Researchers uncover “Bootkitty,” the first UEFI bootkit for Linux

by | Nov 29, 2024 | Technology

In a nutshell: A serendipitous discovery has led to a new warning about threats against Linux. The open-source platform is becoming an increasingly tempting target for cyber-criminals, and malware writers are now trying to reach the lowest levels of the system, as they already have on Windows.

“Bootkitty” is a new and concerning piece of malware that targets Linux systems. ESET analysts recently discovered the bootkit in a previously unknown UEFI application (bootkit.efi) that someone uploaded to VirusTotal. While not yet complete, Bootkitty is described as the first UEFI bootkit for Linux that researchers have found.

Bootkits like BlackLotus are a particular type of malware designed to infect the startup phase of the operating system. They hide their presence and essentially gain complete control of the OS and user applications by replacing, compromising, or significantly altering the original boot loader or boot process.

The European researchers confirmed that Bootkitty targets Linux, although it only works against specific Ubuntu distributions. The sample uploaded to VirusTotal uses a self-signed security certificate, which means it will not run on UEFI systems protected by the controversial Secure Boot feature. However, there is nothing to stop determined attackers from refining the malware.

Bootkitty includes specific routines to subvert many functions in the UEFI firmware, the Linux kernel, and the GRUB boot loader. Bootkitty can theoretically boot the Linux kernel “seamlessly,” even with Secure Boot enabled, after which it injects itself into program processes at system launch.

However, Bootkitty does not work as intended despite its apparent complexity. ESET said the bootkit contains many artifacts and rough features, which suggests the malware authors are still working on its code. The researchers also discovered a possibly related kernel module named BCDropper, designed to deploy ELF (Linux) programs useful for loading additional kernel modules.

Although it is still at the proof-of-concept stage, Bootkitty is an interesting development in the UEFI threat landscape. Bootkits and UEFI rootkits have traditionally targeted only Windows systems, but Linux platforms are now widespread enough to become an attractive target. The security community should prepare for future threats, ESET warns.

Laubeau Jac Lawrance