I have managed to extract a list of encoded strings within the liblzma/xz backdoor payload (5.6.1):

gist.github.com/q3k/af3d93b6a1

The code has a dictionary of strings that are encoded as a prefix trie, which helps to keep things stealthy. This is then used, e.g., to look up symbols: bd_elf_lookup_hash(..., 0x2b0, ...) means bd_elf_lookup_hash(..., "__libc_stack_end", ...). This is also why it's slow :).

This should bring us one step closer to knowing what the binary payload does.
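An added illustration, not code from the gist or from the payload (the real encoding's layout is not reproduced here): a string table stored as a prefix trie in which a numeric id names the trie node that ends a string, so recovering the name for an id like 0x2b0 means walking the trie, which is why such lookups cost more than indexing a flat table. The sample symbol names are constructed input.

```python
from dataclasses import dataclass, field

# Constructed model of a trie-encoded string table; node indices serve as ids.
# This is an assumed layout for illustration, not the xz payload's format.
@dataclass
class Node:
    ch: str = ""        # character on the edge into this node ("" for root)
    parent: int = -1    # index of the parent node, -1 for the root
    children: dict = field(default_factory=dict)
    terminal: bool = False   # True if a stored string ends at this node

class TrieStringTable:
    def __init__(self):
        self.nodes = [Node()]   # node 0 is the root

    def add(self, s):
        """Insert s, sharing any existing prefix; return its id."""
        cur = 0
        for c in s:
            nxt = self.nodes[cur].children.get(c)
            if nxt is None:
                self.nodes.append(Node(c, cur))
                nxt = len(self.nodes) - 1
                self.nodes[cur].children[c] = nxt
            cur = nxt
        self.nodes[cur].terminal = True
        return cur

    def decode(self, sid):
        """Recover the string for an id by walking parent links to the root."""
        if not (0 <= sid < len(self.nodes)) or not self.nodes[sid].terminal:
            raise KeyError(sid)
        out, cur = [], sid
        while cur != 0:
            out.append(self.nodes[cur].ch)
            cur = self.nodes[cur].parent
        return "".join(reversed(out))

    def dump(self):
        """Analyst view: every id mapped to its string, like the extracted list."""
        return {i: self.decode(i) for i, n in enumerate(self.nodes) if n.terminal}

def build_sample():
    # Constructed sample: two names sharing the prefix "__libc_sta".
    t = TrieStringTable()
    ids = {s: t.add(s) for s in ("__libc_stack_end", "__libc_start_main")}
    return t, ids
```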


@q3k

Re the supposed killswitch: I don't get the point of a killswitch. Where would malware authors use it?

@robryk

My guess is that they want to use the killswitch when they want to use the real sshd rather than their replacement one. Especially in case their replacement one is ... buggy.

@q3k @zeno
