Linux upstream dependency malware

1. 2024-04-03 at 7:52 PM UTC

   #1
   The Self Taught Man Black Hole

   Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by linux
   distributions, and where they have, mostly in pre-release versions.
   
   
   == Observing Impact on openssh server ==
   
   With the backdoored liblzma installed, logins via ssh become a lot slower.
   
   time ssh nonexistant@…alhost
   
   before:
   nonexistant@…alhost: Permission denied (publickey).
   
   before:
   real 0m0.299s
   user 0m0.202s
   sys 0m0.006s
   
   after:
   nonexistant@…alhost: Permission denied (publickey).
   
   real 0m0.807s
   user 0m0.202s
   sys 0m0.006s
   
   
   openssh does not directly use liblzma. However debian and several other
   distributions patch openssh to support systemd notification, and libsystemd
   does depend on lzma.
   
   
   Initially starting sshd outside of systemd did not show the slowdown, despite
   the backdoor briefly getting invoked. This appears to be part of some
   countermeasures to make analysis harder.

   https://www.openwall.com/lists/oss-security/2024/03/29/4
   
   

   Thank you. None of these patches are urgent. I'm on a holiday and only
   happened to look at my emails and it seems to be a major mess.
   
   My proper investigation efforts likely start in the first days of
   April. That is, I currently know only a few facts which alone are bad
   enough.
   
   Info will be updated here: https://tukaani.org/xz-backdoor/

   https://lkml.org/lkml/2024/3/30/188
   The maintainer of the repo, Lasse Collin, sweede, is on holidays.
   
   Not much seems to be known about the person who committed the malicious code, Jia Tan.
   
   
   It may be a cute asian girl. All the images when you search for Jia Tan are cute asian girls.
   
   Girls commit to open source ... r-right?
2. 2024-04-03 at 11:48 PM UTC

   #2
   

   ner vegas African Astronaut
   lol yeah, people who commit malware always do it using their own name and account
   
   interesting they added a patch to the makefiles rather than straight up updating the code, seems way more suspicious and like they observed memory locations are going to be different depending on environment, platform etc
   The following users say it would be alright if the author of this post didn't die in a fire!

   • Cowboy2013
3. 2024-04-07 at 5:42 PM UTC

   #3
   

   Mighest Houston
   I like Asian girls.
   
   That's all I have for now.
4. 2024-04-07 at 5:50 PM UTC

   #4
   

   Mighest Houston
   Reading up on this, I realize this was actually a very big close call.
   
   This may have even been a government entity.
5. 2024-05-01 at 9:24 PM UTC

   #5
   greyok Yung Blood
   This got me paranoid when i went to update linux mint and its name was virginia. I updated to victoria only
6. 2024-05-01 at 9:42 PM UTC

   #6
   The Self Taught Man Black Hole

   Originally posted by ner vegas interesting they added a patch to the makefiles rather than straight up updating the code

   
   That was to get the binaries into the compilation process. They hid the binaries as if they were test binaries, due to it being a cryptographic library it would have been sort of normal enough to use a binary file (which would have been a known encrypted file) as a test file. And makefiles are mess that make no sense to me, so no one read it and since everyone hates test anyway it got overlooked. It was only caught when someone noticed SSH login was slower on infected machines.
   The following users say it would be alright if the author of this post didn't die in a fire!

   • Mighest
7. 2024-05-11 at 8:44 AM UTC

   #7
   

   CodeNiggHardR Houston

   Originally posted by Donald Trump That was to get the binaries into the compilation process. They hid the binaries as if they were test binaries, due to it being a cryptographic library it would have been sort of normal enough to use a binary file (which would have been a known encrypted file) as a test file. And makefiles are mess that make no sense to me, so no one read it and since everyone hates test anyway it got overlooked. It was only caught when someone noticed SSH login was slower on infected machines.

   
   yikes man
8. 2024-05-11 at 1:54 PM UTC

   #8
   Cowboy2013 African Astronaut
   So what does all this mean in laymans terms?
9. 2024-05-11 at 2:08 PM UTC

   #9
   

   ner vegas African Astronaut

   Originally posted by Cowboy2013 So what does all this mean in laymans terms?

   
   someone added malware to a dependency for openssh, which is more or less the standard for secure remote access on lunix servers/machines
   
   people caught on before it became a widespread problem, and the way that the code was added made it very unreliable so it was rolled back before it did any real damage
   The following users say it would be alright if the author of this post didn't die in a fire!

   • Cowboy2013, 
   • Mighest
10. 2024-05-11 at 10:55 PM UTC

    #10
    The Self Taught Man Black Hole
    The person with the key corresponding to the one that was inserted could have logged into any of the infected serbians.
    
    It was only caught as the key check slowed down ssh login noticeably.
11. 2024-05-11 at 11:51 PM UTC

    #11
    

    Mighest Houston
    There was actually a nice sneaky social engineering part as well. "People" were pushing for the culprit to be in change. They actually fell for it and he/she immediately changed important shit.
12. 2024-05-11 at 11:58 PM UTC

    #12
    

    ner vegas African Astronaut

    Originally posted by Donald Trump The person with the key corresponding to the one that was inserted could have logged into any of the infected serbians.
    
    It was only caught as the key check slowed down ssh login noticeably.

    
    the reason why it was running so slowly on those machines is because the patch failed and bricked lzma, not sure what the success ratio is but an in-memory patch like that is only really done on a consistent target platform
    The following users say it would be alright if the author of this post didn't die in a fire!

    • The Self Taught Man, 
    • SBTlauien