First Linux UEFI Bootkit 'Bootkitty' Discovered Targeting Ubuntu
2024-11-28
Need some FUD? Learn about the emerging threat of Linux UEFI bootkits and how they highlight vulnerabilities in cloud environments.
The discovery of 'Bootkitty,' the first UEFI bootkit malware targeting Linux, marks a shift in bootkit threats that have traditionally focused on Windows. This proof-of-concept malware affects only certain Ubuntu versions and disables kernel signature verification during system boot. It is signed with a self-signed certificate, so it cannot run on a system with Secure Boot enforced unless that certificate has first been enrolled in the firmware's trusted store. Although Bootkitty is not yet a fully developed threat, it signifies an evolution in the UEFI bootkit space. Once running, it hooks the UEFI image-authentication protocols so that Secure Boot checks pass for the rest of the boot chain, and patches GRUB and the kernel to disable signature verification, allowing malicious modules to load. Despite its potential, Bootkitty's current implementation is limited by compatibility problems and remains unsuitable for widespread deployment.
Malware, Privilege Escalation, Open Source
UEFI bootkit, Linux malware, Bootkitty, Ubuntu security, ESET research, Secure Boot bypass
N/A
Ubuntu, GRUB, Linux kernel
Discovery of 'Bootkitty': A New Linux UEFI Bootkit
The cybersecurity landscape has seen a significant development with the discovery of 'Bootkitty,' the first UEFI bootkit malware designed specifically for Linux systems. Historically, bootkits have almost exclusively targeted Windows, so this is a notable shift in threat focus.

What is Bootkitty?
'Bootkitty' is a proof-of-concept malware that targets specific Ubuntu Linux versions and configurations. It is not a fully operational threat currently deployed in real-world attacks, but its existence signals an evolution in bootkit threats. Bootkits run before the operating system and can therefore evade security tools that operate at the OS level, modifying system components or injecting malicious code before those tools ever start.

How Bootkitty Operates
ESET researchers discovered Bootkitty after analyzing a suspicious file named bootkit.efi that had been uploaded to VirusTotal. The malware disables Linux kernel signature verification so that it can preload malicious components during the boot process. It is signed with a self-signed certificate, which means it cannot execute on systems with Secure Boot enforced unless the attacker has first enrolled that certificate in the firmware's trusted store. It also targets specific Ubuntu builds, relying on hardcoded offsets and simple byte-pattern matching to locate the code it patches, which makes it unsuitable for broad deployment.

Technical Details of Bootkitty
During boot, Bootkitty hooks the UEFI image-authentication protocols, specifically EFI_SECURITY2_ARCH_PROTOCOL and EFI_SECURITY_ARCH_PROTOCOL, so that the firmware's authentication functions report success for whatever the bootkit loads next; this bypasses Secure Boot's integrity checks for the remainder of the boot chain. (These hooks only come into play once Bootkitty itself has been executed, which on a Secure Boot system requires its certificate to have been enrolled.) It then patches GRUB functions such as start_image and grub_verifiers_open to turn off signature verification for the binaries GRUB loads, including the Linux kernel. Finally, Bootkitty intercepts the kernel's decompression and patches the kernel's module_sig_check function in memory so that it always returns success, allowing unsigned kernel modules to load.

Potential Impact and Limitations
Despite its capabilities, Bootkitty is currently limited by its lack of refinement. It contains many unused functions and has poor compatibility with different kernel versions, often crashing the system. Its reliance on specific GRUB and kernel versions further restricts its usability.

Additional Findings
The researchers noted that the same user who uploaded Bootkitty to VirusTotal also uploaded an unsigned kernel module named 'BCDropper.' Although the evidence linking the two is weak, BCDropper drops an ELF file named 'BCObserver,' a kernel module with rootkit functionality such as hiding files and processes and opening ports on the infected system.
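The Secure Boot caveat above (a self-signed bootkit only runs under enforced Secure Boot if its certificate was first enrolled in a trusted store) is something a responder can check directly on a host. The following is an added example, not code from the article or from ESET's research: a Python script that decodes the SecureBoot and SetupMode variables and walks the EFI_SIGNATURE_LIST structures in the firmware db and shim's MokListRT, printing every enrolled certificate fingerprint and hash so an unexpected signer stands out. The sample store, the placeholder certificate bytes and the "attacker" owner GUID are constructed for the demo; the vendor owner GUID is the SignatureOwner Microsoft uses in shipped db entries.

```python
"""Who is trusted to boot this Linux host?  (added triage example)

Bootkitty is signed with a self-signed certificate, so with UEFI Secure Boot
enforced it can only run if that certificate was first enrolled in a trusted
store: the firmware 'db' variable or shim's MOK list. This script decodes the
SecureBoot/SetupMode state and lists every certificate and hash enrolled in db
and MokListRT. Sample data below is constructed; run as root for live efivars.
"""
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"      # SecureBoot, SetupMode
IMAGE_SECURITY_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"       # MokListRT (shim)
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIGLIST_HDR = struct.Struct("<III")     # SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_FIXED = 16 + SIGLIST_HDR.size   # SignatureType GUID + the three sizes


def efivar_payload(raw):
    """efivarfs prepends a 4-byte attribute word to the variable data; strip it."""
    if len(raw) < 4:
        raise ValueError("efivar shorter than its attribute header")
    return raw[4:]


def secure_boot_enforced(secureboot_raw, setupmode_raw):
    """The boot chain is only protected when SecureBoot==1 and SetupMode==0."""
    return (efivar_payload(secureboot_raw)[:1] == b"\x01"
            and efivar_payload(setupmode_raw)[:1] == b"\x00")


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures (the payload of db, dbx,
    KEK or MokListRT) and return every EFI_SIGNATURE_DATA entry as a dict."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < SIGLIST_FIXED:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off + 16)
        start, end = off + SIGLIST_FIXED + hdr_size, off + list_size
        if sig_size < 16 or start > end or end > len(blob) or (end - start) % sig_size:
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST sizes at offset {off}")
        for pos in range(start, end, sig_size):   # each entry: SignatureOwner GUID + data
            entries.append({"type": sig_type,
                            "owner": uuid.UUID(bytes_le=blob[pos:pos + 16]),
                            "data": blob[pos + 16:pos + sig_size]})
        off = end
    return entries


def describe(entry):
    """One line per entry; compare x509 fingerprints with your distro's published CA fingerprints."""
    if entry["type"] == EFI_CERT_X509:
        return f"x509   owner={entry['owner']} sha256:{hashlib.sha256(entry['data']).hexdigest()}"
    if entry["type"] == EFI_CERT_SHA256:
        return f"sha256 owner={entry['owner']} {entry['data'].hex()}"
    return f"{entry['type']} owner={entry['owner']} {len(entry['data'])} bytes"


def unexpected_owners(entries, trusted_owners):
    """Entries whose SignatureOwner GUID the operator did not enroll."""
    return [e for e in entries if e["owner"] not in trusted_owners]


def build_signature_list(sig_type, owner, payloads, header=b""):
    """Inverse of parse_signature_lists; used here only to construct sample data."""
    sig_size = 16 + len(payloads[0])
    assert all(len(p) + 16 == sig_size for p in payloads), "one list holds equal-sized entries"
    body = b"".join(owner.bytes_le + p for p in payloads)
    return (sig_type.bytes_le
            + SIGLIST_HDR.pack(SIGLIST_FIXED + len(header) + len(body), len(header), sig_size)
            + header + body)


def read_efivar(name, guid):
    """Raw variable (attribute word included) from efivarfs, or None if unavailable."""
    try:
        with open(os.path.join(EFIVARS, f"{name}-{guid}"), "rb") as f:
            return f.read()
    except OSError:
        return None


# Constructed sample store: a stand-in vendor certificate, one extra self-signed
# certificate enrolled under an unknown owner, and one allowed-hash entry.
VENDOR_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")     # Microsoft's db owner GUID
ATTACKER_OWNER = uuid.UUID("00000000-0000-0000-0000-0000deadbeef")   # constructed
FAKE_VENDOR_CERT = b"\x30\x82\x01\x00" + bytes(range(64))            # placeholder, not real DER
FAKE_SELF_SIGNED = b"\x30\x82\x01\x00" + bytes(reversed(range(64)))  # placeholder bootkit signer
SAMPLE_DB = (build_signature_list(EFI_CERT_X509, VENDOR_OWNER, [FAKE_VENDOR_CERT])
             + build_signature_list(EFI_CERT_X509, ATTACKER_OWNER, [FAKE_SELF_SIGNED])
             + build_signature_list(EFI_CERT_SHA256, VENDOR_OWNER, [hashlib.sha256(b"shimx64.efi").digest()]))
SAMPLE_SECUREBOOT = b"\x06\x00\x00\x00\x01"   # attrs BS|RT, then value 1
SAMPLE_SETUPMODE = b"\x06\x00\x00\x00\x00"

if __name__ == "__main__":
    sb, sm = read_efivar("SecureBoot", EFI_GLOBAL_GUID), read_efivar("SetupMode", EFI_GLOBAL_GUID)
    if sb and sm:
        stores = {"db": read_efivar("db", IMAGE_SECURITY_GUID),
                  "MokListRT": read_efivar("MokListRT", SHIM_LOCK_GUID)}
    else:
        print("no efivars access: using the constructed sample store")
        sb, sm, stores = SAMPLE_SECUREBOOT, SAMPLE_SETUPMODE, {"db(sample)": b"\0\0\0\0" + SAMPLE_DB}
    print("Secure Boot enforced:", secure_boot_enforced(sb, sm))
    for name, raw in stores.items():
        entries = parse_signature_lists(efivar_payload(raw)) if raw else []
        print(f"[{name}] {len(entries)} entries")
        for e in entries:
            print("  " + describe(e))
        for e in unexpected_owners(entries, {VENDOR_OWNER}):
            print("  !! not an owner you enrolled:", describe(e))
```

Run as root on a UEFI host to read the live variables; without access it falls back to the constructed sample, where the second x509 entry is reported as an owner you did not enroll. The trusted-owner set is yours to maintain (OEM and distribution entries have their own owner GUIDs), and a cert fingerprint that matches nothing your distribution publishes is exactly the precondition a self-signed bootkit would need on a Secure Boot machine. Note that SetupMode==1 means the firmware accepts key changes without authentication, so Secure Boot is not actually enforcing anything even if SecureBoot reads 1.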