The first UEFI bootkit malware for Linux has been detected, so users beware
- ESET researchers discover ‘Bootkitty’, a unique UEFI boot kit for Linux
- Bootkitty appears to be in the early stages of development, but could pose a major risk
- Linux users warned to be wary of possible attacks
UEFI bootkits are reportedly making their way to Linux, ESET researchers have warned, after discovering a first-of-its-kind Linux UEFI bootkit, which appears to be either an experimental version or one in early stages of development.
UEFI bootkits are advanced malware that targets the Unified Extensible Firmware Interface (UEFI), which is responsible for booting an operating system and initializing hardware. These bootkits compromise the firmware at a low level, meaning that even reinstalling the operating system or even replacing the hard drive will not eliminate the presence of the malware. Even antivirus programs have difficulty recognizing them.
They allow attackers to control the system from the earliest boot stages, often used for espionage, surveillance or launching other malicious payloads. Because they are so deeply ingrained in a system, UEFI bootkits are often very difficult to detect or remove.
Bootkitty
The variant that ESET researchers have found is called ‘Bootkitty’, and given its condition, features and operational level, they believe it is still in an early stage of development.
Bootkitty relies on a self-signed certificate, which means it won’t work on systems with Secure Boot – therefore it can only target certain Ubuntu distributions.
Furthermore, the use of hardcoded byte patterns and the fact that the best patterns for covering multiple kernel or GRUB versions were not used means that the bootkit cannot be widely distributed. Finally, Bootkitty comes with many unused features and no kernel version checks, which often results in system crashes.
Regardless, the finding marks an important moment in the development and destructive potential of UEFI boot kits.
While all evidence points to a piece of malware that can hardly do any significant damage, the fact remains that bootkits have made their way into Linux. And because so many devices are powered by the operating system, the attack surface is absolutely enormous.
Via BleepingComputer