Re: Malware find in the news: xz related.

On Sun, 31 Mar 2024 15:40:44 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:

On 31.03.2024 um 19:15 Uhr Lew Pitcher wrote:

Still, if I had one of the suspicious xz/liblzma packages installed,
I'd not hesitate to "nuke it from orbit" and replace it with a
known-good version.

>
I'm not a fan of nuke it from orbit as a knee jerk reaction that some
people have.
>
On 3/31/24 14:27, Marco Moock wrote:

The big trouble with that: You need to think that your entire system
is compromised, including the files you had there, passwords you typed,
private keys used.

>
There are two primary forms of compromise here; disclosure and
alteration.  The first is somewhat difficult to prove didn't happen.
The second one can be quite easy to do with good backup systems.
>
Good backup systems that have sufficient history can tell when files
change by comparing content (not just date / time / size / checksum).
As such you can tell what files have been modified and when.  With this
knowledge, you can relatively easily go back to trusted versions across
the entire system (at least what's covered by the backup).
>
There are almost always ways to return a system to a safe state to use.
It's just that they often take more time and effort than nuking the
entire system from orbit.

That's assuming you haven't installed a root kit that can make the contents
appear unchanged when read, but still have the changed version get executed.
If the changed files are on disk, booting from a clean installation, and then
scanning the file system's used in that mangled system can work, but if a root
kit gets into uefi firmware, detection and cleaning become potentially
impossible.
Regards, Dave Hodgins