
Focusing on sshd is the wrong approach. The backdoor was in liblzma5. It was discovered to attack sshd, but it very likely had other targets as well. The payload hasn't been analyzed yet, but _almost everything_ links to liblzma5. Firefox and Chromium do. Keepassxc does. And it might have made arbitrary changes to your system, so installing the security update might not remove the backdoor.
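A defender's first question after reading the comment above is "which binaries on my host actually load liblzma?". The script below is an added example, not code from the thread or from the xz project: it parses ldd output for a liblzma entry and reports the resolved library path. The embedded sample is a constructed ldd listing for a Debian-style sshd, where liblzma is pulled in transitively through libsystemd (sd_notify support), which is the chain the backdoor relied on; the function and variable names are mine.

```shell
#!/bin/sh
# Added example: find which dynamically linked binaries resolve liblzma.so,
# directly or transitively. Assumes GNU/Linux with ldd on PATH.

# Constructed sample ldd output (not captured from a real host) showing a
# distro-patched sshd: libsystemd pulls in liblzma, alongside libcrypto.
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffd4b7f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1a00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f19ffe00000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f19ffc00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f19ffa00000)'

# links_liblzma_from_text TEXT
#   Scans ldd-formatted text; prints the resolved liblzma path and returns 0
#   if present, returns 1 otherwise. Field 1 is the soname, field 3 the path.
links_liblzma_from_text() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^liblzma\.so/ { print $3; found = 1 }
        END { exit !found }'
}

# check_binary PATH
#   Runs ldd on a real file and reports whether liblzma is in its link map.
#   Returns 0 if liblzma is linked, 1 if not, 2 if the file cannot be checked.
check_binary() {
    bin="$1"
    if [ ! -f "$bin" ]; then
        echo "$bin: not found"
        return 2
    fi
    out=$(ldd "$bin" 2>/dev/null) || { echo "$bin: not a dynamic ELF"; return 2; }
    if lib=$(links_liblzma_from_text "$out"); then
        echo "$bin: links $lib"
        return 0
    fi
    echo "$bin: does not link liblzma"
    return 1
}

# Usage: sh lzma_links.sh /usr/sbin/sshd /usr/bin/firefox /usr/bin/keepassxc
for b in "$@"; do
    check_binary "$b"
done
```

Because sshd on these systems reaches liblzma only through libsystemd, a check that greps sshd's own NEEDED entries (readelf -d) would miss it; ldd shows the full resolved map, which is why it is used here.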



From what I'm understanding it's trying to patch itself into the symbol resolution step of ld.so specifically for libcrypto under systemd on x86_64. Am I misreading the report?

That's a strong indication it's targeting sshd specifically.


Lots of software links both liblzma and libcrypto. As I read Andres Freund's report, there is still a lot of uncertainty:

"There's lots of stuff I have not analyzed and most of what I observed is purely from observation rather than exhaustively analyzing the backdoor code."

"There are other checks I have not fully traced."


As mentioned many times in other places now, this account had control over xz code for 2 years. The discovered CVE might be just a tip of an iceberg.


It checks for argv[0] == "sshd"



