The discovery of the first UEFI bootkit designed for Linux systems, referred to as Bootkitty by its creators, has raised concerns among cybersecurity experts. ESET Research, the team behind the discovery, believes that this bootkit is likely a proof of concept and has not been deployed in the wild as of yet.
Bootkitty’s main objective is to disable the kernel’s signature verification feature and preload two unknown ELF binaries via the Linux “init” process during system startup. This previously unidentified UEFI application, named “bootkit.efi,” was uploaded to VirusTotal and is signed by a self-signed certificate, making it unable to run on systems with UEFI Secure Boot enabled by default. However, Bootkitty is designed to seamlessly boot the Linux kernel by patching the necessary functions responsible for integrity verification in memory, regardless of UEFI Secure Boot settings.
This advanced bootkit has the capability to replace the boot loader and patch the kernel before execution, allowing attackers to take full control over the affected machine. By co-opting the boot process and executing malware before the operating system starts, Bootkitty poses a significant threat to Linux systems.
During their analysis, ESET researchers discovered a related unsigned kernel module named BCDropper, which hints at a possible connection to the creators of Bootkitty. BCDropper deploys an ELF binary responsible for loading another unknown kernel module, adding to the complexity of the threat posed by these malicious tools.
While the current version of Bootkitty may not pose a significant threat to most Linux systems, it serves as a stark reminder of the importance of maintaining system security measures. ESET researcher Martin Smolár emphasizes the necessity of enabling UEFI Secure Boot, keeping system firmware, security software, and the operating system up to date, and regularly updating the UEFI revocations list to defend against potential future threats.
In ESET’s testing environment, researchers observed that the kernel on systems with Bootkitty present was marked as tainted, indicating the bootkit’s impact on the kernel. To check for the presence of the bootkit on a system with UEFI Secure Boot enabled, researchers suggest attempting to load an unsigned dummy kernel module at runtime. With Secure Boot enabled, the kernel should refuse such a module; if the module loads anyway, that confirms the presence of the bootkit.
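As a read-only complement to the dummy-module check above, the following script is an added example, not ESET’s tooling: it decodes the kernel taint bitmask and the UEFI SecureBoot variable and flags the contradiction the article describes, Secure Boot reported on while an unsigned module has been accepted. It assumes the standard procfs and sysfs paths (both overridable through environment variables for testing) and the kernel’s documented taint bits 12 (`O`, out-of-tree module) and 13 (`E`, unsigned module).

```shell
#!/bin/sh
# Added example (not ESET's code). Reads the kernel taint mask and the UEFI
# SecureBoot efivar and reports whether the two are consistent with each other.
# Paths can be overridden with TAINT_FILE / SB_VAR so the functions are testable.

TAINT_FILE="${TAINT_FILE:-/proc/sys/kernel/tainted}"
SB_VAR="${SB_VAR:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"

# taint_has_bit <mask> <bit>: succeeds when <bit> is set in the decimal taint mask.
taint_has_bit() {
    [ $(( ($1 >> $2) & 1 )) -eq 1 ]
}

# taint_flags <mask>: prints the flag letters relevant to module loading.
#   bit 12 'O' = out-of-tree module loaded, bit 13 'E' = unsigned module loaded.
taint_flags() {
    flags=""
    taint_has_bit "$1" 12 && flags="${flags}O"
    taint_has_bit "$1" 13 && flags="${flags}E"
    printf '%s' "$flags"
}

# secureboot_state <efivar-file>: prints "on", "off" or "unknown".
# The efivar blob is 4 bytes of variable attributes followed by the 1-byte value.
secureboot_state() {
    [ -r "$1" ] || { printf 'unknown'; return; }
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')
    case "$v" in
        1) printf 'on' ;;
        0) printf 'off' ;;
        *) printf 'unknown' ;;
    esac
}

# assess <taint-mask> <sb-state>: "suspect" when Secure Boot is on yet an unsigned
# module has been accepted, something module signature enforcement should prevent.
assess() {
    if [ "$2" = "on" ] && taint_has_bit "$1" 13; then
        printf 'suspect'
    else
        printf 'consistent'
    fi
}

main() {
    mask=$(cat "$TAINT_FILE" 2>/dev/null || echo 0)
    sb=$(secureboot_state "$SB_VAR")
    printf 'secureboot=%s taint=%s flags=%s verdict=%s\n' \
        "$sb" "$mask" "$(taint_flags "$mask")" "$(assess "$mask" "$sb")"
}

main "$@"
```

A "suspect" verdict is only a hint; the dummy-module load suggested by ESET remains the direct test, since a kernel can also report `E` for unsigned modules loaded before a bootkit was ever involved.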
The evolution of the UEFI threat landscape, particularly the emergence of UEFI bootkits, has been a cause for concern in recent years. From initial proof of concepts to real-world discoveries, such as ESET’s uncovering of the ESPecter bootkit in 2021 and the BlackLotus UEFI bootkit in 2023, the threat to system security continues to evolve.
As cybersecurity threats become more sophisticated, it is essential for organizations and individuals to remain vigilant and adopt best practices to protect their systems from potential attacks. The discovery of the Bootkitty UEFI bootkit for Linux systems serves as a reminder of the ever-present need for robust cybersecurity measures in an increasingly digital world.