Binarly Introduces Free Online Scanner to Detect Linux Backdoor

April 2, 2024

Binarly has rolled out a free online tool to scan for Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. This vulnerability is a supply chain compromise in XZ Utils, a collection of data compression utilities and libraries widely used in various significant Linux distributions. The backdoor was first discovered by Andres Freud, a Microsoft engineer, in the latest XZ Utils package while investigating slow SSH logins on Debian Sid, a continuously updating version of the Linux distribution. The backdoor was introduced by an anonymous contributor to XZ version 5.6.0 and persisted in version 5.6.1. However, only a handful of Linux distributions and versions that follow a 'bleeding edge' upgrade strategy were affected, with the majority using a prior, secure library version.

Following the discovery of the backdoor, a detection and remediation initiative was launched, with CISA suggesting the downgrade of XZ Utils to 5.4.6 Stable and the reporting of any malicious activity. Binarly argues that the current threat mitigation efforts, which rely on basic checks like byte string matching, file hash blacklisting, and YARA rules, could result in false positives. This method can lead to substantial alert fatigue and does not aid in detecting similar backdoors in other projects.

To resolve this issue, Binarly developed a dedicated scanner that works for this specific library and any file carrying the same backdoor. Binarly's detection technique uses static analysis of binaries to detect tampering of transitions in GNU Indirect Function (IFUNC). The scanner specifically examines the transitions marked as suspicious during the implantation of malicious IFUNC resolvers. The GCC compiler's IFUNC attribute allows developers to create various versions of the same function, which are then selected at runtime based on different criteria, such as the processor type.

Binarly explains, 'One of the core techniques used by the XZ backdoor to gain initial control during execution is the GNU Indirect Function (ifunc) attribute for the GCC compiler to resolve indirect function calls in runtime. The implanted backdoor code initially intercepts or hooks execution.' The backdoor exploits this mechanism by modifying IFUNC calls to intercept or hook execution, leading to the insertion of malicious code.

Binarly's scanner enhances detection as it scans for various supply chain points beyond just the XZ Utils project, and the results are of much higher confidence. Binarly's lead security researcher and CEO, Alex Matrosov, said, 'This detection is based on behavioral analysis and can detect any variants automatically if a similar backdoor is implanted somewhere else. Even after recompilation or code changes, we will detect it.' The backdoor scanner is available online at, where users can upload their binary files for unlimited free checks.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.