The company Binarly has released a free online scanner to detect the CVE-2024-3094 backdoor in xz-utils.

Researchers from the firmware security firm Binarly last week released a free online scanner to detect the CVE-2024-3094 backdoor. Microsoft engineer Andres Freund discovered malicious code in the latest versions of the "xz" tools and libraries. The issue is tracked as CVE-2024-3094 and received a CVSS score of 10. Red Hat strongly advises users to immediately stop using systems running development and experimental versions of Fedora because of the backdoor.

XZ is a popular data compression format shipped by almost all Linux distributions, community and commercial alike. The malicious code the researchers found is hidden and is present only in the downloadable release tarball. It is absent from the Git repository, because the M4 macro needed to trigger the build of the malicious code is missing there. The malicious build interferes with authentication in sshd via systemd: on distributions where sshd is linked against libsystemd, liblzma is loaded into the sshd process.

Under certain conditions, an attacker can bypass sshd authentication and gain unauthorized remote access to the entire system. CISA has also published an alert urging users to downgrade to an uncompromised version of XZ (i.e., 5.4.6 Stable) and to check for any malicious activity.
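A first-pass triage for the exposure described above, added here as an example (it is not part of the original article and not Binarly's tool): it parses the version reported by `xz --version` or by the package manager and the output of `ldd` on the sshd binary, and flags a host only when a backdoored build is installed and sshd actually maps liblzma. The sample outputs are constructed; the "+really" handling reflects Debian's reverted package versioning, which a naive prefix match on "5.6.1" would misreport.

```python
import re

# Upstream xz-utils releases that shipped the CVE-2024-3094 backdoor.
BACKDOORED = {(5, 6, 0), (5, 6, 1)}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def upstream_version(version_text):
    """Extract the effective upstream version from the first line of
    `xz --version` or from a distro package version string.

    Debian shipped a reverted package versioned "5.6.1+really5.4.5-1":
    the part after "+really" is the code actually built, so a naive
    match on the leading "5.6.1" would raise a false alarm.
    """
    text = version_text
    if "+really" in text:
        text = text.split("+really", 1)[1]
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def sshd_links_liblzma(ldd_output):
    """True if `ldd /usr/sbin/sshd` lists liblzma among the mapped libraries.

    sshd does not use liblzma itself; it appears only when the distribution
    links sshd against libsystemd, which in turn pulls in liblzma."""
    return any(line.strip().startswith("liblzma.so")
               for line in ldd_output.splitlines())


def assess(version_text, ldd_output):
    """Combine both checks into a verdict for one host."""
    ver = upstream_version(version_text)
    backdoored = ver in BACKDOORED
    return {
        "version": ver,
        "backdoored_build": backdoored,
        "sshd_exposed": backdoored and sshd_links_liblzma(ldd_output),
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1"
SAMPLE_DEBIAN_PKG_VERSION = "5.6.1+really5.4.5-1"
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffc00000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0000100000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0000200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000300000)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_XZ_VERSION, SAMPLE_LDD))
    print(assess(SAMPLE_DEBIAN_PKG_VERSION, SAMPLE_LDD))
```

On a live host, feed it the real strings: `xz --version | head -1` and `ldd "$(command -v sshd)"`. A clean verdict from this script only means the package version is not one of the two backdoored releases; it says nothing about a tampered binary with a benign version string, which is the gap the behavioural scanner discussed below is meant to close.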

Binarly created the free scanner to help the industry counter the threat, noting that the detection method it uses produces almost no false positives. The company says most tools developed by other researchers rely on simple version checks, hash-based detection of backdoor components, or YARA rules built on unique string constants. Such approaches to detecting the backdoor can lead to false alarms.

"To generically detect such implants, we decided to focus on analyzing the behavior of ifunc transitions using our Binary Intelligence technology. The detection method is based entirely on static analysis, where we identify overlapping control flow graphs of transitions," the company stated in its announcement. "Such detection methods can reveal potential control flow violations introduced by implanted malicious ifunc resolvers. This technique operates on a generic method and will be able to detect invariants or the reuse of the payload in other software supply chain attacks."
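Binarly's statement turns on ifunc resolvers, so the first step any such analysis needs is to find them. The following is an added example, not Binarly's code and not part of the original article: a dependency-free parser that walks the symbol tables of a little-endian ELF64 shared object and lists every STT_GNU_IFUNC symbol together with its resolver address. It also builds a minimal constructed ELF image for offline testing; the symbol names in that sample are illustrative. Note that a legitimate liblzma 5.6.x exports ifunc symbols for its CRC routines, so their mere presence proves nothing; what Binarly analyses is the control flow of the resolver code these entries point to.

```python
import struct
import sys

SHT_STRTAB, SHT_SYMTAB, SHT_DYNSYM = 3, 2, 11
STT_FUNC, STT_GNU_IFUNC = 2, 10
STB_GLOBAL = 1
EHDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
SHDR = "<IIQQQQIIQQ"         # Elf64_Shdr
SYM = "<IBBHQQ"              # Elf64_Sym


def cstr(data, off):
    """NUL-terminated string starting at offset `off`."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def section_headers(data):
    """Parse the section header table of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR, data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    return [struct.unpack_from(SHDR, data, shoff + i * shentsize)
            for i in range(shnum)]


def ifunc_symbols(data):
    """Return (name, resolver_address) for every STT_GNU_IFUNC symbol.

    For an IFUNC symbol st_value is not the function but the resolver the
    dynamic loader calls to choose an implementation. That resolver is the
    code a behavioural check has to examine."""
    secs = section_headers(data)
    found = []
    for sh in secs:
        sh_type, sh_off, sh_size, sh_link, sh_entsize = sh[1], sh[4], sh[5], sh[6], sh[9]
        if sh_type not in (SHT_SYMTAB, SHT_DYNSYM):
            continue
        str_off = secs[sh_link][4]               # sh_link points at the string table
        entsize = sh_entsize or struct.calcsize(SYM)
        for off in range(sh_off, sh_off + sh_size, entsize):
            st_name, st_info, _, _, st_value, _ = struct.unpack_from(SYM, data, off)
            if st_info & 0xF == STT_GNU_IFUNC:
                found.append((cstr(data, str_off + st_name), st_value))
    return found


def build_sample_elf():
    """Constructed sample: a minimal ELF64 image whose .dynsym holds one IFUNC
    symbol and one ordinary function. Names and addresses are illustrative."""
    names = [b"", b"lzma_crc32", b"lzma_code"]
    dynstr, name_off = b"", {}
    for n in names:
        name_off[n] = len(dynstr)
        dynstr += n + b"\0"
    syms = [
        (0, 0, 0, 0, 0, 0),
        (name_off[b"lzma_crc32"], (STB_GLOBAL << 4) | STT_GNU_IFUNC, 0, 1, 0x1000, 0x20),
        (name_off[b"lzma_code"], (STB_GLOBAL << 4) | STT_FUNC, 0, 1, 0x2000, 0x40),
    ]
    dynsym = b"".join(struct.pack(SYM, *s) for s in syms)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"   # name offsets 1, 9, 17
    align = lambda n: (n + 7) & ~7
    dynstr_off = 64
    dynsym_off = align(dynstr_off + len(dynstr))
    shstr_off = dynsym_off + len(dynsym)
    shoff = align(shstr_off + len(shstrtab))
    shdrs = [
        (0,) * 10,
        (1, SHT_DYNSYM, 2, 0, dynsym_off, len(dynsym), 2, 1, 8, struct.calcsize(SYM)),
        (9, SHT_STRTAB, 2, 0, dynstr_off, len(dynstr), 0, 0, 1, 0),
        (17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(shdrs), 3)
    buf = bytearray(shoff + 64 * len(shdrs))
    buf[0:64] = ehdr
    buf[dynstr_off:dynstr_off + len(dynstr)] = dynstr
    buf[dynsym_off:dynsym_off + len(dynsym)] = dynsym
    buf[shstr_off:shstr_off + len(shstrtab)] = shstrtab
    for i, sh in enumerate(shdrs):
        buf[shoff + 64 * i:shoff + 64 * (i + 1)] = struct.pack(SHDR, *sh)
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python ifunc_list.py /path/to/liblzma.so.5 (or no argument for the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for name, addr in ifunc_symbols(data):
        print(f"IFUNC {name} resolver at {addr:#x}")
```

Pointed at a real liblzma, the output gives the resolver addresses to disassemble; the analysis Binarly describes then compares the control flow reachable from those resolvers against what a plain CPU-feature dispatch should look like, which is well beyond this listing.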

The scanner for detecting the XZ backdoor is available for free at XZ.fail, where users can upload binary files to check for the implant.
