Tools to scan OS distributions for backdoor indicators.
The toolkit used for the xz-utils backdoor is far too sophisticated to be a first draft. Were there earlier iterations of it, sharing some things in common but slightly simpler, injected into other projects? Can we detect the style/"fist" of the author elsewhere? More so the delivery mechanics than the contents of the extracted and injected malicious .so.
These scripts unpack the source packages for all of a distro repo's current packages, then scan them for content similar to the malware that was added to xz-utils.
Running over the unpacked source trees of ~19k Gentoo packages and ~40k Debian packages gives a manageable number of results (~hundreds of hits), digestible by a human. So far the only confirmed malicious results are... from the backdoored xz-utils versions.
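As an added illustration of the scanning step (example code, not this repo's scripts): a weighted set of regex heuristics modelled on the xz-utils delivery mechanics (an m4/configure stage that locates an opaque test file in $srcdir, de-obfuscates it with tr/head/xz and evals the result), applied to build files in an unpacked source tree. The indicator names, weights, threshold and both sample snippets are this example's own constructions.

```python
import re
from pathlib import Path

# Heuristics modelled on the delivery mechanics of the xz-utils backdoor:
# a build-time (m4/configure) stage that finds an opaque "test" file under
# $srcdir, de-obfuscates it with tr/head/xz and evals the result.
# Pattern names, weights and the threshold are this example's own choices.
INDICATORS = {
    "eval_of_variable":   (re.compile(r"^\s*eval\s+\"?\$\w+", re.M), 2),
    "tr_tab_remap":       (re.compile(r"\btr\s+\"[^\"]*\\t[^\"]*\""), 3),
    "grep_binary_srcdir": (re.compile(r"\bgrep\s+-a\w*\b.*\$srcdir"), 3),
    "head_carve":         (re.compile(r"\bhead\s+-c\s+\+?\d+"), 1),
    "xz_decode_pipe":     (re.compile(r"\|\s*(xz|lzma|unxz)\s+-[a-z]*d"), 2),
}
THRESHOLD = 5   # a lone eval is normal autotools/libtool noise; combinations are not
BUILD_FILES = ("configure", "configure.ac", "Makefile.in", "Makefile.am")

def score_text(text):
    """Return {indicator: weight} for every heuristic that matches text."""
    return {name: w for name, (rx, w) in INDICATORS.items() if rx.search(text)}

def is_suspicious(text):
    return sum(score_text(text).values()) >= THRESHOLD

def scan_tree(root):
    """Walk an unpacked source tree; yield (path, hits) for build files over threshold."""
    for p in Path(root).rglob("*"):
        if not p.is_file() or not (p.suffix == ".m4" or p.name in BUILD_FILES):
            continue
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        hits = score_text(text)
        if sum(hits.values()) >= THRESHOLD:
            yield p, hits

# Constructed samples (not copied from any package) for a stand-alone run.
SUSPECT_M4 = r'''AC_DEFUN([gl_BUILD_TO_HOST], [
  cfg=`grep -aErls "#{4}[[:alnum:]]{5}#{4}$" $srcdir/ 2>/dev/null`
  map='tr "\t \-_" " \t_\-"'
  stage=`eval $map <$cfg | xz -d | head -c +2048`
  eval $stage
])'''
BENIGN_M4 = r'''AC_DEFUN([MY_CHECK_LIB], [
  eval $ac_cv_lib_flag
  AC_SUBST([MY_LIBS])
])'''

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT_M4), ("benign", BENIGN_M4)):
        print(label, is_suspicious(sample), score_text(sample))
```

Point `scan_tree()` at a directory of unpacked source packages to get the per-file hit list; the threshold is what keeps the result count in the "hundreds, reviewable by a human" range rather than flagging every configure script that uses eval.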
Stuff discovered while analyzing the malware hidden in xz-utils 5.6.0 and 5.6.1.
Notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094).
Archive of the xz/liblzma backdoor thread, ongoing on oss-security.