Makers of infamous xz backdoor cleverly managed to cover their tracks, analysis shows

The backdoor in the xz compression tool for Linux that came to light earlier this year used several sophisticated techniques to remain undetected. One of the most notable is the use of custom steganography. The creator of the backdoor used this to hide the public key in x86 binary code.

Steganography involves hiding information in another medium, such as an image, audio, video, or even text, by embedding specific patterns. According to an analysis by cybersecurity firm Kaspersky, which has devoted a series of articles to the incident, this is the method that was used here.

The backdoor could potentially give a malicious actor unauthorized access to an entire system. It inserts code during the SSH login process and uses a public key from the binary to decrypt and verify the payload data.

Initially unclear how it all worked

It long remained unclear how the generation of this key worked. Kaspersky researchers admit in their article that they were initially none the wiser either. When checking the key-extraction procedure, it seemed the backdoor’s creators had written code that produced a correct public key before the private key. This should be impossible: in elliptic-curve cryptography, the private key is generated first, and the public key is then derived from it.

After fruitlessly analyzing the binary code of various cryptographic libraries, the researchers returned to the original backdoor code. Then, they discovered that the keys were ‘simply’ generated using a regular procedure. However, this was difficult to figure out because the malicious actor applied custom steganography to the x86 code, hiding the public key among ‘regular’ code.

Additional devious strategies

The backdoor contained additional trickery to avoid detection. For example, an anti-replay mechanism was implemented to prevent communications from the backdoor from being intercepted and possibly replayed elsewhere. It also erased its traces in the SSH server’s logging function.

To gain access to compromised servers, the backdoor hooked into the password authentication function. This allowed an attacker to access an infected server with any username and password combination, without needing further authentication.

As icing on this cleverly crafted but toxic cake, the backdoor allowed attackers to execute code remotely, essentially allowing them to completely control the infected server.

Thankfully, that never happened due to the timely discovery by a Microsoft employee. The compromised 5.6.0 and 5.6.1 versions of xz ended up in only a few Linux distributions. Most of these were development, test, or experimental versions that were not in frequent use.

Clever coding and social engineering

The Kaspersky researchers speak of a ‘highly sophisticated threat’. Hiding the public key would have made recovery difficult if the backdoor had been actively exploited. The case also involved ‘social engineering’ to gain the trust of the original creator of the xz compression tool.

That person allegedly suffered from health problems and passed the torch to one Jia Tan after frequent insistence by third parties (probably co-conspirators). Jia Tan had already made several contributions and gained the appearance of legitimacy through endorsements from others. Over the course of two years, this person (or persons) gradually hijacked the project and added the malicious code piece by piece.

Use of Kaspersky software curtailed

Kaspersky has offered an insightful breakdown of the campaign. However, we would be remiss if we failed to mention that several European countries either prohibit the use of Kaspersky software by government bodies or have issued warnings about using their solutions. From 20 July, this Russian company’s security solutions may not be sold or used in the US altogether.

After 29 September, even software updates for existing customers are banned in America. This is because the Russian government supposedly exerts direct influence on the work of the security specialist.
