12-02-2024, 10:22 PM
Used to be that Linux users had a kind of inflated sense of security about bootkits since up until now, it was a threat only to windows systems...
That time has ended... welcome to "Bootkitty" (someone has poured resources and effort into crating a bootkit for UNIX systems...)
![[Image: bootkitty-ascii-logo.png]](https://cdn.arstechnica.net/wp-content/uploads/2024/11/bootkitty-ascii-logo.png)
From ArsTechnica: Found on VirusTotal: The world’s first UEFI bootkit for Linux
Researchers at security firm ESET said Wednesday that they found the first UEFI bootkit for Linux. The discovery may portend that UEFI bootkits that have targeted Windows systems in recent years may soon target Linux too.
Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to many Windows UEFI bootkits, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu.
This malicious code is far from perfect, it leaves traces of itself behind.
Despite working on a handful of Ubuntu versions, Bootkitty contains flaws and limitations in crucial functionality required for it to run on a wider based on machines. One imperfection resides in the way the bootkit modifies the decompressed Linux kernel. As shown in the chunk of Bootkitty code displayed below, once the kernel image is decompressed, Bootkitty simply copies the malicious patches to the hardcoded offsets within the kernel image.
The result: “due to the lack of kernel-version checks in the function shown in [the figure above] Bootkitty can get to the point where it patches completely random code or data at these hardcoded offsets, thus crashing the system instead of compromising it,” ESET researchers explained.
Just thought I'd share the news.
That time has ended... welcome to "Bootkitty" (someone has poured resources and effort into crating a bootkit for UNIX systems...)
From ArsTechnica: Found on VirusTotal: The world’s first UEFI bootkit for Linux
Researchers at security firm ESET said Wednesday that they found the first UEFI bootkit for Linux. The discovery may portend that UEFI bootkits that have targeted Windows systems in recent years may soon target Linux too.
Bootkitty—the name unknown threat actors gave to their Linux bootkit—was uploaded to VirusTotal earlier this month. Compared to many Windows UEFI bootkits, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu.
This malicious code is far from perfect, it leaves traces of itself behind.
Despite working on a handful of Ubuntu versions, Bootkitty contains flaws and limitations in crucial functionality required for it to run on a wider based on machines. One imperfection resides in the way the bootkit modifies the decompressed Linux kernel. As shown in the chunk of Bootkitty code displayed below, once the kernel image is decompressed, Bootkitty simply copies the malicious patches to the hardcoded offsets within the kernel image.
The result: “due to the lack of kernel-version checks in the function shown in [the figure above] Bootkitty can get to the point where it patches completely random code or data at these hardcoded offsets, thus crashing the system instead of compromising it,” ESET researchers explained.
Just thought I'd share the news.
