transcript

Screenshot of github showing part of the commit message of this commit with this text:

Remove the backdoor found in 5.6.0 and 5.6.1 (CVE-2024-3094).

While the backdoor was inactive (and thus harmless) without inserting
a small trigger code into the build system when the source package was
created, it's good to remove this anyway:

  - The executable payloads were embedded as binary blobs in
    the test files. This was a blatant violation of the
    Debian Free Software Guidelines.

  - On machines that see lots bots poking at the SSH port, the backdoor
    noticeably increased CPU load, resulting in degraded user experience
    and thus overwhelmingly negative user feedback.

  - The maintainer who added the backdoor has disappeared.

  - Backdoors are bad for security.

This reverts the following without making any other changes:

The sentence “This was a blatant violation of the Debian Free Software Guidelines” is highlighted.

Below the github screenshot is a frame of the 1998 film The Big Lebowski with the meme caption “What, are you a fucking park ranger now?” from the scene where that line was spoken.

  • @RedWeasel
    link
    English
    668 months ago

    Seriously. If you are going to do it, write in assembly or something else no one understands.

    • @[email protected]
      link
      fedilink
      1248 months ago

      Tbh jia tan really wasn’t lucky some mf at Microsoft noticed a 500ms delay in ssh. The backdoor was so incredibely clever and Well hidden and ingenious i almost feel bad for him lmao

      • @[email protected]
        link
        fedilink
        788 months ago

        A really good point I heard is: this was likely a state actor attack, so how many others just like this are out there, undiscovered?

        • @[email protected]
          link
          fedilink
          308 months ago

          Unpopular opinion: what if it was not a state actor and just some bored person somewhere that thought it would be cool to own a bot net?

          What if this is just one of many backdoors and it’s just the only one we found?

          • thisisbutaname
            link
            fedilink
            65
            edit-2
            8 months ago

            I heard that person actively contributed for something like 2 years, providing actually useful contributions, to gain the level of trust needed to plant that backdoor. Feels a bit too much to chalk it up to boredom.

            As for the second part, that’s an interesting question. Are there lots of backdoors and we just happened to notice this one, or are backdoors very rare exactly because we’d have found them out soon like in this case?

            • @[email protected]
              link
              fedilink
              18
              edit-2
              8 months ago

              You’d be surprised what I manage with motivation and boredom.
              You’d be surprised what a highly skilled scalled person can manage to achieve.

              Boredom, Skills and Motivation are dangerous things to have if improperly handled.

            • @trolololol
              link
              1
              edit-2
              8 months ago

              Another speculation from the suse team was a private company with intent to sell the exploit to state across actors

              I think there’s lots of known backdoors that are not publicly disclosed and privately sold.

              But given the history of cves in inclined to believe most come from well intentioned developers. When you read the blogs from the Google security team for example, it’s interesting to see how you need to chain a couple exploits at least, to get a proper attack going. Not in this case, it would make it very straightforward to accomplish very intrusive actions.

          • @agent_flounder
            link
            English
            78 months ago

            Nobody is both that bored and that motivated. Unless paid.

            • @[email protected]
              link
              fedilink
              8
              edit-2
              8 months ago

              You forget that a lot of brilliant open source projects are one man shows from geniuses somewhere around the world. They are usually not paid.

              In the other hand, if you get your hands on a powerful botnet, you can rent out its services (like ddos for example) for quite a bit of money.

          • @PapstJL4U
            link
            English
            78 months ago

            The design is Moriarty lvls of complex. State actor might be too specific, but everything but a group of people would be highly unlikely.

          • @[email protected]
            link
            fedilink
            68 months ago

            Realistically I think it’s probably easier to acquire a botnet of less secure systems. This was a targeted attack.

        • @SzethFriendOfNimi
          link
          148 months ago

          It’s scary to think about… a lot of people are now thinking about how we can best isolate our build test process so it works as a test suite but doesn’t have any way to interact with the output or environment.

          It’s just blows my mind to think of the levels of obfuscation this process used and how easy it would be to miss it.

        • @[email protected]
          link
          fedilink
          88 months ago

          I’m surprised that nobody suggested that he was a kidnapped dev. This seems like a different implementation of the pig butchering scams that target ordinary people.

            • @[email protected]
              link
              fedilink
              68 months ago

              I wasn’t joking.

              A good chunk of scam calls and texts come from people who themselves are victims of kidnapping. Many of those victims (primarily in Asia) got into the position they were in because they were looking for work, went to a different country to start a promised job, and then got trapped and forced to work for scam centers that do social engineering attacks.

              These scam centers are sophisticated to the point where they can develop very legitimate-looking crypto trading platforms for targets in the US and other wealthy countries. They then assign one of the kidnapped people to a target. These kidnapped people then social engineer their way for months to get what their captors want - usually money in the aforementioned trading platform. Then, they cut all contact once they have control of the funds.

              How does this relate to XZ? Well, if they can kidnap ordinary people looking for jobs, there’s not much stopping them from including devs in their pool of targets. Afterward, it’s just a rinse and repeat of what they’d done before.

              If you want to look more into pig butchering, John Oliver has a great episode on it.

              • davel [he/him]
                link
                fedilink
                English
                108 months ago

                You don’t kidnap extremely highly skilled internet malware developers and force them to code for you, you just pay them appropriately.

                • Iapar
                  link
                  fedilink
                  98 months ago

                  Jupp. If you trap someone highly skilled and give that person a weapon, the chances are good that this person will use that against you.

                  Like how does a less skilled person know that this code will not send location to the police with a message?

                  • @[email protected]
                    link
                    fedilink
                    17 months ago

                    A bit late, but the police are often paid by captors, so calling the police just leads to punishment.

                • @[email protected]
                  link
                  fedilink
                  38 months ago

                  The malware, sure, but you’re ignoring how they were able to push the malware in the first place.

    • @Wooki
      link
      38 months ago

      Whoa hol up.

      Write the build script in assembly?

      Thats not okay man.

      • @RedWeasel
        link
        English
        18 months ago

        No, it this case the backdoor. Hide it in plain sight.

      • @RedWeasel
        link
        English
        48 months ago

        Neither does the blob it downloaded. Would you think twice about AVX10 support if it was commented as AVX10 support in a compression library? Some might, but would they be the ones reviewing the code? A lot of programs that can take advantage of “handwritten” optimizations, like video decoders/encoders and compression, have assembly pathways so it will take advantage of the hardware when it is available but run when it isn’t. If the reviewers are not familiar with assembly enough something could be snuck in.

        systemD is using dlopens for libraries now and I am not convinced malware couldn’t modify the core executable memory and stay resident even after the dl is unloaded. Difficult, yes, but not impossible.