|
Message-ID: <20240402121050.552d3d82-1bc9-4d55-8d92-91b935e0e308@korelogic.com>
Date: Tue, 2 Apr 2024 12:27:18 -0600
From: Hank Leininger <hlein@...elogic.com>
To: oss-security@...ts.openwall.com
Subject: Re: finding similar compromises (was Re: From xz to ibus: ...
On 2024-04-02, Tavis Ormandy wrote:
> On 2024-04-02, Tavis Ormandy wrote:
> > On 2024-04-01, HW42 wrote:
> >> Hi Jan,
> >>
> >> great that you are looking for further problems. (Just to be clear,
> >> I'm not associated with ibus in any way.)
> >
> > Yes, agreed. In the interests of discussing things in the open after
> > just complaining about embargoes... :)
Along similar lines, I've been analyzing other packages to see if I can
find similar fragments to those used in the stage0, stage1, stage2
loaders from the xz-utils backdoor:
https://github.com/hlein/distro-backdoor-scanner
tl;dr: did some scans, more to come, nothing found yet; help add patterns.
I'll quote my own README here:
###
The toolkit used for the xz-utils backdoor is far too sophisticated to
be a first draft. Were there earlier iterations of this, that shared
some things in common but were slightly simpler, injected into other
projects? Can we detect the style/"fist" of the author elsewhere? Moreso
the delivery mechanics than the contents of the extracted+injected
malicious .so.
These scripts unpack the source packages for all of a distro repo's
current packages, then scan them for content similar to the malware that
was added to xz-utils.
Running over the unpacked source trees of ~19k Gentoo packages and ~40k
Debian packages gives a manageable amount of results (~hundreds of
hits), digestable by a human. So far the only confirmed malicious
results are... from the backdoored xz-utils versions.
There need to be more search patterns, among other things; see TODO.
###
Working on some submitted patches and adding Rocky Linux support ~today.
Thanks,
--
Hank Leininger <hlein@...elogic.com>
8428 ED14 5268 C727 0C48 F454 846F 0637 5FEB 1612
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.