Over the past decade, a brand new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits proceed to run even when the harddrive is replaced or reformatted. Now the identical sort of chip-dwelling malware has been present in the wild for backdooring Linux machines.
Researchers at security firm ESET said Wednesday that Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. In comparison with its Windows cousins, Bootkitty continues to be relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to contaminate all Linux distributions apart from Ubuntu. That has led the corporate researchers to suspect the brand new bootkit is probably going a proof-of-concept release. Up to now, ESET has found no evidence of actual infections within the wild.
Be prepared
Still, Bootkitty suggests threat actors could also be actively developing a Linux version of the identical type of unkillable bootkit that previously was found only targeting Windows machines.
“Whether a proof of concept or not, Bootkitty marks an interesting move forward within the UEFI threat landscape, breaking the assumption about modern UEFI bootkits being Windows-exclusive threats,” ESET researchers wrote. “Despite the fact that the present version from VirusTotal doesn’t, in the meanwhile, represent an actual threat to nearly all of Linux systems, it emphasizes the need of being prepared for potential future threats.”
A rootkit is a chunk of malware that runs within the deepest regions of the operating system it infects. It leverages this strategic position to cover details about its presence from the operating system itself. A bootkit, meanwhile, is malware that infects the boot-up process in much the identical way. Bootkits for the UEFI—short for Unified Extensible Firmware Interface—lurk within the chip-resident firmware that runs every time a machine boots. These forms of bootkits can persist indefinitely, providing a stealthy means for backdooring the operating system even before it has fully loaded and enabled security defenses akin to antivirus software.
The bar for installing a bootkit is high. An attacker first must gain administrative control of the targeted machine, either through physical access while it’s unlocked or one way or the other exploiting a critical vulnerability within the OS. Under those circumstances, attackers have already got the flexibility to put in OS-resident malware. Bootkits, nonetheless, are way more powerful since they (1) run before the OS does and (2) are, no less than practically speaking, undetectable and unremovable.