First UEFI boot kit malware for Linux detected, so users beware

ESET researchers reveal ‘Bootkitty’, first-of-its-kind UEFI boot kit for Linux
Bootkitty appears to be in early stages of development, but could pose a big risk
Linux users warned to be careful of possible attacks

UEFI boot kits reportedly available LinuxESET researchers warned after spotting a first-of-its-kind Linux UEFI boot kit that appeared to be an experimental version or a version in early development stages.

UEFI boot kits are complicated malware targeting the Unified Extensible Firmware Interface (UEFI), which is responsible for booting operating system and initialization of hardware. These boot kits pose low risk of firmware; This means that reinstalling the operating system or even replacing the hard drive does not eliminate the presence of malware. Equal antivirus programs have difficulty detecting them.

Often used to launch spying, surveillance, or other malicious payloads, it allows attackers to control the system from its initial boot stages. UEFI boot kits that root themselves so deeply into a system are often very difficult to detect or remove.

bootkitty

The variant ESET researchers found is called ‘Bootkitty’ and, given its status, features and operational level, they believe it is still in the early development stages.

Bootkitty relies on a self-signed certificate; This means it will not run on systems with Secure Boot; so it can only target some Ubuntu distributions.

Additionally, using hard-coded byte patterns and not using the best patterns spanning multiple kernels or GRUB versions means the boot kit cannot be widely distributed. Finally, Bootkitty comes with many unused functions and has no kernel version checks, which often causes system crashes.

In any case, this finding marks an important period in the development of UEFI boot kits and their disruptive potential.

While all evidence points to a piece of malware that can hardly do any meaningful harm, the fact remains that boot kits are making their way to Linux. Since there are so many devices supported by the operating system, the attack surface is absolutely huge.

through BleepingComputer

Related Posts