- ESET researchers uncover ‘Bootkitty’, a first-of-its-kind UEFI bootkit for Linux
- Bootkitty seems to be in early stages of development, but could pose a major risk
- Linux users warned to be on their guard against possible attacks
UEFI bootkits are reportedly making their way into Linux, researchers from ESET have warned, after spotting a first-of-its-kind Linux UEFI bootkit, which seems to either be an experimental version, or a version in early development stages.
UEFI bootkits are sophisticated malware targeting the Unified Extensible Firmware Interface (UEFI), which is responsible for booting an operating system and initializing hardware. These bootkits compromise the firmware at a low level, meaning that even reinstalling the operating system, or even replacing the hard drive, does not eliminate the malware’s presence. Even antivirus programs have difficulties spotting them.
They enable attackers to control the system from its earliest stages of boot, often used for espionage, surveillance, or launching other malicious payloads. By rooting themselves so deep into a system, UEFI bootkits are often very hard to detect or remove.
Bootkitty
The variant ESET’s researchers found is called ‘Bootkitty’, and given its state, features, and operational level, they believe that it is still in early development stages.
Bootkitty relies on a self-signed certificate, which means it won’t run on systems with Secure Boot – therefore, it can only target some Ubuntu distributions.
Furthermore, the use of hardcoded byte patterns and the fact that the best patterns for covering multiple kernel or GRUB versions were not used, means that the bootkit cannot be widely distributed. Finally, Bootkitty comes with many unused functions, and does not have kernel-version checks, which often results in system crashes.
In any case, the finding marks an important moment in the development and destructive potential of UEFI bootkits.
While all evidence points to a piece of malware that can hardly do any meaningful damage, the fact remains that bootkits made their way to Linux. And with so many devices being powered by the OS, the attack surface is absolutely massive.
Via BleepingComputer