A new class of infections has emerged in the Linux world, mirroring the notorious UEFI bootkits that target Windows machines. The malware, dubbed Bootkitty, infects firmware that runs before the operating system loads, allowing it to persist even after a hard drive replacement or format.
Researchers at ESET have detected Bootkitty on VirusTotal and believe it may be a proof-of-concept release, lacking key functionality to spread across all Linux distributions. However, this discovery suggests threat actors are developing a Linux version of the same type of unkillable bootkit that previously targeted Windows machines.
The emergence of Bootkitty highlights the growing concern about UEFI threats, shattering the notion that modern UEFI bootkits are exclusive to Windows. Although the current version poses no significant threat, it emphasizes the importance of being prepared for potential future attacks.
To understand the risks: a rootkit is malware that runs in the deepest layers of an operating system and hides its presence from the OS itself. A bootkit instead infects the boot process, lurking in the firmware of UEFI systems. These persistent threats give an attacker a stealthy way to backdoor the OS before it has fully loaded and before its security defenses are active.
Installing a bootkit requires administrative control of a machine, gained either through physical access or by exploiting critical vulnerabilities. An attacker who has cleared that bar can already install OS-resident malware, but a bootkit is more powerful: it runs before the OS loads, making it undetectable and unremovable.
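Because a bootkit lives in the boot chain rather than in the running OS, the two checks a defender can still make from a Linux host are whether Secure Boot is actually enforced and whether the EFI binaries on the EFI System Partition still match a known-good baseline. The script below is an added example and is not code from the article or from ESET's research. It assumes the standard efivarfs layout (each variable file carries 4 bytes of attribute flags before its data) and a baseline of SHA-256 hashes that the administrator recorded on a clean system; the sample ESP contents and baseline are constructed inline so it runs offline.

```python
from __future__ import annotations

import hashlib
from pathlib import Path

# Real locations on a Linux host (used only by main(), not by the offline sample).
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
SECURE_BOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
ESP_DIR = Path("/boot/efi")


def parse_efivar_value(raw: bytes) -> bytes:
    """efivarfs prefixes every variable with 4 bytes of attribute flags; strip them."""
    if len(raw) < 4:
        raise ValueError("efivar payload too short to contain attribute flags")
    return raw[4:]


def secure_boot_enabled(raw: bytes) -> bool:
    """The SecureBoot variable holds a single byte: 1 when enforcement is on."""
    data = parse_efivar_value(raw)
    return len(data) >= 1 and data[0] == 1


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_boot_binaries(binaries: dict[str, bytes], baseline: dict[str, str]) -> dict[str, str]:
    """Compare ESP binaries against the recorded baseline.

    Verdicts: 'ok' (hash matches), 'MODIFIED' (hash differs), 'MISSING'
    (in baseline but gone from disk) and 'UNEXPECTED' (on disk but never
    baselined). A bootkit install typically shows up as MODIFIED or UNEXPECTED.
    """
    verdicts: dict[str, str] = {}
    for path, expected in baseline.items():
        if path not in binaries:
            verdicts[path] = "MISSING"
        elif sha256_of(binaries[path]) != expected:
            verdicts[path] = "MODIFIED"
        else:
            verdicts[path] = "ok"
    for path in binaries:
        if path not in baseline:
            verdicts[path] = "UNEXPECTED"
    return verdicts


def read_efi_binaries(esp_dir: Path) -> dict[str, bytes]:
    """Collect every *.efi file under the ESP, keyed by its path relative to the ESP."""
    return {
        str(p.relative_to(esp_dir)): p.read_bytes()
        for p in esp_dir.rglob("*.efi")
        if p.is_file()
    }


# Constructed sample data (not real firmware images): attribute flags 0x06, then the value byte.
SAMPLE_SB_ENABLED = bytes([0x06, 0x00, 0x00, 0x00, 0x01])
SAMPLE_SB_DISABLED = bytes([0x06, 0x00, 0x00, 0x00, 0x00])

# Constructed ESP snapshot: one untouched loader, one tampered shim, one unknown binary.
SAMPLE_BINARIES = {
    "EFI/BOOT/BOOTX64.EFI": b"constructed clean fallback loader",
    "EFI/ubuntu/shimx64.efi": b"constructed shim with patched bytes",
    "EFI/unknown/extra.efi": b"constructed binary that was never baselined",
}

# Constructed baseline recorded from a clean system (grubx64.efi was present then).
SAMPLE_BASELINE = {
    "EFI/BOOT/BOOTX64.EFI": sha256_of(b"constructed clean fallback loader"),
    "EFI/ubuntu/shimx64.efi": sha256_of(b"constructed original shim"),
    "EFI/ubuntu/grubx64.efi": sha256_of(b"constructed original grub"),
}


def main() -> None:
    # Offline demonstration on the constructed data.
    print("sample Secure Boot enabled:", secure_boot_enabled(SAMPLE_SB_ENABLED))
    for path, verdict in sorted(check_boot_binaries(SAMPLE_BINARIES, SAMPLE_BASELINE).items()):
        print(f"{verdict:10} {path}")
    # Live check, only when run on a UEFI Linux host.
    var_file = EFIVARS_DIR / SECURE_BOOT_VAR
    if var_file.exists():
        print("host Secure Boot enabled:", secure_boot_enabled(var_file.read_bytes()))


if __name__ == "__main__":
    main()
```

On a real host, replace SAMPLE_BASELINE with hashes recorded right after provisioning and re-run after every bootloader update; a Secure Boot state of disabled, or any MODIFIED or UNEXPECTED verdict, is the signal to pull the ESP image for forensic review rather than trust in-OS tooling.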
Source: https://arstechnica.com/security/2024/11/found-in-the-wild-the-worlds-first-unkillable-uefi-bootkit-for-linux