New XZ backdoor scanner detects implant in any Linux binary

April 2, 2024 at 10:38AM

Binarly, a firmware security firm, has released a free online scanner to detect Linux executables affected by the XZ Utils supply chain attack, tracked as CVE-2024-3094. The backdoor was discovered by a Microsoft engineer, and the scanner is meant to help find binaries that carry the implant. It uses static analysis of binaries to identify the malicious code and is available at xz.fail.

The key takeaways are:

– Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094.
– CVE-2024-3094 is a supply chain compromise in XZ Utils, a set of data compression tools and libraries used in many major Linux distributions.
– The backdoor in the latest version of the XZ Utils package was discovered by Microsoft engineer Andres Freund.
– The backdoor was introduced by a pseudonymous contributor in XZ version 5.6.0 and is also present in 5.6.1; it affected only the few Linux distributions that follow a “bleeding edge” upgrade approach.
– CISA proposed downgrading to XZ Utils 5.4.6 Stable and hunting for and reporting any malicious activity.
– Binarly developed a dedicated scanner that uses static analysis of binaries to identify tampering with GNU Indirect Function (IFUNC) transitions.
– The scanner examines transitions flagged as suspicious during the implantation of malicious IFUNC resolvers, which improves detection by covering other supply chain points beyond the XZ Utils project alone.
– The backdoor scanner developed by Binarly is available online at xz.fail for unlimited free checks.
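Binarly's scanner keys on IFUNC resolvers, so a useful first-pass triage step on a defender's own hosts is to enumerate the STT_GNU_IFUNC symbols a shared library exports and compare them with the set expected from a known-good build of the same package. The following is an added example, not Binarly's scanner or any code from the article: a minimal pure-Python reader for little-endian ELF64 files that walks `.dynsym`/`.symtab`, reports every IFUNC symbol, and flags any that are not in an analyst-supplied expected set. The sample ELF it builds for demonstration is constructed in the script (symbol names such as `sample_crc32` are invented), and the "expected set" check is this example's suggestion, not a method the article attributes to Binarly.

```python
import struct
import sys

# ELF constants (from the System V ABI / ELF64 specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_DYNSYM = 11
STT_FUNC = 2
STT_GNU_IFUNC = 10          # GNU extension: symbol is an indirect-function resolver

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, 64 bytes
SYM = struct.Struct("<IBBHQQ")              # Elf64_Sym, 24 bytes


def _cstr(blob, off):
    """Read a NUL-terminated string starting at offset `off` in a string table."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def _sections(data):
    """Parse the ELF header and return the list of section header tuples."""
    ident, *_, shoff, _, _, _, _, shentsize, shnum, _ = EHDR.unpack_from(data, 0)
    if not ident.startswith(ELF_MAGIC) or ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled by this example")
    if shoff == 0 or shentsize != SHDR.size:
        raise ValueError("missing or malformed section header table")
    return [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]


def ifunc_symbols(data):
    """Return a sorted list of (table, name) for every STT_GNU_IFUNC symbol in the file."""
    secs = _sections(data)
    found = set()
    for sh in secs:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = secs[sh_link]                      # sh_link points at the matching string table
        if strtab[1] != SHT_STRTAB:
            raise ValueError("symbol table links to a non-string-table section")
        strblob = data[strtab[4]:strtab[4] + strtab[5]]
        table = "dynsym" if sh_type == SHT_DYNSYM else "symtab"
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize or SYM.size):
            st_name, st_info = SYM.unpack_from(data, off)[:2]
            if st_info & 0xF == STT_GNU_IFUNC:      # low nibble of st_info is the symbol type
                found.add((table, _cstr(strblob, st_name)))
    return sorted(found)


def unexpected_ifuncs(data, expected_names):
    """IFUNC symbol names present in `data` but absent from the analyst's expected set."""
    return {name for _, name in ifunc_symbols(data)} - set(expected_names)


def build_sample_elf(symbols):
    """Construct a minimal ELF64 shared object containing only .dynsym/.dynstr (test input, not a real library)."""
    dynstr, syms = b"\0", [SYM.pack(0, 0, 0, 0, 0, 0)]          # index 0 is the mandatory null symbol
    for name, st_type in symbols:
        syms.append(SYM.pack(len(dynstr), (1 << 4) | st_type, 0, 1, 0x1000, 0))  # STB_GLOBAL | type
        dynstr += name.encode() + b"\0"
    dynsym = b"".join(syms)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"
    off_dynsym = EHDR.size
    off_dynstr = off_dynsym + len(dynsym)
    off_shstr = off_dynstr + len(dynstr)
    off_shdr = off_shstr + len(shstrtab)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR.pack(1, SHT_DYNSYM, 2, 0, off_dynsym, len(dynsym), 2, 1, 8, SYM.size),
        SHDR.pack(9, SHT_STRTAB, 2, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),
        SHDR.pack(17, SHT_STRTAB, 0, 0, off_shstr, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + b"\0" * 9
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, 0, off_shdr, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + dynsym + dynstr + shstrtab + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python ifunc_triage.py /path/to/liblzma.so.5 [expected_name ...]
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
        for table, name in ifunc_symbols(blob):
            print(f"{table}\t{name}")
        if len(sys.argv) > 2:
            print("unexpected:", sorted(unexpected_ifuncs(blob, sys.argv[2:])))
    else:
        demo = build_sample_elf([("sample_crc32", STT_GNU_IFUNC), ("sample_crc64", STT_GNU_IFUNC),
                                 ("sample_code", STT_FUNC)])
        print(ifunc_symbols(demo))
```

Point the script at the liblzma shared object on a host to list its IFUNC resolvers; a name that is absent from a known-good build of the same package version is a reason to look closer (or to submit the file to a dedicated scanner such as the one described above). A matching list is not proof of a clean binary, since the XZ implant tampered with how existing resolvers behave rather than only adding new symbols, which is why the article's scanner analyses the resolver code itself.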
