Researchers discover "Bootkitty," the first UEFI bootkit for Linux

Alfonso Maruccia

In a nutshell: A serendipitous discovery led to a new warning of threats against Linux. The open-source platform is becoming an increasingly tasty target for cyber-criminals, and malware writers are now looking to get to the lowest levels of the kernel as they already have on Windows.

"Bootkitty" is a new and concerning malware that targets Linux systems. Eset analysts recently discovered the bootkit in a previously unknown UEFI application (bootkit.efi) that someone uploaded to VirusTotal. While not yet complete, Bootkitty is described as the first UEFI bootkit for Linux that researchers have found.

Bootkits like BlackLotus are a particular kind of malware designed to infect the startup phase of the operating system. They conceal their presence and essentially obtain total control of the OS and user applications by replacing, compromising, or significantly changing the original boot loader or boot process.

The European researchers confirmed that Bootkitty targets Linux, although it only works against specific Ubuntu distros. The sample uploaded on VirusTotal uses a self-signed security certificate, which means it will not run on UEFI systems protected by the controversial Secure Boot feature. However, there is nothing to stop determined hackers from refining the malware.

Bootkitty includes specific routines to subvert many functions in the UEFI firmware, the Linux kernel, and the GRUB boot loader. Bootkitty can theoretically boot the Linux kernel "seamlessly," even with Secure Boot activated, after which it injects itself into program processes upon system launch.

However, Bootkitty doesn't work as intended despite its apparent complexity. Eset said that the bootkit contains many artifacts and rough features, which suggests the malware authors are still working on its code. The researchers also discovered a possibly related kernel module named BCDropper, designed to deploy ELF (Linux) programs useful for loading additional kernel modules.

Even though it is still in its proof-of-concept stage, Bootkitty is an interesting development in the UEFI threat landscape. Bootkits and UEFI rootkits have traditionally targeted only Windows systems, but Linux platforms are now widespread enough to become an enticing target. The security community should prepare for future threats, Eset warns.
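As an added, defender-side example (not code from the article or from ESET's analysis), the following POSIX shell script performs the host checks this story implies: whether the machine booted under UEFI at all, whether Secure Boot is enforcing (the Bootkitty sample is self-signed, so an enforcing Secure Boot rejects it), whether the EFI System Partition holds EFI binaries absent from a known-good baseline, and whether the kernel has loaded out-of-tree or unsigned modules, which is the route a loader module like BCDropper would have to take. The efivarfs variable path, the baseline file location, the script file name and all sample inputs are assumptions.

```shell
#!/bin/sh
# Added example for this story; not code from the article or from ESET.
# Paths, the baseline file format and the sample inputs are assumptions.

# 0. Did this system boot under UEFI? The kernel only exposes
#    /sys/firmware/efi when it was started through EFI runtime services.
boot_mode() {
  [ -d "${1:-/sys/firmware/efi}" ] && echo uefi || echo legacy-bios
}

# 1. Read the SecureBoot UEFI variable via efivarfs. The file holds a 4-byte
#    attribute header followed by one data byte (1 = enabled, 0 = disabled).
secureboot_state() {
  f="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$f" ] || { echo unknown; return 0; }   # legacy BIOS or no efivarfs
  v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
  case "$v" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# 2. Print the path of every *.efi under the ESP mount point $1 whose SHA-256
#    is not listed in baseline file $2. The baseline is one
#    "<sha256>  <path>" line per file, as sha256sum prints it when run over a
#    trusted ESP image. An unlisted binary is something to investigate, not
#    proof of compromise (a distro update also changes these hashes).
unknown_efi_binaries() {
  esp="$1"; baseline="$2"
  find "$esp" -type f \( -name '*.efi' -o -name '*.EFI' \) -exec sha256sum {} + 2>/dev/null |
  while read -r sum path; do
    grep -q "^$sum " "$baseline" || echo "$path"
  done
}

# 3. Decode the two module-related taint bits of /proc/sys/kernel/tainted:
#    bit 12 = an out-of-tree module was loaded, bit 13 = an unsigned module
#    was loaded. Either is a prompt to check lsmod against what you expect.
kernel_module_taint() {
  t="${1:-$(cat /proc/sys/kernel/tainted 2>/dev/null || echo 0)}"
  out=""
  [ $(( (t >> 12) & 1 )) -eq 1 ] && out="${out}out-of-tree "
  [ $(( (t >> 13) & 1 )) -eq 1 ] && out="${out}unsigned "
  out="${out% }"
  echo "${out:-clean}"
}

# Run all checks against the live host when executed as uefi_checks.sh
# (assumed file name; the baseline path is an assumption as well).
if [ "${0##*/}" = "uefi_checks.sh" ]; then
  echo "Boot mode:    $(boot_mode)"
  echo "Secure Boot:  $(secureboot_state)"
  echo "Module taint: $(kernel_module_taint)"
  if [ -r /var/lib/esp-baseline.sha256 ]; then
    echo "EFI binaries not in baseline:"
    unknown_efi_binaries /boot/efi /var/lib/esp-baseline.sha256
  fi
fi
```

Secure Boot enforcing is the check that matters most for this sample, but it only protects against binaries the firmware refuses to sign-verify; a baseline of ESP hashes taken from a known-good install, refreshed after each bootloader or shim update, is what catches an added or replaced `.efi` regardless of its signature.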

There is a reason enterprise machines still use a BIOS
Servers have been UEFI way before home machines were, and it’s been their default boot environment for a long time now.

What enterprise machines do you know that don’t use UEFI today? Genuinely curious.
 
Servers have been UEFI way before home machines were, and it’s been their default boot environment for a long time now.

What enterprise machines do you know that don’t use UEFI today? Genuinely curious.
So I might have a bit of bias, but I like to buy old server hardware for my homelab and all of them have had what I call a traditional bios. I do not work in the enterprise space. Much of my stuff is from 2018-2020 so maybe I'm interacting with legacy support.

That said, I still feel the UEFI is unnecessary in its own way. Most of my stuff is Xeon hardware so I'm going to ASSUME that enterprise stuff is more BIOS than UEFI.

I don't have a problem with being wrong. If I am wrong I actually would like to be corrected on this. Maybe what I'm using is UEFI and just LOOKS like a bios.

I don't know if I'm right or wrong, but I also didn't invest in a homelab to be wrong so if I'm approaching the software incorrectly, I'd very much like to know.
 
I don't have a problem with being wrong. If I am wrong I actually would like to be corrected on this. Maybe what I'm using is UEFI and just LOOKS like a bios.

I don't know if I'm right or wrong, but I also didn't invest in a homelab to be wrong so if I'm approaching the software incorrectly, I'd very much like to know.
Exactly that. UEFI was introduced into servers (Dell, HP etc…) back in 2005-2006; you can boot into an operating system using "legacy BIOS mode", but fundamentally it's been UEFI for 20 years now on servers. On your home motherboards it's been UEFI since the Windows 10 launch; there were UEFI motherboards at Windows Vista and 7's launch, but it took a while for it to become the norm.

There are certain features in Windows (mostly all security related) that simply don't work when using a legacy BIOS mode. I don't think Windows 11 can even be booted in legacy BIOS mode.
 
I don't have a problem with being wrong. If I am wrong I actually would like to be corrected on this. Maybe what I'm using is UEFI and just LOOKS like a bios.

That's almost certainly it.

For example, most system firmware written by Aptio is still modelled after the legacy BIOS interface (even today [1]), but almost anything Aptio has written since 2012 has been a UEFI [2]. Furthermore, they retain the conventional BIOS-like user interface even over a serial port (rather than a computer monitor) [3].

That they didn't bother to make it flashy and pretty when viewed on a monitor (I hate that) says nothing about what kind of firmware interface it provides.

[1] https://www.techguy.org/attachments/20220606_124349-jpg.297113/
[2] https://I.ytimg.com/vi/X8G_637DDfw/maxresdefault.jpg
[3] https://supportportal.juniper.net/s...f&feoid=00N3c000007wCjb&refid=0EMDp000002T0QX
 
One can have UEFI without the flashy gamer-fied user interfaces that many enthusiast motherboards have these days. God, I wish there was a way to turn all that crap off and go back to a simple menu-driven interface like we had in the old days.
 
God, I wish there was a way to turn all that crap off and go back to a simple menu-driven interface like we had in the old days.

Unfortunately, the only way to accomplish that these days, in my experience, is to access it via a serial port rather than a monitor. This requires a motherboard with a serial port, whether built into the I/O shield or as a header you can connect a port to, and requires the firmware to support it.

Most motherboards with serial ports on the I/O shield support accessing the firmware interface via serial, and then it doesn't matter how flashy the interface normally is because you're not using a GPU or monitor to look at it.
 
"only works against specific Ubuntu distros"
A well-researched article would LIST those distros.

Is it only specific Ubuntu distros or specific Debian based distros??
 