Re: finding similar compromises (was Re: From xz to ibus: ...

[Hank Leininger <hlein () korelogic com>]

On 2024-04-02, Tavis Ormandy wrote:
> On 2024-04-02, Tavis Ormandy wrote:
> > On 2024-04-01, HW42 wrote:
> > > Hi Jan,
> > >
> > > great that you are looking for further problems. (Just to be clear,
> > > I'm not associated with ibus in any way.)
> >
> > Yes, agreed. In the interests of discussing things in the open after
> > just complaining about embargoes... :)

Along similar lines, I've been analyzing other packages to see if I can
find similar fragments to those used in the stage0, stage1, stage2
loaders from the xz-utils backdoor:

https://github.com/hlein/distro-backdoor-scanner

tl;dr: did some scans, more to come, nothing found yet; help add patterns.

I'll quote my own README here:

###

The toolkit used for the xz-utils backdoor is far too sophisticated to
be a first draft. Were there earlier iterations of this, that shared
some things in common but were slightly simpler, injected into other
projects? Can we detect the style/"fist" of the author elsewhere? Moreso
the delivery mechanics than the contents of the extracted+injected
malicious .so.

These scripts unpack the source packages for all of a distro repo's
current packages, then scan them for content similar to the malware that
was added to xz-utils.

Running over the unpacked source trees of ~19k Gentoo packages and ~40k
Debian packages gives a manageable amount of results (~hundreds of
hits), digestable by a human. So far the only confirmed malicious
results are... from the backdoored xz-utils versions.

There need to be more search patterns, among other things; see TODO.

###

Working on some submitted patches and adding Rocky Linux support ~today.

Thanks,

-- 

Hank Leininger <hlein () korelogic com>
8428 ED14 5268 C727 0C48  F454 846F 0637 5FEB 1612

Attachment: signature.asc
Description: Digital signature