection rules, and osquery queries that Linux admins can use to find vulnerable liblzma libraries and identify potentially suspicious sshd behavior.