New UEFI Bootkit Targets Linux Machines
Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines.
Discovery and Analysis
Researchers at security firm ESET said Wednesday that Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect any Linux distribution other than Ubuntu. That has led the company's researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.
The Bootkitty ASCII Logo
Implications and Precautions
Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines.
“Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats.”
What is a Bootkit?
A rootkit is a piece of malware that runs in the deepest regions of the operating system it infects. It leverages this strategic position to hide information about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the UEFI—short for Unified Extensible Firmware Interface—in much the same way. By lurking undetected in the firmware that resides on a chip and runs each time a machine boots, bootkits can persist indefinitely, providing a stealthy means for backdooring the operating system even before it has fully loaded and enabled security defenses such as antivirus software.
How Bootkits Work
The bar for installing a bootkit is high. An attacker first must gain administrative control of the targeted machine, either through physical access while it’s unlocked or by exploiting a critical vulnerability in the OS. Under those circumstances, attackers already have the ability to install OS-resident malware. Bootkits, however, are much more powerful since they (1) run before the OS does and (2) are, at least practically speaking, undetectable and unremovable.
Conclusion
While the current version of Bootkitty may not pose a significant threat to most Linux systems, it is essential for users to remain vigilant and prepared for potential future threats. As the security landscape continues to evolve, it is crucial to stay informed about the latest developments in malware and to take steps to protect your systems from infection.
FAQs
Q: What is a UEFI bootkit?
A: A UEFI bootkit is malware that infects the firmware that runs immediately before the operating system loads.
Q: How do bootkits work?
A: Bootkits work by infecting the firmware that resides on a chip and runs each time a machine boots. This allows them to persist indefinitely, providing a stealthy means for backdooring the operating system.
Q: How do I protect my system from bootkits?
A: To protect your system from bootkits, it is essential to stay informed about the latest developments in malware and to take steps to secure your systems. This includes keeping your operating system and software up to date, using reputable antivirus software, and being cautious when downloading files from the internet.
Q: Is Bootkitty a real threat to my Linux system?
A: While Bootkitty is currently a proof-of-concept release and does not pose a significant threat to most Linux systems, it is essential to remain vigilant and prepared for potential future threats.