The World's First Unkillable UEFI Bootkit For Linux (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.
Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.
Imagine a Beowulf Cluster... (Score:1)
Re: Imagine a Beowulf Cluster... (Score:2)
Imagine having unstoppable diarrh.... Eh, nevermind.
article doesn't support summary (Score:5, Informative)
Summary claims firmware is infected.
Article claims GRUB and kernel are infected.
Re: (Score:3)
Yeah, it looks like they all make use of the UEFI formalised storage (partition) on the HDD/SSD. So the idea of it being in the firmware is plain wrong.
Re:article doesn't support summary (Score:4, Insightful)
I would still prefer a 1989-style BIOS flash jumper, though.
Please let me pay $10 more for a $0.04 jumper. I don't even care if it's dangerous by default to keep the support calls down.
Re: (Score:2)
>"I would still prefer a 1989-style BIOS flash jumper, though."
THIS. I was going to say the same thing. Why can't we have some PHYSICAL barrier to messing with important stuff!?! Doesn't even have to be a jumper - how about holding the reset button while pressing power on?
Re: (Score:2)
That only worked because the BIOS chip was a ROM chip that had separate address, data and control lines. To write to them you needed to actually control the write enable line. The jumper made it such that it was not possible to write to the chip because it would physically disconnect the line.
These days, the BIOS is within a
Wait what? (Score:2)
Additionally, the inability to defeat Secure Boot limits infection opportunities to devices that (1) don’t enable the defense or (2) have already been compromised by the same attacker to install a self-signed cryptographic certificate.
Why would you install a signed bootloader shim only to also disable the very purpose of having a signed bootloader shim? Isn't the point of the signed GRUB shim to enable UEFI secure boot? *facepalm*
At Last! (Score:2)
Secure Boot protects from this (Score:2)
"The Bootkitty sample ESET found is unable to override a defense, known as UEFI Secure Boot"
So if an attacker gets root they can install anything into the EFI partition, and if secure boot is off, the computer will boot it? Whoop-de-doo... how is this anything new?
Re: (Score:2)
Currently, the malicious pre-grub patcher is stored on the ESP so it's as "simple" as using an external trusted host to scan the boot drive and erase it. The fact that it works on the kernel by just blindly overwriting certain offsets clearly says "this is a prototype." But if they can find a way to write it into the bios flash, that's Game O
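The "scan the boot drive from a trusted host" idea above, as an added example (not code from the article, ESET or the Bootkitty sample): hash every file on a mounted ESP, diff it against a baseline taken while the machine was known-good, and decode the SecureBoot efivar so the Secure Boot state from the earlier comments can be checked too. The mount point /boot/efi and the sample ESP layout are assumptions; the demo builds a constructed ESP in a temp directory.

```python
import hashlib
import json
import os
import sys
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_baseline(baseline, current):
    """Files that appeared, vanished, or changed since the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def secure_boot_enabled(efivar_bytes):
    """Decode the SecureBoot variable as exposed by Linux efivarfs: four
    attribute bytes followed by one data byte (1 = enabled, 0 = disabled)."""
    return efivar_bytes[4] == 1 if len(efivar_bytes) >= 5 else None


def demo():
    """Constructed ESP: GRUB image overwritten after baselining, plus a stray .efi."""
    esp = tempfile.mkdtemp()
    grub = os.path.join(esp, "EFI", "ubuntu", "grubx64.efi")
    os.makedirs(os.path.dirname(grub))
    with open(grub, "wb") as f:
        f.write(b"original grub image (constructed)")
    baseline = hash_tree(esp)  # taken on the trusted host while known-good
    with open(grub, "wb") as f:
        f.write(b"modified grub image (constructed)")
    with open(os.path.join(esp, "EFI", "ubuntu", "extra.efi"), "wb") as f:
        f.write(b"unexpected file (constructed)")
    return diff_baseline(baseline, hash_tree(esp))


if __name__ == "__main__":
    # With a mounted ESP path (e.g. /boot/efi) as argument, print a baseline to keep offline.
    print(json.dumps(hash_tree(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

Store the baseline off the machine and compare against it from the trusted host; any entry under "added" or "changed" is a boot-path file to inspect before the disk boots again.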
Is MBR still an option for Windows? (Score:2)
Re: (Score:3)
Windows 10? Yes. Windows 11? No. People should be migrating off of 10 to something else anyway.
Re: (Score:2)
That's interesting, because it was possible. I did it in a VM by accident by not turning enough stuff on and turning off too many checks. When I later wanted to turn all the features on I had to convert my "disk" to the newer format.
Know how I know your article is written by AI? (Score:2)
"To date, ESET has found no evidence of actual infections in the wild."
These contradictions are in the same paragraph. Not just the same article. No one edits their chatbot's work at Ars, apparently.