A new XZ backdoor scanner will be able to protect any Linux binary from threats
IT teams concerned about the XZ Utils supply chain attack can breathe a little easier: Binarly has released a free online scanner that checks for the backdoor.
Cybersecurity researchers investigating slow SSH logins on Debian Sid recently discovered a backdoor in the latest version of XZ Utils, a set of data compression tools and libraries used by major Linux distributions.
The backdoor exploited a vulnerability tracked as CVE-2024-3094. It was introduced by a pseudonymous attacker in XZ version 5.6.0 and persisted into 5.6.1. Shortly after the discovery, the cybersecurity community came together to address the issue, with CISA proposing to downgrade the tool to the stable 5.4.6 release and then look for and report malicious activity.
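The downgrade advice above implies a first, trivial triage step: find out which XZ Utils version each host actually runs. The POSIX shell snippet below is an added example, not code from the article, CISA or Binarly. It parses the first line of `xz --version` (which has the form `xz (XZ Utils) 5.4.6`), flags the two versions the article names as backdoored (5.6.0 and 5.6.1), and reports anything it cannot parse as unknown rather than silently passing it. The function names and the classification labels are this example's own choices; a version check is only a starting point, since a rebuilt or renamed library would not be caught this way, which is the gap the behavioural scanner discussed later is meant to close.

```shell
#!/bin/sh
# Added example (not from the article): classify an installed XZ Utils
# version against the backdoored releases the article names.

# Return 0 if the version string is one of the backdoored releases
# (5.6.0 or 5.6.1 per the article), 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Prints nothing if the line
# does not match that shape.
xz_parse_version() {
    printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Map a version string to one of three labels so an empty or garbled
# version is never reported as safe.
xz_classify() {
    if [ -z "$1" ]; then
        echo "UNKNOWN"
    elif xz_version_affected "$1"; then
        echo "AFFECTED"
    else
        echo "OK"
    fi
}

# Live check against the xz binary on PATH, if any.
check_installed_xz() {
    if command -v xz >/dev/null 2>&1; then
        first_line=$(xz --version 2>/dev/null | head -n 1)
        v=$(xz_parse_version "$first_line")
        printf 'installed xz version "%s": %s\n' "$v" "$(xz_classify "$v")"
    else
        echo "xz not found on PATH"
    fi
}

# Constructed sample output lines, used to show the three outcomes offline.
for sample in "xz (XZ Utils) 5.6.1" "xz (XZ Utils) 5.4.6" "not an xz banner"; do
    v=$(xz_parse_version "$sample")
    printf '%-24s -> %s\n' "$sample" "$(xz_classify "$v")"
done

check_installed_xz
```

Source the file in a shell to reuse `xz_classify` in a fleet-wide inventory script, or run it directly to see the three constructed samples followed by the result for the local binary.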
Better results
Other security teams started using byte string matching, file hash blocking, and various YARA rules, none of which were exceptionally effective. Some even led to false positives, which only exacerbated the problem.
Enter Binarly, whose scanner detects the backdoor both in the affected library itself and in any other file that carries the same implant.
“Such a complex and professionally designed comprehensive implant framework was not developed for a one-time operation. It could already be deployed elsewhere or partially reused in other operations. That is precisely why we started focusing on more generic detection for this complex backdoor,” Binarly said in its announcement.
Compared to the earlier methods, Binarly says this scanner delivers better results because it looks for the implant across multiple supply chain points rather than in the XZ Utils project alone.
“This detection is based on behavioral analysis and can automatically detect any variants if a similar backdoor is implanted elsewhere,” Binarly’s chief security researcher and CEO, Alex Matrosov, told BleepingComputer. “Even after recompilation or code changes we will detect it,” Matrosov added.
The scanner can be found at xz.fail.