Hello and welcome to the Tuesday, April 2, 2020, 24 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

I'm just going to start with a quick wrap-up and some small updates regarding the XC Utils Backdoor.

Overall, no major news really sort of broke today regarding it.

A lot of clarifications and details.

Boyan did post the reverse engineering details that I mentioned yesterday.

So if you're interested in some of this, take a look at the blog post.

We're still hoping to put together some kind of video content for Tuesday.

Once that's live, I'll definitely advertise it on the Internet Storms on our website and our various social media outlets.

I would expect it to go live afternoon, Eastern Time.

As far as updates and details go, Andrews Freund did clarify that the initial indicator wasn't

the delayed login, but instead just logins failing.

This is definitely a feature slash bug in the early versions of the back door,

in particular the one that was released with 560.

I've seen at least one attempt to create a honeypot, also one sort of demo of the actual backdoor in order to create the demo.

A different key was used to log in to the SSH server.

Remember that the backdoor triggers on a particular key being used to connect to SSH.

Of course, the private key here is not known,

and the demo base just swapped the keys out for a known key,

so the backdoor actually worked.

That's helpful to kind of verify some of the static code analysis

that people like Boyon have performed on this backdoor.

...