The dangerous backdoor to Linux, a disaster prevented by a single researcher

A meticulously planned potential cyber attack, using social engineering to spread a backdoor that would have put millions of users around the world at risk: one of the most ambitious hacker plans ever. But the cybercriminals (or perhaps spies) had not reckoned with a computer researcher who, alone, was able to catch the problem. Andres Freund, a Microsoft employee, foiled in his spare time the mammoth plan to spread a devastating malware in Linux distributions, through a backdoor opened with painstaking patience by hackers.

Linux malware, the devastating backdoor discovered by a (single) researcher

Ever since Linus Torvalds created the first kernel of the operating system, Linux has been the choice of those who appreciate “free software”. Its share is growing this year, reaching approximately 4% of the desktop market. But to understand the enormity of the attack attempted by hackers not yet identified, it is not enough to think about PCs. Over 90% of servers worldwide are based on this technology, as well as all Android smartphones and almost all smart home products.

Not all of these systems, however, were truly at risk. But as PandaSecurity recalls, this attack received the highest possible threat score, ten out of ten: after Andres Freund raised the alarm, many Linux distributions (the various “variants” of the operating system) and even macOS, which uses the compromised library for some functions, had to verify the security of the library in question, XZ Utils, an open source utility created by developer Lasse Collin and integrated into most Linux distributions, and more.

Social Engineering: Hackers attack an overworked developer

XZ Utils has been used without problems for years for data compression on computers and servers. We repeat: on many machines all over the world. But as often happens with an open source library, its evolution and the closing of any bugs are in the hands of a single person. Furthermore, since they are not paid for their contribution, the person who maintains this software often does it in their free time, after finishing their programming work for the day, just for the pleasure of contributing to the software of other users.


So, it happens that whoever created these libraries needs to get help from someone. As DDay explains well, in 2020, among the users who collaborated on the project as contributors, a certain Jia Tan appeared, username JiaT75 on GitHub. Lasse Collin, the developer who had created

The true face of the collaborator

Demands that continued to grow, while Collin's available time did not. So, he decided to make Jia Tan a “co-maintainer”. Once he got this role, Jia Tan showed his true intentions. He had, in fact, hidden malware inside XZ Utils, not in the code published on GitHub and freely accessible, but exclusively inside the “tarball”, i.e. the already-archived release file of the library, where the other volunteer users could not evaluate the danger.
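The trick described above relies on the release archive differing from the source tree that reviewers actually read. A defender-side check for that gap is to hash every file in the tarball and in a checkout of the tagged source, then list what exists only in the archive or differs between the two. The script below is an added example, not code from the article, from XZ Utils or from any distribution; it builds a small constructed source tree and a constructed `demo-1.0.tar.gz` in a temporary directory (all file names and contents are invented for the demo) and reports the differences. Release tarballs legitimately carry generated files (for example autoconf output), so the output is a review list for a human, not an automatic verdict.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(tree_dir):
    """Map relative path -> sha256 for every regular file under tree_dir (the VCS checkout)."""
    digests = {}
    root = Path(tree_dir)
    for path in root.rglob("*"):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = _sha256(path.read_bytes())
    return digests


def hash_tarball(tarball_path):
    """Map path -> sha256 for every regular file in the archive.

    The leading 'project-version/' directory that release tarballs carry is stripped
    so paths line up with the checkout.
    """
    digests = {}
    with tarfile.open(tarball_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            digests[rel] = _sha256(tar.extractfile(member).read())
    return digests


def compare_tarball_to_tree(tarball_path, tree_dir):
    """Return the files only in the tarball, only in the checkout, and changed between them."""
    tar_h = hash_tarball(tarball_path)
    tree_h = hash_tree(tree_dir)
    common = set(tar_h) & set(tree_h)
    return {
        "only_in_tarball": sorted(set(tar_h) - set(tree_h)),
        "only_in_tree": sorted(set(tree_h) - set(tar_h)),
        "modified": sorted(p for p in common if tar_h[p] != tree_h[p]),
    }


def build_demo():
    """Construct a toy checkout and a release tarball that quietly diverges from it."""
    tmp = Path(tempfile.mkdtemp())
    tree = tmp / "repo"
    (tree / "src").mkdir(parents=True)
    (tree / "src" / "main.c").write_text("int main(void){return 0;}\n")
    (tree / "configure.ac").write_text("AC_INIT([demo], [1.0])\n")
    (tree / "README").write_text("demo project\n")

    tarball = tmp / "demo-1.0.tar.gz"  # constructed archive, not a real release
    with tarfile.open(tarball, "w:gz") as tar:
        def add(name, text):
            data = text.encode()
            info = tarfile.TarInfo("demo-1.0/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("src/main.c", "int main(void){return 0;}\n")            # identical to checkout
        add("configure.ac", "AC_INIT([demo], [1.0])\nAC_CONFIG_SRCDIR([bogus])\n")  # altered line
        add("README", "demo project\n")                             # identical to checkout
        add("build-aux/extra.m4", "dnl constructed: only in the archive\n")  # not in checkout
    return compare_tarball_to_tree(str(tarball), str(tree))


if __name__ == "__main__":
    for kind, files in build_demo().items():
        print(f"{kind}: {files}")
```

Running it prints `build-aux/extra.m4` as present only in the archive and `configure.ac` as modified, which is exactly the kind of divergence a reviewer would want to inspect before packaging a release. In practice the checkout side is a `git archive` of the release tag, and the comparison is run as a packaging step rather than by hand.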

But Jia Tan's patience isn't the only piece of social engineering that fooled Collin and everyone who used this library. Almost all the users who asked for improvements to XZ Utils did not exist: they were accounts created at different times under anonymous identities, which had in turn contributed, in an apparently honest manner, to other projects on GitHub in order to appear credible.

In the months following the insertion of the backdoor into XZ Utils, other fake users began pushing the managers of the various Linux distributions to include the most updated version of XZ Utils in their distro, the one with the malware. In this way, they pushed to distribute and spread the backdoor.

Linux malware: a possible coordinated attack, foiled by a single researcher

Jia Tan started contributing to XZ Utils in 2020, but perhaps the plan began even earlier. This means that whoever is behind this attack, whether cybercriminals or a government agency, has been working for years on a large-scale coordinated attack. All this by targeting a programmer who was struggling because he was working alone. But another researcher, also working alone, prevented this attack from taking effect.


Andres Freund had finished his day job as a Microsoft researcher and was fiddling with his PC. He wanted to reduce the speed of the fans, to make it quieter. But while analyzing the performance of his computer, he realized that something was wrong: the SSHD processes were using a surprising amount of CPU (the processor), yet the login attempts kept failing due to incorrect usernames.

SSHD processes handle logins to a remote computer: if a hacker manages to compromise them, he has opened the “virtual door” to your PC or server. Freund, therefore, became suspicious and analyzed the situation. The technical analysis is quite complicated to follow (here is Freund's post if you want to delve deeper), but what the researcher discovered is a backdoor that could have allowed a hacker to access your PC or server.

Danger averted, but attention is needed

Andres Freund's discovery foiled a plan to spread devastating malware across Linux distributions. The widespread distribution of this library would have allowed whoever was behind this attack to have access to a huge number of Linux servers and computers. And online the consensus of security experts seems unanimous: We have been lucky.

If Freund hadn't noticed this backdoor in time, the damage could have become incalculable. A single researcher was able to remedy a huge coordinated attack that targeted a programmer, who had to lower his guard because he was the target of a social engineering attack. And who perhaps shouldn't have been left alone to manage such an important library.


Walker Ronnie is a tech writer who keeps you informed on the latest developments in the world of technology. With a keen interest in all things tech-related, Walker shares insights and updates on new gadgets, innovative advancements, and digital trends. Stay connected with Walker to stay ahead in the ever-evolving world of technology.