I have managed to extract a list of encoded strings within the liblzma/xz backdoor payload (5.6.1):
https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01
The code has a dictionary of strings that are encoded as a prefix trie, which helps to keep things stealthy. This is eg. then used to look up symbols, eg. bd_elf_lookup_hash(..., 0x2b0, ...) means bd_elf_lookup_hash(..., "__libc_stack_end", ...). This is also why it's slow :).
This should bring us one step closer to knowing what the binary payload does.
Follow
Re the supposed killswitch: I don't get the point of a killswitch. Where would malware authors use it?
@robryk
My guess is that they want to use the killswitch when they want to use the real sshd rather than their replacement one. Especially in case their replacement one is ... buggy.
@q3k @zeno