Just Like Windows: Linux Targeted by First-Ever UEFI Bootkit - UPDATED

Linux-Targeting Bootkitty Appears More Proof-of-Concept Than Threat, Researchers Say

Bad kitty: Bootkitty malware, found in the wild, stands as the first-ever known bootkit to target Linux. (Image: Shutterstock)

Update Dec. 2, 2024 18:13 UTC: Eset now reports that the Linux bootkit "seems to be part of a project created by cybersecurity students participating in Korea's Best of the Best (BoB) training program." Students emailed Eset to state that a few bootkit samples accidentally made their way online before a planned conference presentation.

"This supports our belief that it was an initial proof of concept rather than production-ready malware used by real threat actors. Nonetheless, the blog post remains accurate - it is a functional bootkit with limited support and represents the first UEFI bootkit proof of concept for Linux OS," Eset wrote.

The original article follows:

Cybersecurity researchers have discovered the first-ever bootkit designed to target Linux systems and subvert their boot process for malicious purposes.

The Unified Extensible Firmware Interface malware exists as an in-the-wild application named bootkit.efi, which its creators named "Bootkitty."

Researchers at cybersecurity firm Eset first analyzed the UEFI bootkit earlier this month after someone uploaded it to VirusTotal on Nov. 5.

"The bootkit is an advanced rootkit that is capable of replacing the boot loader and patching the kernel ahead of its execution," the Eset researchers said in a blog post. "Bootkitty allows the attacker to take full control over the affected machine, as it co-opts the machine's booting process and executes malware before the operating system has even started."

Bootkitty uses a self-signed certificate and only runs if attackers have already compromised the system and installed their own certificate to bypass Secure Boot protections, they said.

The researchers also "discovered a possibly related kernel module," BCDropper, which appears to have been built by the same developer and is designed to load a separate kernel module that could be intended to execute additional malicious functionality.

Bootkitty's discovery is notable in part because no bootkit has ever been known to target Linux. Rather, all known in-the-wild bootkits have only ever targeted Windows (see: Critical UEFI Flaw in Phoenix Firmware Hits Major PC Brands).

Major milestones in those efforts date from 2012, when researcher Andrea Allievi described the first-ever proof-of-concept Windows bootkit. Years of additional research followed, and so did the first-ever malicious bootkits, including ESPecter in 2021 and BlackLotus in 2023, which could bypass UEFI Secure Boot (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).

Whether researchers might require years to advance Linux bootkits to a similar state remains to be seen.

On the upside, "Bootkitty contains many artifacts suggesting that this is more like a proof of concept than the work of a threat actor," said Martin Smolár, a security researcher at Eset.

Expect researchers - and no doubt attackers - to further refine the concept. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems since it can affect only a few Ubuntu versions, it emphasizes the necessity of being prepared for potential future threats," he said.

What can Linux users do to safeguard themselves from Linux-targeting bootkits? "To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware, security software and OS are up-to-date, and so is your UEFI revocations list," Smolár said.
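The advice above turns on two things an administrator can verify locally: whether Secure Boot is actually being enforced by the firmware, and whether any certificate has been enrolled in the Machine Owner Key list that the administrator did not put there (the article notes Bootkitty only runs once an attacker has installed their own certificate). The script below is an added example, not code from the article or from Eset. The efivarfs path and the EFI_GLOBAL_VARIABLE GUID are real; the `--report` flag, the `MOK_ALLOWLIST` variable and the `/etc/mok-allowlist.txt` path are assumptions made for this example, and the fingerprint values used in comments are constructed placeholders. It assumes `mokutil --list-enrolled` output in its usual form, with one `SHA1 Fingerprint:` line per enrolled key.

```shell
#!/bin/sh
# Added example: local checks for Secure Boot enforcement and unexpected
# MOK enrollments. Not from the article or from Eset.

# Real efivarfs location and the EFI_GLOBAL_VARIABLE GUID. The directory can
# be overridden (e.g. for offline testing against constructed files).
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte of a UEFI variable as a decimal number.
# efivarfs files begin with a 4-byte attribute header, so the value sits at
# offset 4. Prints nothing and fails if the file is absent or unreadable.
efivar_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# Print enabled / disabled / unknown for boolean global variable $2 in
# efivars directory $1.
efi_flag_state() {
    v=$(efivar_byte "$1/$2-$EFI_GLOBAL_GUID" 2>/dev/null) || v=
    case $v in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Verdict for the advice "make sure UEFI Secure Boot is enabled":
# enforced only when SecureBoot=1 and the firmware is not in SetupMode
# (SetupMode=1 allows the key databases to be rewritten without authentication).
secure_boot_verdict() {
    dir=${1:-$EFIVARS_DIR}
    sb=$(efi_flag_state "$dir" SecureBoot)
    sm=$(efi_flag_state "$dir" SetupMode)
    if [ "$sb" = disabled ]; then
        echo not-enforced
    elif [ "$sb" = enabled ] && [ "$sm" = disabled ]; then
        echo enforced
    elif [ "$sb" = enabled ] && [ "$sm" = enabled ]; then
        echo not-enforced
    else
        echo unknown
    fi
}

# Print every SHA1 fingerprint in a saved `mokutil --list-enrolled` dump ($1)
# that is not in the allowlist file ($2: one fingerprint per line, any case).
# Returns 0 when every enrolled key is on the allowlist, 1 when at least one
# is not, 2 when the allowlist cannot be read.
unexpected_mok_fingerprints() {
    [ -r "$2" ] || { echo "allowlist $2 not readable" >&2; return 2; }
    bad=$(sed -n 's/^[[:space:]]*SHA1 Fingerprint:[[:space:]]*//p' "$1" \
          | tr 'a-f' 'A-F' \
          | grep -vixF -f "$2") || true
    [ -n "$bad" ] || return 0
    printf '%s\n' "$bad"
    return 1
}

# Assumed command-line entry point: `sh check-boot.sh --report`.
if [ "${1:-}" = --report ]; then
    echo "secure boot: $(secure_boot_verdict)"
    if command -v mokutil >/dev/null 2>&1; then
        dump=$(mktemp)
        mokutil --list-enrolled > "$dump" 2>/dev/null || true
        # Hypothetical allowlist path; maintain it from a known-good machine.
        if unexpected_mok_fingerprints "$dump" "${MOK_ALLOWLIST:-/etc/mok-allowlist.txt}"; then
            echo "mok: every enrolled key is on the allowlist"
        else
            echo "mok: enrolled keys listed above are not on the allowlist"
        fi
        rm -f "$dump"
    fi
fi
```

The allowlist is the part that needs care: capture `mokutil --list-enrolled` on a freshly installed machine, record the fingerprints, and treat any later addition as something to explain rather than something to assume is benign. A `not-enforced` verdict with a non-empty MOK list is exactly the state in which a self-signed bootkit could be made to load.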

With reporting from Information Security Media Group's Mathew Schwartz in Scotland.


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.