In the wake of the recent XZ Utils supply chain attack that saw a backdoor injected into the popular data compression tool, cybersecurity firm Binarly has released a free online scanner to detect whether any Linux executable has been impacted by the malicious code. The scanner can identify the XZ backdoor, tracked as CVE-2024-3094, across any binary file regardless of whether it is the XZ Utils package itself or any other application or library.
The XZ Utils supply chain compromise came to light in late March when Microsoft engineer Andres Freund discovered an insidious backdoor had been inserted into versions 5.6.0 and 5.6.1 of the XZ Utils package by a pseudonymous contributor. The backdoor code allowed remote code execution by intercepting execution flows at runtime using a tampering technique targeting GNU Indirect Functions (IFUNC).
While only a relatively small number of “bleeding edge” Linux distributions that quickly adopted the new XZ versions were initially impacted, the sophistication of the implant raised concerns.
Free Online Scanning
To allow the wider cybersecurity community to scan for and detect the XZ backdoor and any future variants utilizing similar techniques, Binarly has made their scanner available for free online at xz.fail.
Users can upload any suspicious binary files to the website for unlimited scanning at no cost. For organizations needing to scan large numbers of binaries, Binarly has also provided a free API to enable bulk automated scanning.
The availability of this advanced behavioral scanner is a major boost in the ongoing efforts to remediate the XZ Utils compromise and protect Linux systems and applications from its potential impacts. By taking a more holistic analysis approach, Binarly’s solution increases the ability to identify sophisticated implants that could otherwise go undetected by basic indicators alone.
As supply chain attacks continue escalating, security teams need new defensive capabilities to combat these insidious threats. Binarly’s XZ backdoor scanner represents a significant step in that direction, empowering defenders with behavioral analysis to expose even the most advanced obfuscated malware across the software ecosystem.
Limitations of Existing Detection Methods
In the initial response, cybersecurity authorities like CISA recommended downgrading to the safe XZ 5.4.6 version and hunting for signs of the malicious activity using basic indicators like byte string matching, file hashes, and YARA rules. However, Binarly pointed out that these conventional detection methods have significant limitations that could lead to false positives and alert fatigue, while failing to identify variants of the sophisticated XZ backdoor if deployed elsewhere.
Detecting Execution Flow Anomalies
To provide more comprehensive detection capabilities, Binarly developed a dedicated scanner that uses static binary analysis to identify the specific technique used to tamper with IFUNC resolvers and modify execution flows.
The scanner examines transitions in the binary’s execution paths that have been marked as suspicious, indicative of malicious IFUNC resolver implantation. It looks for anomalies where the execution is hijacked and redirected using the IFUNC technique to run malicious code.
The scanner essentially pattern-matches abnormal execution flows that match the XZ backdoor’s modus operandi, making it capable of identifying the implant in any Linux binary on any system, not just the XZ Utils package itself.
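The IFUNC mechanism the article refers to is visible in an ELF file's symbol tables: a resolver is a symbol whose type is STT_GNU_IFUNC. The following Python is an added illustration, not Binarly's scanner or any code from xz.fail, showing the first triage step a defender can take on their own: enumerate every IFUNC resolver a binary exports so that unexpected resolvers can be compared against a known-good build. It does not perform the execution-flow analysis the article describes. The function names `list_ifunc_symbols` and `build_sample_elf` are assumptions of this example, and the ELF image it scans is constructed inline (a minimal little-endian ELF64 with only a .symtab and .strtab) so the example runs offline; the symbol names in it are made up.

```python
import struct
import sys

# ELF constants as defined in the ELF specification / glibc elf.h
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
SHT_SYMTAB = 2
SHT_STRTAB = 3
SHT_DYNSYM = 11
STT_FUNC = 2
STT_GNU_IFUNC = 10   # GNU extension: symbol is an indirect-function resolver


def _cstr(table: bytes, offset: int) -> str:
    """Read a NUL-terminated string out of a string table."""
    end = table.index(b"\x00", offset)
    return table[offset:end].decode("ascii", "replace")


def list_ifunc_symbols(data: bytes) -> list:
    """Return the sorted names of all STT_GNU_IFUNC symbols in a little-endian ELF64 image.

    Both .symtab and .dynsym are examined, so stripped binaries (which keep
    only .dynsym) are still covered.  Legitimate libraries (glibc in particular)
    use IFUNC for CPU-specific routine selection, so the output is a baseline
    to compare against a trusted build, not a verdict on its own.
    """
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 file")
    # ELF64 header layout: e_shoff at 0x28, e_shentsize at 0x3A, e_shnum at 0x3C
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)

    sections = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        (_name, sh_type, _flags, _addr, sh_offset, sh_size,
         sh_link, _info, _align, sh_entsize) = struct.unpack_from("<IIQQQQIIQQ", data, off)
        sections.append({"type": sh_type, "offset": sh_offset, "size": sh_size,
                         "link": sh_link, "entsize": sh_entsize})

    found = set()
    for sec in sections:
        if sec["type"] not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        strtab = sections[sec["link"]]            # sh_link points at the string table
        strbytes = data[strtab["offset"]:strtab["offset"] + strtab["size"]]
        entsize = sec["entsize"] or 24            # sizeof(Elf64_Sym)
        for j in range(sec["size"] // entsize):
            st_name, st_info = struct.unpack_from("<IB", data, sec["offset"] + j * entsize)
            if st_info & 0xF == STT_GNU_IFUNC:    # low nibble of st_info is the symbol type
                found.add(_cstr(strbytes, st_name))
    return sorted(found)


def build_sample_elf(symbols) -> bytes:
    """Construct a minimal ELF64 image (sample data, not a real binary) carrying
    one .symtab/.strtab pair, so list_ifunc_symbols can be exercised offline.
    `symbols` is a list of (name, st_type) tuples."""
    strtab = b"\x00"
    syms = b"\x00" * 24                           # mandatory null symbol
    for name, stype in symbols:
        name_off = len(strtab)
        strtab += name.encode() + b"\x00"
        st_info = (1 << 4) | stype                # STB_GLOBAL binding, caller's type
        syms += struct.pack("<IBBHQQ", name_off, st_info, 0, 1, 0x1000, 0x20)
    shstrtab = b"\x00.strtab\x00.symtab\x00.shstrtab\x00"

    # File layout: [ehdr 64][.strtab][.symtab][.shstrtab][pad][section headers]
    strtab_off = 64
    syms_off = strtab_off + len(strtab)
    shstr_off = syms_off + len(syms)
    shoff = shstr_off + len(shstrtab)
    pad = (-shoff) % 8
    shoff += pad

    def shdr(name, stype, off, size, link, info, entsize):
        return struct.pack("<IIQQQQIIQQ", name, stype, 0, 0, off, size, link, info,
                           8 if entsize else 1, entsize)

    shdrs = (shdr(0, 0, 0, 0, 0, 0, 0)                                  # index 0: null
             + shdr(1, SHT_STRTAB, strtab_off, len(strtab), 0, 0, 0)    # index 1: .strtab
             + shdr(9, SHT_SYMTAB, syms_off, len(syms), 1, 1, 24)       # index 2: .symtab -> .strtab
             + shdr(17, SHT_STRTAB, shstr_off, len(shstrtab), 0, 0, 0)) # index 3: .shstrtab
    ehdr = (ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3))
    return ehdr + strtab + syms + shstrtab + b"\x00" * pad + shdrs


if __name__ == "__main__":
    # Usage: python ifunc_list.py /path/to/binary ...   (compare output with a trusted build)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, list_ifunc_symbols(fh.read()))
```

Run against a real library the output will usually be non-empty for glibc-style CPU dispatch, which is exactly why the article stresses that indicator-only approaches produce false positives: the useful signal is a resolver that is new or renamed relative to the distribution's own build of the same package, not the mere presence of IFUNC.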