by treffer 807 days ago
Well, I am skeptical about (2).

It is unclear what exploiting means. The backdoor is doing _something_ for 0.5s if RSA key exchange happens.

So even a valid login might trigger not yet known side effects. It might just tunnel commands over DNS, for example (DNS being a well-known side effect of ssh anyway).

So "exploiting" might mean as little as "used ssh".

1 comment

Presumably they wanted this backdoor hidden, so they wouldn't want it doing things that could expose it. I'm under the impression it simply modifies memory when sshd loads the xz library, adding its own hooks and just waiting for the proper login signal. I doubt it "phones home" as this could expose its existence, but we'll have to wait until it is analyzed thoroughly.