Linux-Targeting Bootkitty Appears More Proof-of-Concept Than Threat, Researchers Say
Cybersecurity researchers have discovered the first-ever bootkit designed to target Linux systems and subvert their boot process for malicious purposes.
The Unified Extensible Firmware Interface malware exists as an in-the-wild UEFI application named bootkit.efi, which its creators named “Bootkitty.”
Researchers at cybersecurity firm Eset first analyzed the UEFI bootkit earlier this month after someone uploaded it to VirusTotal on Nov. 5.
“The bootkit is an advanced rootkit that is capable of replacing the boot loader and patching the kernel ahead of its execution,” the Eset researchers said in a blog post. “Bootkitty allows the attacker to take full control over the affected machine, as it co-opts the machine’s booting process and executes malware before the operating system has even started.”
Bootkitty is signed with a self-signed certificate, so it cannot run on a system with UEFI Secure Boot enabled unless attackers have already compromised the machine and enrolled their own certificate in the firmware’s trust database to get past the protection, they said.
The researchers also “discovered a possibly related kernel module,” BCDropper, which appears to have been written by the same developer and is built to load a separate kernel module, presumably to carry out additional malicious functionality.
Bootkitty’s discovery is notable in part because, until now, every known in-the-wild bootkit has targeted Windows (see: Critical UEFI Flaw in Phoenix Firmware Hits Major PC Brands).
Major milestones in those efforts date from 2012, when researcher Andrea Allievi described the first proof-of-concept UEFI bootkit for Windows. Years of additional research followed, and so did the first malicious UEFI bootkits found in the wild, including ESPecter in 2021 and BlackLotus in 2023, the latter able to bypass UEFI Secure Boot (see: BlackLotus Malware Bypasses Secure Boot on Windows Machines).
Whether researchers might require years to advance Linux bootkits to a similar state remains to be seen.
On the upside, “Bootkitty contains many artifacts suggesting that this is more like a proof of concept than the work of a threat actor,” said Martin Smolár, a security researcher at Eset.
Expect researchers – and no doubt attackers – to further refine the concept. “Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems since it can affect only a few Ubuntu versions, it emphasizes the necessity of being prepared for potential future threats,” he said.
What can Linux users do to safeguard themselves from Linux-targeting bootkits? “To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware, security software and OS are up-to-date, and so is your UEFI revocations list,” Smolár said.
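Two of those checks can be scripted from a running Linux system: whether Secure Boot is actually enforcing (the firmware exposes this through the SecureBoot and SetupMode variables), and whether the db trust database contains a certificate nobody enrolled on purpose, which is the precondition the researchers describe for a self-signed bootkit to pass Secure Boot. The script below is an added example written for this article, not code from Eset or from the Bootkitty sample. It parses the EFI_SIGNATURE_LIST format that db and dbx use, counts dbx revocation entries, and flags db certificates missing from an allowlist. The variable GUIDs and signature-type GUIDs are the ones defined in the UEFI specification; the allowlist, the vendor owner GUID and the sample db/dbx contents are constructed placeholders so the code runs offline on a machine without efivars.

```python
"""Audit UEFI Secure Boot state and the db/dbx signature databases from Linux.

Added example, not code from Eset or the article. Reads the efivars
filesystem when present and otherwise falls back to a constructed
EFI_SIGNATURE_LIST blob so the parser can be exercised offline.
"""
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# Variable namespaces defined by the UEFI specification.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Signature types that appear as db/dbx entries.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def read_efivar(name, guid):
    """Return a variable's value (efivars prefixes 4 attribute bytes), or None if absent."""
    path = EFIVARS / f"{name}-{guid}"
    if not path.is_file():
        return None
    return path.read_bytes()[4:]


def secure_boot_state(secure_boot=None, setup_mode=None):
    """Classify the SecureBoot/SetupMode values as 'enabled', 'disabled', 'setup' or 'unknown'.

    Values may be passed in for offline use; when omitted they are read from efivars.
    """
    if secure_boot is None:
        secure_boot = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE)
    if not secure_boot:
        return "unknown"  # legacy BIOS boot or efivars not mounted
    if setup_mode is None:
        setup_mode = read_efivar("SetupMode", EFI_GLOBAL_VARIABLE)
    if setup_mode and setup_mode[0] == 1:
        return "setup"  # key databases can be rewritten without authentication
    return "enabled" if secure_boot[0] == 1 else "disabled"


def parse_signature_lists(blob):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx value.

    Returns (signature_type, owner, data) tuples. Every size field is bounds
    checked so a truncated or corrupt variable raises instead of being misread.
    """
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(blob, off)
        body_start, body_end = off + SIG_LIST_HDR.size + hdr_size, off + list_size
        if (sig_size <= 16 or body_end > len(blob) or body_start > body_end
                or (body_end - body_start) % sig_size):
            raise ValueError(f"malformed signature list at offset {off}")
        sig_type = uuid.UUID(bytes_le=type_raw)  # EFI GUIDs are stored mixed-endian
        for pos in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append((sig_type, owner, blob[pos + 16:pos + sig_size]))
        off = body_end
    return entries


def fingerprint(entry):
    """SHA-256 hex of the DER certificate for X.509 entries, or the stored hash itself."""
    sig_type, _owner, data = entry
    return data.hex() if sig_type == EFI_CERT_SHA256_GUID else hashlib.sha256(data).hexdigest()


def unexpected_certs(db_entries, trusted_fingerprints):
    """X.509 entries in db whose fingerprint is not on the allowlist.

    A self-signed bootkit only passes Secure Boot if its certificate was
    enrolled in db, so any entry returned here needs an explanation.
    """
    return [e for e in db_entries
            if e[0] == EFI_CERT_X509_GUID and fingerprint(e) not in trusted_fingerprints]


def build_signature_list(sig_type, owner, datas):
    """Construct one EFI_SIGNATURE_LIST; used only for the offline sample data."""
    assert all(len(d) == len(datas[0]) for d in datas), "entries in a list share one size"
    body = b"".join(owner.bytes_le + d for d in datas)
    hdr = SIG_LIST_HDR.pack(sig_type.bytes_le, SIG_LIST_HDR.size + len(body), 0, 16 + len(datas[0]))
    return hdr + body


# Constructed sample (not real firmware data): a db with two placeholder
# "certificates" standing in for DER blobs, and a dbx with one revoked hash.
VENDOR = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # placeholder owner GUID
SAMPLE_DB = build_signature_list(EFI_CERT_X509_GUID, VENDOR,
                                 [b"OEM-CA-DER-PLACEHOLDER..", b"SELF-SIGNED-PLACEHOLDER!"])
SAMPLE_DBX = build_signature_list(EFI_CERT_SHA256_GUID, VENDOR, [bytes(range(32))])
TRUSTED = {hashlib.sha256(b"OEM-CA-DER-PLACEHOLDER..").hexdigest()}  # placeholder allowlist

if __name__ == "__main__":
    print("Secure Boot:", secure_boot_state())
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE) or SAMPLE_DB
    dbx = read_efivar("dbx", EFI_IMAGE_SECURITY_DATABASE) or SAMPLE_DBX
    print("dbx revocation entries:", len(parse_signature_lists(dbx)))
    for entry in unexpected_certs(parse_signature_lists(db), TRUSTED):
        print("UNEXPECTED db certificate:", fingerprint(entry))
```

On a real system, populate the allowlist with the fingerprints of the OEM and Microsoft certificates you expect in db, and compare the dbx entry count against the current UEFI revocation list release; a result of "setup" means the firmware is in Setup Mode and the key databases can be rewritten without an owner signature, which is as weak as Secure Boot being off.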
With reporting from Information Security Media Group’s Mathew Schwartz in Scotland.