XZ backdoor: Hook analysis

Part 1: XZ backdoor story – Initial analysis
Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering)


In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time.


To better understand what’s going on, we recommend reading Baeldung’s article about SSH authentication methods and JFrog’s article about privilege separation in SSH.


Key findings


Our analysis revealed the following interesting details about the backdoor’s functionality:


The attacker set an anti-replay feature to avoid possible capture or hijacking of the backdoor communication.
The backdoor author used a custom steganography technique to hide the public key inside the x86 code, a very clever way of concealing it.
The backdoor hides its logs of unauthorized connections to the SSH server by hooking the logging function.
The backdoor hooks the password authentication function to allow the attacker to use any username/password to log into the infected server without any fu ..
