Skip to content

Test: Add xz backdoor file#7

Draft
imjasonh wants to merge 7 commits into
mainfrom
test-malicious-file
Draft

Test: Add xz backdoor file#7
imjasonh wants to merge 7 commits into
mainfrom
test-malicious-file

Conversation

@imjasonh

@imjasonh imjasonh commented Jun 13, 2025

Copy link
Copy Markdown
Contributor

Test PR for Malcontent Detection

This PR intentionally adds the xz backdoor file (liblzma.so.5.4.5 and lzma.so.5.6.1) from the 2024 xz-utils incident to test how the malcontent-action detects and reports malicious behaviors.

Expected Result

The malcontent action should:

  1. Detect this as a high-risk file
  2. Show detailed behaviors in the PR comment
  3. Fail the check due to fail-on-increase: true

File Added

  • liblzma.so.5.6.1 - The backdoored compression library from the xz-utils supply chain attack

Note: This is for testing purposes only and will not be merged.

@github-actions

github-actions Bot commented Jun 13, 2025

Copy link
Copy Markdown

🔴 Security Risk Increased (+23 points)

New Files with Security Findings

📄 liblzma.so.5.6.1

Risk Score: 21

Behaviors detected:

  • 🔴 liblzma backdoored [CRITICAL]
    • Match: $a1
  • 🔴 liblzma backdoor, encoded strings [CRITICAL]
    • Match: $a1
  • 🔴 Linux.Trojan.XZBackdoor [CRITICAL]
    • Match: $a1
  • 🔴 Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094. [CRITICAL]
    • Match: $op1
  • 🟠 suspicious runtime dependency resolution [HIGH]
    • Match: __tls_get_addr
  • 🟢 works with lzma files [LOW]
    • Match: lzma
  • 🟢 creates pthreads [LOW]
    • Match: pthread_create

📄 liblzma.so.5.4.5

Risk Score: 2

Behaviors detected:

  • 🟢 works with lzma files [LOW]
    • Match: lzma
  • 🟢 creates pthreads [LOW]
    • Match: pthread_create
📊 Summary Table
File Status Risk Change Behaviors
liblzma.so.5.6.1 Added +21 7
liblzma.so.5.4.5 Added +2 2
🔍 Raw JSON Report
{
  "Diff": {
    "Added": {
      "/head/liblzma.so.5.4.5": {
        "Path": "/head/liblzma.so.5.4.5",
        "SHA256": "31011cc5e4f71d6b5750a9796b4ff38d11e80c4d62be038c798c89396088a888",
        "Size": 194552,
        "Syscalls": [
          "pthread_create"
        ],
        "Behaviors": [
          {
            "Description": "works with lzma files",
            "MatchStrings": [
              "lzma"
            ],
            "RiskScore": 1,
            "RiskLevel": "LOW",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma",
            "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm",
            "ID": "data/compression/lzma",
            "RuleName": "lzma"
          },
          {
            "Description": "creates pthreads",
            "MatchStrings": [
              "pthread_create"
            ],
            "RiskScore": 1,
            "RiskLevel": "LOW",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create",
            "ReferenceURL": "https://man7.org/linux/man-pages/man3/pthread_create.3.html",
            "ID": "process/multithreaded",
            "RuleName": "pthread_create"
          }
        ],
        "RiskScore": 1,
        "RiskLevel": "LOW"
      },
      "/head/liblzma.so.5.6.1": {
        "Path": "/head/liblzma.so.5.6.1",
        "SHA256": "605861f833fc181c7cdcabd5577ddb8989bea332648a8f498b4eef89b8f85ad4",
        "Size": 247800,
        "Syscalls": [
          "pthread_create"
        ],
        "Behaviors": [
          {
            "Description": "liblzma backdoored",
            "MatchStrings": [
              "$a1",
              "$a2"
            ],
            "RiskScore": 4,
            "RiskLevel": "CRITICAL",
            "RuleURL": "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/unk_liblzma_backdoor.yara#L1-L30",
            "ReferenceURL": "https://seclists.org/oss-sec/2024/q1/268",
            "RuleAuthor": "Costin G. Raiu, Art of Noh, craiu@noh.ro",
            "RuleLicenseURL": "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE",
            "ID": "3P/craiu/unk_liblzma_backdoor",
            "RuleName": "CRAIU_Unk_Liblzma_Backdoor"
          },
          {
            "Description": "liblzma backdoor, encoded strings",
            "MatchStrings": [
              "$a1",
              "$a2",
              "$a3"
            ],
            "RiskScore": 4,
            "RiskLevel": "CRITICAL",
            "RuleURL": "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/files/unk_liblzma_backdoor.yara#L32-L70",
            "ReferenceURL": "https://gist.github.com/q3k/af3d93b6a1f399de28fe194add452d01",
            "RuleAuthor": "Costin G. Raiu, Art of Noh, craiu@noh.ro",
            "RuleLicenseURL": "https://github.com/craiu/yararules/blob/23cf0ca22021fa3684e180a18416b9ae1b695243/LICENSE",
            "ID": "3P/craiu/unk_liblzma_encstrings",
            "RuleName": "CRAIU_Unk_Liblzma_Encstrings"
          },
          {
            "Description": "Linux.Trojan.XZBackdoor",
            "MatchStrings": [
              "$a1",
              "$a2",
              "$b1",
              "$b2",
              "$b3"
            ],
            "RiskScore": 4,
            "RiskLevel": "CRITICAL",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/yara/elastic/Linux_Trojan_XZBackdoor.yar#Linux_Trojan_XZBackdoor_74e87a9d",
            "RuleAuthor": "Elastic Security",
            "RuleLicense": "Elastic License v2",
            "ID": "3P/elastic/xzbackdoor",
            "RuleName": "Linux_Trojan_XZBackdoor_74e87a9d"
          },
          {
            "Description": "Detects injected code used by the backdoored XZ library (xzutil) CVE-2024-3094.",
            "MatchStrings": [
              "$op1",
              "$op2",
              "$op3",
              "$xc1"
            ],
            "RiskScore": 4,
            "RiskLevel": "CRITICAL",
            "RuleURL": "https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/yara/bkdr_xz_util_cve_2024_3094.yar#L19-L46",
            "ReferenceURL": "https://www.openwall.com/lists/oss-security/2024/03/29/4",
            "RuleAuthor": "Florian Roth",
            "RuleLicenseURL": "https://github.com/Neo23x0/signature-base/blob/391a990859091dbc4c21d15db335b371090f606e/LICENSE",
            "ID": "3P/sig_base/bkdr_xzutil_binary",
            "RuleName": "SIGNATURE_BASE_BKDR_Xzutil_Binary_CVE_2024_3094_Mar24_1"
          },
          {
            "Description": "works with lzma files",
            "MatchStrings": [
              "lzma"
            ],
            "RiskScore": 1,
            "RiskLevel": "LOW",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/data/compression/lzma.yara#lzma",
            "ReferenceURL": "https://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm",
            "ID": "data/compression/lzma",
            "RuleName": "lzma"
          },
          {
            "Description": "suspicious runtime dependency resolution",
            "MatchStrings": [
              "__tls_get_addr"
            ],
            "RiskScore": 3,
            "RiskLevel": "HIGH",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/discover/process/runtime_deps.yara#sus_dylib_tls_get_addr",
            "ID": "discover/process/runtime_deps",
            "RuleName": "sus_dylib_tls_get_addr"
          },
          {
            "Description": "creates pthreads",
            "MatchStrings": [
              "pthread_create"
            ],
            "RiskScore": 1,
            "RiskLevel": "LOW",
            "RuleURL": "https://github.com/chainguard-dev/malcontent/blob/main/rules/process/multithreaded.yara#pthread_create",
            "ReferenceURL": "https://man7.org/linux/man-pages/man3/pthread_create.3.html",
            "ID": "process/multithreaded",
            "RuleName": "pthread_create"
          }
        ],
        "RiskScore": 4,
        "RiskLevel": "CRITICAL"
      }
    },
    "Removed": {},
    "Modified": {}
  }
}

@egibs

egibs commented Jun 13, 2025

Copy link
Copy Markdown
Member

😎

@egibs

egibs commented Jun 14, 2025

Copy link
Copy Markdown
Member

If you add 5.6.0 or 5.6.1 you should see this light up.

We've got samples here: https://github.com/chainguard-dev/malcontent-samples/tree/main/linux/2024.xzutils

@imjasonh
imjasonh marked this pull request as draft June 16, 2025 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants