
Linux upstream dependency malware

  1. #1
    Donald Trump Black Hole
    Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
    distributions, and where they have, mostly in pre-release versions.


    == Observing Impact on openssh server ==

    With the backdoored liblzma installed, logins via ssh become a lot slower.

    time ssh nonexistant@…alhost

    before:
    nonexistant@…alhost: Permission denied (publickey).

    before:
    real 0m0.299s
    user 0m0.202s
    sys 0m0.006s

    after:
    nonexistant@…alhost: Permission denied (publickey).

    real 0m0.807s
    user 0m0.202s
    sys 0m0.006s


    openssh does not directly use liblzma. However debian and several other
    distributions patch openssh to support systemd notification, and libsystemd
    does depend on lzma.


    Initially starting sshd outside of systemd did not show the slowdown, despite
    the backdoor briefly getting invoked. This appears to be part of some
    countermeasures to make analysis harder.
    https://www.openwall.com/lists/oss-security/2024/03/29/4

    Thank you. None of these patches are urgent. I'm on a holiday and only
    happened to look at my emails and it seems to be a major mess.

    My proper investigation efforts likely start in the first days of
    April. That is, I currently know only a few facts which alone are bad
    enough.

    Info will be updated here: https://tukaani.org/xz-backdoor/
    https://lkml.org/lkml/2024/3/30/188
    The maintainer of the repo, Lasse Collin, a Swede, is on holiday.

    Not much seems to be known about the person who committed the malicious code, Jia Tan.


    It may be a cute Asian girl. All the images when you search for Jia Tan are cute Asian girls.

    Girls commit to open source ... r-right?
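    As an added example (not code from the thread or from the quoted mailing-list posts), a POSIX shell script that checks the two facts the post above rests on: whether the installed xz is one of the named releases 5.6.0 / 5.6.1, and whether the sshd binary reaches liblzma through libsystemd. It assumes the `xz --version` banner format "xz (XZ Utils) X.Y.Z" and ordinary ldd output; the sample ldd lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from the xz/openssh projects): offline
# checks for the two facts above, with a --live mode that runs them on this host.

# Pull the version number out of the first line of `xz --version` output,
# which looks like "xz (XZ Utils) 5.6.1".
xz_version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# True (exit 0) for the two backdoored releases named in the thread.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# True if ldd output for sshd shows both libsystemd and liblzma, i.e. the
# chain the thread describes: distro systemd-notify patch -> libsystemd -> liblzma.
sshd_reaches_liblzma() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so' &&
        printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Constructed sample ldd output (paths and addresses are placeholders).
SAMPLE_LDD='    linux-vdso.so.1 (0x0000000000000001)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000000000000002)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000000000000003)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000000000000004)'

# --live: inspect the installed xz and the sshd binary; otherwise do nothing.
if [ "${1:-}" = "--live" ]; then
    if command -v xz >/dev/null 2>&1; then
        v=$(xz_version_from_banner "$(xz --version 2>/dev/null)")
        if xz_version_affected "$v"; then
            echo "xz $v: one of the backdoored releases (5.6.0/5.6.1)"
        else
            echo "xz $v: not one of the two named releases"
        fi
    fi
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_path" ] && command -v ldd >/dev/null 2>&1; then
        if sshd_reaches_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
            echo "$sshd_path loads liblzma (via libsystemd): exposed if xz is backdoored"
        else
            echo "$sshd_path does not load liblzma"
        fi
    fi
fi
```

Run it with `--live` on a host to see both checks; without arguments it only defines the functions, so it can be sourced.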
  2. #2
    ner vegas African Astronaut
    lol yeah, people who commit malware always do it using their own name and account

    interesting they added a patch to the makefiles rather than straight up updating the code; seems way more suspicious, and like they observed that memory locations are going to be different depending on environment, platform etc
  3. #3
    Mighest Houston
    I like Asian girls.

    That's all I have for now.
  4. #4
    Mighest Houston
    Reading up on this, I realize this was actually a very big close call.

    This may have even been a government entity.
  5. #5
    greyok Yung Blood
    This got me paranoid when i went to update linux mint and its name was virginia. I updated to victoria only
  6. #6
    Donald Trump Black Hole
    Originally posted by ner vegas interesting they added a patch to the makefiles rather than straight up updating the code

    That was to get the binaries into the compilation process. They hid the binaries as if they were test binaries; due to it being a cryptographic library, it would have been sort of normal enough to use a binary file (which would have been a known encrypted file) as a test file. And makefiles are a mess that makes no sense to me, so no one read it, and since everyone hates tests anyway it got overlooked. It was only caught when someone noticed SSH login was slower on infected machines.
  7. #7
    Originally posted by Donald Trump That was to get the binaries into the compilation process. They hid the binaries as if they were test binaries; due to it being a cryptographic library, it would have been sort of normal enough to use a binary file (which would have been a known encrypted file) as a test file. And makefiles are a mess that makes no sense to me, so no one read it, and since everyone hates tests anyway it got overlooked. It was only caught when someone noticed SSH login was slower on infected machines.

    yikes man
  8. #8
    Cowboy2013 African Astronaut
    So what does all this mean in layman's terms?
  9. #9
    ner vegas African Astronaut
    Originally posted by Cowboy2013 So what does all this mean in layman's terms?

    someone added malware to a dependency for openssh, which is more or less the standard for secure remote access on lunix servers/machines

    people caught on before it became a widespread problem, and the way that the code was added made it very unreliable so it was rolled back before it did any real damage
  10. #10
    Donald Trump Black Hole
    The person with the key corresponding to the one that was inserted could have logged into any of the infected serbians.

    It was only caught as the key check slowed down ssh login noticeably.
  11. #11
    Mighest Houston
    There was actually a nice sneaky social engineering part as well. "People" were pushing for the culprit to be in charge. They actually fell for it and he/she immediately changed important shit.
  12. #12
    ner vegas African Astronaut
    Originally posted by Donald Trump The person with the key corresponding to the one that was inserted could have logged into any of the infected serbians.

    It was only caught as the key check slowed down ssh login noticeably.

    the reason why it was running so slowly on those machines is because the patch failed and bricked lzma; not sure what the success ratio is, but an in-memory patch like that is only really done on a consistent target platform