Researchers discover first UEFI bootkit malware for Linux

knox
joined: 07/05/2024

November 27th, 2024

The first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows. Upon analysis, ESET confirmed that this was the first case of a Linux UEFI bootkit to bypass kernel signature verification and preload malicious components during the system boot process.

Named 'Bootkitty,' the Linux malware is a proof-of-concept that works only on some Ubuntu versions and configurations rather than a fully fledged threat deployed in actual attacks. Bootkitty relies on a self-signed certificate, so it won't execute on systems with Secure Boot enabled and only targets certain Ubuntu distributions. Additionally, hardcoded offsets and simplistic byte-pattern matching make it only usable on specific GRUB and kernel versions, so it's unsuitable for widespread deployment. ESET also notes that the malware contains many unused functions and handles kernel-version compatibility poorly, often leading to system crashes. The malware's buggy nature and the fact that ESET's telemetry shows no signs of Bootkitty on live systems led the researchers to conclude that it is in early-stage development.

Read More below:
https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/

Jacob K
joined: 01/13/2022

I see that Bootkitty runs during boot, but how is it installed in the first place? Could malware running as root in the context of Trisquel or Ubuntu modify the UEFI firmware? How does Secure Boot prevent this? It would seem like Secure Boot wouldn't help if normal programs can modify the settings (e.g. to disable Secure Boot) or the firmware itself (e.g. to install a firmware that does not enforce Secure Boot), but clearly I'm misunderstanding something.

As far as I know Trisquel does not support Secure Boot. But maybe it would be more accurate to say it's missing documentation about how to use Trisquel with Secure Boot.
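Since the thread turns on whether Secure Boot is actually enforcing (the post notes Bootkitty is self-signed and will not load under Secure Boot), here is an added example of the check a defender would run on an Ubuntu or Trisquel box. It is not code from either post or from ESET; it reads the `SecureBoot` and `SetupMode` variables through efivarfs and treats the firmware as enforcing only when Secure Boot is on and Setup Mode is off (in Setup Mode the key databases are writable from the OS, so an enabled flag alone is not enough).

```python
"""Report UEFI Secure Boot state from the Linux efivarfs interface.

Added example, not from the forum posts or from ESET's write-up.
"""
from pathlib import Path
from typing import Optional

# EFI_GLOBAL_VARIABLE GUID; efivarfs names variables <Name>-<GUID>.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")


def parse_efivar(blob: bytes) -> bytes:
    """efivarfs files start with a 4-byte little-endian attribute word,
    followed by the variable data. Return only the data part."""
    if len(blob) < 4:
        raise ValueError("efivar blob too short for attribute header")
    return blob[4:]


def secure_boot_state(secureboot: bytes, setupmode: bytes) -> dict:
    """Interpret raw SecureBoot and SetupMode efivar files (1 byte of data
    each). 'enforcing' is True only when Secure Boot is on AND the firmware
    is not in Setup Mode (where PK/KEK/db can be rewritten from the OS)."""
    sb = parse_efivar(secureboot)
    sm = parse_efivar(setupmode)
    enabled = len(sb) >= 1 and sb[0] == 1
    setup = len(sm) >= 1 and sm[0] == 1
    return {"secure_boot": enabled, "setup_mode": setup,
            "enforcing": enabled and not setup}


def read_system_state() -> Optional[dict]:
    """Read the live variables; None means legacy BIOS boot or efivarfs
    is not mounted, so Secure Boot cannot be enforcing."""
    try:
        sb = (EFIVARS / f"SecureBoot-{EFI_GLOBAL_GUID}").read_bytes()
        sm = (EFIVARS / f"SetupMode-{EFI_GLOBAL_GUID}").read_bytes()
    except OSError:
        return None
    return secure_boot_state(sb, sm)


if __name__ == "__main__":
    state = read_system_state()
    if state is None:
        print("No efivarfs: legacy BIOS boot or efivarfs not mounted")
    else:
        print(state)
```

The same information is shown by `mokutil --sb-state` on Ubuntu; this script just makes the Setup Mode caveat explicit.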