@rsc Thanks! I was wondering about these strange-looking sed commands, but as you note, any POSIX-conformant sed can be turned into cat by "r[non-existing file]", because "[i]f rfile does not exist or cannot be read, it shall be treated as if it were an empty file, causing no error condition". pubs.opengroup.org/onlinepubs/

@rsc The "-ffunction-sections -fdata-sections" together with the "--sort-section=name" is probably to make sure the compiled code is in a consistent order. Something in the backdoor might be depending on that.

And you missed the "-X" aka "--discard-locals". I recall reading in another analysis that the backdoor object used local symbols for its functions; that might be to discard these symbols?

@rsc "Shell quoting inside a quoted string inside a Makefile really is something special."

Ok, that made me laugh, but ... a key part of this whole attack, which your step by step makes clear, is that it is convoluted enough that most of us will just skim it and move on (i.e., thinking the sed is doing a line ending conversion).

Hiding in plain sight.