
Detecting the xz-utils Backdoor with Automation

submitted by
Style Pass
2024-04-13 09:00:05

In this ObjectSecurity blog post, we discuss how automated binary vulnerability analysis helps detect advanced attacks such as the recently discovered “xz-utils backdoor”. The backdoor was committed on March 25, 2024 to a ubiquitous library in the Linux ecosystem, via the xz-utils GitHub repository, which has since been removed from the site by GitHub and Microsoft. The malware was disguised as a binary file meant to serve as input for an automated test that runs along with new public build versions of the xz-utils library. Had this exploit not been detected by Andres Freund, a developer at Microsoft, countless Linux/Unix systems would have become vulnerable to what is suspected to be a nation-state attack.


The backdoor is injected into release versions of xz-utils only after a multi-stage parsing process completes. The payload injected at the end of this process results in a malicious shared object (.so) file in versions 5.6.0 and 5.6.1 of the liblzma dependency of xz-utils.
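As an added example (not code from the ObjectSecurity post), the following screening check parses the output of `xz --version`, whose "xz (XZ Utils) X.Y.Z" and "liblzma X.Y.Z" lines are the real format, and flags the two affected versions named above; the sample outputs embedded in the script are constructed, not captured from a real host.

```python
import re
import shutil
import subprocess

# Versions the post names as carrying the malicious liblzma shared object.
AFFECTED_VERSIONS = {"5.6.0", "5.6.1"}

# Matches "xz (XZ Utils) 5.6.1" and "liblzma 5.6.1" as printed by `xz --version`.
_VERSION_LINE = re.compile(
    r"^(?P<component>xz \(XZ Utils\)|liblzma)\s+(?P<version>\d+\.\d+\.\d+)"
)


def parse_xz_version_output(text):
    """Return {component: version} parsed from `xz --version` output."""
    found = {}
    for line in text.splitlines():
        m = _VERSION_LINE.match(line.strip())
        if m:
            found[m.group("component")] = m.group("version")
    return found


def affected_components(text):
    """Names of components whose reported version is 5.6.0 or 5.6.1."""
    versions = parse_xz_version_output(text)
    return sorted(c for c, v in versions.items() if v in AFFECTED_VERSIONS)


def check_local_xz():
    """Run the installed `xz --version`, if any, and return affected components."""
    xz = shutil.which("xz")
    if xz is None:
        return None  # xz not installed on this host; nothing to screen
    result = subprocess.run([xz, "--version"], capture_output=True, text=True, check=False)
    return affected_components(result.stdout)


# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

if __name__ == "__main__":
    print(affected_components(SAMPLE_AFFECTED))  # ['liblzma', 'xz (XZ Utils)']
    print(affected_components(SAMPLE_CLEAN))     # []
    print(check_local_xz())
```

A version match is only a screening signal: distributions that rebuilt or downgraded the package may report differently, so confirm with the binary analysis the post describes rather than treating the version string as proof either way.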
