Gordon Messmer wrote:
Purely as trivia, and as I haven't seen it discussed elsewhere, the malware steals a different set of symbols on Fedora, where RSA_public_decrypt doesn't seem to appear in the GOT at all.
This proves again that this is a very targeted attack that carefully analyzed the individual targeted distributions: the distributions whose packaging tools the build script attempts to detect were not just picked because they are known to link OpenSSH to liblzma, but also individually tested and targeted.
Kevin Kofler