August 31, 2024 to September 2, 2024
JECRC Foundation
Asia/Kolkata timezone

How to extract the XZ backdoor malware payload

Sep 1, 2024, 1:55 PM
30m
Main hall (JECRC Foundation)

Main hall

JECRC Foundation

Shri Ram ki Nangal, via Sitapura RIICO Tonk Road, Jaipur, Rajasthan 302 022 India
Talk Security and Compliance

Speaker

博仁(Buo-ren) 林(Lin)

Description

CVE-2024-3094 is the infamous XZ backdoor incident that consists of a supply-chain attack where an evil actor injected a hidden malware blob into the XZ Utils software packages after successfully becoming one of the project's maintainers. The backdoor successfully being taken into Debian and Ubuntu development versions but, at the very late moment, was caught and stripped away by the community.

This talk demonstrates a step-by-step process to safely extract the malware payload from the tainted XZ Utils release tarballs on a Ubuntu system. It is recommended for beginners who are interested in open-source software security and would like to have a glimpse of how such malicious practices may be identified in practice. This talk only covers extracting the injected malware blob, but not the reverse-engineering against it.

Biography

林博仁(Buo-ren, Lin) is a long-time Ubuntu user and promoter and has mainly contributed to Ubuntu localization(L10N) and Snap packaging. Previously being a DevOps engineer at SinoItan Technology, Ltd. he has investigated and provided insights to many security incidents.

What audience can learn

  • How to safely investigate a potentially maliciously modified file.
  • How to properly verify whether the software is really from a specific publisher.
  • Typical build process of a GNU Autoconf-based software.
  • Comparing difference between a vanilla and modified software

Things to know or prepare for this session

The audience needs to have a basic understanding of:

  • Unix command-line operation
  • Container and virtual machines

Summary

This talk demonstrates a step-by-step process to safely extract the malware payload from the tainted XZ Utils release tarballs on a Ubuntu system.

Difficulty level Begineer

Presentation materials