Binarly Introduces Free Online Scanner to Detect Linux Backdoor

April 2, 2024

Binarly has rolled out a free online tool to scan for Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. This vulnerability is a supply chain compromise of XZ Utils, a collection of data compression utilities and libraries widely used across major Linux distributions. The backdoor was first discovered by Andres Freund, a Microsoft engineer, in the latest XZ Utils package while he was investigating slow SSH logins on Debian Sid, the rolling-release version of that distribution. The backdoor was introduced by an anonymous contributor in XZ version 5.6.0 and persisted in version 5.6.1. However, only a handful of Linux distributions and versions that follow a 'bleeding edge' upgrade strategy were affected; the majority were still shipping a prior, unaffected version of the library.

Following the discovery of the backdoor, a detection and remediation initiative was launched, with CISA suggesting a downgrade of XZ Utils to 5.4.6 Stable and the reporting of any malicious activity. Binarly argues that the current mitigation efforts, which rely on basic checks such as byte string matching, file hash blacklisting, and YARA rules, are prone to false positives. Such checks can lead to substantial alert fatigue and do not help in detecting similar backdoors in other projects.

To address this, Binarly developed a dedicated scanner that works for this specific library and for any file carrying the same backdoor. Binarly's detection technique uses static analysis of binaries to detect tampered control-flow transitions in GNU Indirect Function (IFUNC) resolvers. The scanner specifically examines the transitions that become suspicious when malicious IFUNC resolvers are implanted. The GCC compiler's IFUNC attribute allows developers to provide multiple implementations of the same function and select one of them at runtime based on criteria such as the processor type.

Binarly explains, 'One of the core techniques used by the XZ backdoor to gain initial control during execution is the GNU Indirect Function (ifunc) attribute for the GCC compiler to resolve indirect function calls in runtime. The implanted backdoor code initially intercepts or hooks execution.' In other words, the backdoor abuses this legitimate mechanism: its IFUNC resolver is used to intercept or hook execution, which is how the malicious code is brought into the control flow.
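The IFUNC mechanism described above, as an added example that is not part of the article or of Binarly's tooling: a minimal C program with two implementations of one function, a resolver that picks between them when the dynamic linker processes the binary, and a helper reporting which implementation was chosen. The checksum function, its implementations and the helper names are all constructed for illustration; it builds with GCC or Clang on a Linux/ELF target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*checksum_fn)(const uint8_t *, size_t);

/* Portable implementation: a simple polynomial hash over the bytes. */
uint32_t checksum_generic(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = sum * 31u + buf[i];
    return sum;
}

/* "Fast path" stand-in: same recurrence, unrolled by four. On real code
 * this would be the SIMD version; the resolver selects it by CPU type. */
uint32_t checksum_fast(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    size_t i = 0;
    for (; i + 4 <= len; i += 4) {
        sum = sum * 31u + buf[i];
        sum = sum * 31u + buf[i + 1];
        sum = sum * 31u + buf[i + 2];
        sum = sum * 31u + buf[i + 3];
    }
    for (; i < len; i++)
        sum = sum * 31u + buf[i];
    return sum;
}

/* IFUNC resolver: runs while the loader resolves the IRELATIVE
 * relocation for `checksum`, before main(). Its return value is the
 * control-flow transition a scanner inspects: a benign resolver hands
 * back one of its own implementations and nothing else. */
static checksum_fn resolve_checksum(void) {
#if defined(__x86_64__) || defined(__i386__)
    __builtin_cpu_init();   /* required before __builtin_cpu_supports in a resolver */
    if (__builtin_cpu_supports("sse2"))
        return checksum_fast;
#endif
    return checksum_generic;
}

/* The public symbol: an indirect function bound through the resolver. */
uint32_t checksum(const uint8_t *buf, size_t len)
    __attribute__((ifunc("resolve_checksum")));

/* Reports which implementation the resolver selects on this machine. */
const char *checksum_impl_name(void) {
    return resolve_checksum() == checksum_fast ? "fast" : "generic";
}

int main(void) {
    const uint8_t sample[] = "abc";   /* constructed input */
    printf("%s: %u\n", checksum_impl_name(), checksum(sample, 3));
    return 0;
}
```

Running `readelf --dyn-syms` on the built binary shows `checksum` with symbol type `IFUNC`, which is the kind of symbol a static scanner enumerates before examining the resolver it points to.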

Binarly's scanner enhances detection as it scans for various supply chain points beyond just the XZ Utils project, and the results are of much higher confidence. Binarly's lead security researcher and CEO, Alex Matrosov, said, 'This detection is based on behavioral analysis and can detect any variants automatically if a similar backdoor is implanted somewhere else. Even after recompilation or code changes, we will detect it.' The backdoor scanner is available online at xz.fail, where users can upload their binary files for unlimited free checks.
