[HN Gopher] Xz sshd backdoor collecting usernames from logs
       ___________________________________________________________________
        
       Xz sshd backdoor collecting usernames from logs
        
       Author : babuskov
       Score  : 123 points
       Date   : 2024-04-25 18:36 UTC (4 hours ago)
        
 (HTM) web link (isc.sans.edu)
 (TXT) w3m dump (isc.sans.edu)
        
       | SubiculumCode wrote:
       | Looks like the site is slowing down: This is the primary source:
       | https://www.openwall.com/lists/oss-security/2024/03/29/4
        
         | thenewwazoo wrote:
         | That's the original report. This article is further inspection
         | of the payload, dating from April 1.
        
       | unethical_ban wrote:
       | Unrelated to the quality of the content:
       | 
       | This is not a new vuln. Nothing is actively occurring.
        
       | AshamedCaptain wrote:
       | > The author(s) of the backdoor went a long way to make the
       | backdoor look as innocent as possible.
       | 
       | No, not really. The technical part of this backdoor is not
       | interesting at all. Obfuscating strings? Give me a break. That's
       | something your average commercial developer does. It wouldn't
       | even qualify as DRM. Wake me up when the software is self-
       | modifying and/or written in a way that makes IDA crash (seen it a
       | lot, and I am not a security engineer).
       | 
        | "Innocent as possible" would be something like the Debian weak
        | keys fiasco, or the misleading indentation patch, etc. Those
       | offer much more plausible deniability than this. "Innocent as
       | possible" and interesting technical-wise would be something like
       | the NIST curves. Decades from now people will still be arguing if
       | they are backdoored or not.
       | 
       | The interest in this exploit is on the community/supply side of
       | things, but hardly the technical aspects.
        
         | paran0ia wrote:
          | Isn't it self-modifying in a way? To my understanding, code is
          | injected by unpacking the binary test files and injecting it
          | right before build?
        
           | mrob wrote:
           | "Self-modifying" means modifying code at runtime.
        
       | squigz wrote:
       | Title is "The amazingly scary xz sshd backdoor" which is...
       | dramatic
        
       ___________________________________________________________________
       (page generated 2024-04-25 23:02 UTC)