Proving Linux is not a safe sanctuary, ESET finds first Linux-targeting UEFI bootkit malware
Linux-based operating systems have long been heralded as inherently more secure than Windows. Whether this is true is open to debate, as is how much the size of an OS's user base determines whether malware writers bother to target it.
UEFI bootkits have been a key security concern in recent years, and until now they have only been seen targeting Windows systems. Now, however, security firm ESET has revealed details of Bootkitty, the first UEFI bootkit designed for Linux systems.
UEFI bootkits are particularly worrying because they are both hard to detect and hard to remove. On top of that, this type of malware gives an attacker control from the lowest level of the software stack: the bootkit runs before the operating system loads, so it is already active by the time any OS-level security tooling starts.
ESET discovered the Linux-targeting UEFI bootkit malware, dubbed Bootkitty, after spotting the previously unknown bootkit.efi UEFI application on VirusTotal. The emergence of this type of malware for Linux is very concerning, but ESET is not -- yet -- suggesting panic is necessary:
We believe this bootkit is merely an initial proof of concept, and based on our telemetry, it has not been deployed in the wild. That said, its existence underscores an important message: UEFI bootkits are no longer confined to Windows systems alone.
The bootkit’s main goal is to disable the kernel’s signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup). During our analysis, we discovered a possibly related unsigned kernel module -- with signs suggesting that it could have been developed by the same author(s) as the bootkit -- that deploys an ELF binary responsible for loading yet another kernel module unknown during our analysis.
Bootkitty targets a handful of Ubuntu versions and, reassuringly for now, it is "signed by a self-signed certificate, thus is not capable of running on systems with UEFI Secure Boot enabled unless the attackers' certificates have been installed". In practice that means firmware enforcing Secure Boot with only the stock certificates enrolled will refuse to load it; the caveat does not help where Secure Boot is switched off, or where an attacker can already enroll a key of their own.
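Two checks an administrator can run against the caveats above, as an added example that is not ESET's code or part of the original article: read the Secure Boot state the way the kernel exposes it through efivarfs, and flag any EFI application on the EFI System Partition whose hash is not on an allowlist. The live-system paths (the SecureBoot efivar and an ESP mounted at /boot/efi) are assumptions noted in the comments; the demo at the bottom runs against constructed files instead of real firmware or ESP contents.

```shell
#!/bin/sh
# Added example, not from the article or from ESET.
# Assumed live-system inputs (pass them as arguments):
#   SecureBoot efivar: /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
#   ESP mount point:   /boot/efi
# The demo below uses constructed stand-ins so the script runs offline.

# efivarfs exposes a variable as 4 bytes of attribute flags followed by
# its data; for SecureBoot the data is a single byte, 1 = enforcing.
sb_state_from_file() {
    [ -r "$1" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print every *.efi under an ESP whose SHA-256 is not listed in the
# allowlist file (one lowercase hex digest per line).
# Returns 1 if any unknown binary was found, 0 otherwise.
unknown_efi_binaries() {
    esp=$1; allow=$2; found=0
    list=$(mktemp)
    find "$esp" -type f -iname '*.efi' > "$list"
    while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        if ! grep -qx "$h" "$allow"; then
            echo "UNKNOWN: $f $h"
            found=1
        fi
    done < "$list"
    rm -f "$list"
    return $found
}

# --- constructed demo data (not real firmware variables or ESP files) ---
demo=$(mktemp -d)
# attributes 0x06 (BS|RT) followed by the data byte: 1 = on, 0 = off
printf '\006\000\000\000\001' > "$demo/SecureBoot-on"
printf '\006\000\000\000\000' > "$demo/SecureBoot-off"
mkdir -p "$demo/esp/EFI/ubuntu" "$demo/esp/EFI/BOOT"
printf 'stand-in for the distribution shim' > "$demo/esp/EFI/ubuntu/shimx64.efi"
printf 'stand-in for an unexpected EFI application' > "$demo/esp/EFI/BOOT/bootkit.efi"
# allowlist knows only the shim stand-in
sha256sum "$demo/esp/EFI/ubuntu/shimx64.efi" | cut -d' ' -f1 > "$demo/allow.txt"

echo "Secure Boot (constructed 'on' file):  $(sb_state_from_file "$demo/SecureBoot-on")"
echo "Secure Boot (constructed 'off' file): $(sb_state_from_file "$demo/SecureBoot-off")"
unknown_efi_binaries "$demo/esp" "$demo/allow.txt" || echo "unexpected EFI binary present"
```

On a real machine, build the allowlist from the hashes of the bootloader files your distribution shipped (the shim, GRUB and any vendor tools) and rerun the ESP check from a trusted environment such as a live image, since a bootkit that is already running can influence what the booted system reports.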
But while the potential threat posed by Bootkitty is watered down by various such caveats, the malware still indicates a marked shift in the focus of attacks and the capabilities of malware in general.
ESET has published a detailed analysis of the malware.
Image credit: Funtap P / Dreamstime.com