The World's First Unkillable UEFI Bootkit For Linux (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: Over the past decade, a new class of infections has threatened Windows users. By infecting the firmware that runs immediately before the operating system loads, these UEFI bootkits continue to run even when the hard drive is replaced or reformatted. Now the same type of chip-dwelling malware has been found in the wild for backdooring Linux machines. Researchers at security firm ESET said Wednesday that Bootkitty -- the name unknown threat actors gave to their Linux bootkit -- was uploaded to VirusTotal earlier this month. Compared to its Windows cousins, Bootkitty is still relatively rudimentary, containing imperfections in key under-the-hood functionality and lacking the means to infect all Linux distributions other than Ubuntu. That has led the company researchers to suspect the new bootkit is likely a proof-of-concept release. To date, ESET has found no evidence of actual infections in the wild.
Still, Bootkitty suggests threat actors may be actively developing a Linux version of the same sort of unkillable bootkit that previously was found only targeting Windows machines. "Whether a proof of concept or not, Bootkitty marks an interesting move forward in the UEFI threat landscape, breaking the belief about modern UEFI bootkits being Windows-exclusive threats," ESET researchers wrote. "Even though the current version from VirusTotal does not, at the moment, represent a real threat to the majority of Linux systems, it emphasizes the necessity of being prepared for potential future threats." [...] As ESET notes, the discovery is nonetheless significant because it demonstrates someone -- most likely a malicious threat actor -- is pouring resources and considerable know-how into creating working UEFI bootkits for Linux. Currently, there are few simple ways for people to check the integrity of the UEFI running on either Windows or Linux devices. The demand for these sorts of defenses will likely grow in the coming years.
Imagine a Beowulf Cluster... (Score:1)
Re: Imagine a Beowulf Cluster... (Score:2)
Imagine having unstoppable diarrh.... Eh, nevermind.
Re: Imagine a Beowulf Cluster... (Score:2)
Imagine a cloud data center infected by this - attacking all the other data centers.
article doesn't support summary (Score:5, Informative)
Summary claims firmware is infected.
Article claims GRUB and kernel are infected.
Re: (Score:3)
Yeah, looks like they all make use of the UEFI formalised storage (partition) on the HDD/SSD. So the idea of it being in the firmware is plain wrong.
Re:article doesn't support summary (Score:5, Insightful)
I would still prefer a 1989-style BIOS flash jumper, though.
Please let me pay $10 more for a $0.04 jumper. I don't even care if it's dangerous by default to keep the support calls down.
Re: (Score:3)
>"I would still prefer a 1989-style BIOS flash jumper, though."
THIS. I was going to say the same thing. Why can't we have some PHYSICAL barrier to messing with important stuff!?! Doesn't even have to be a jumper. How about holding the reset button while pressing power on?
Re:article doesn't support summary (Score:5, Interesting)
That only worked because the BIOS chip was a ROM chip that had separate address, data and control lines. To write to them you needed to actually control the write enable line. The jumper made it such that it was not possible to write to the chip because it would physically disconnect the line.
These days, the BIOS is within a LPC (low pin count) interface, which is a bidirectional interface. There is no write enable line you can control - if you did it on the interface, it would disable it from working. It's just a high speed serial interface used to talk to many low speed peripherals without consuming many pins. There is no way you can physically disconnect the ability to write to the chip because you need to write to it in order to read from it.
Re: article doesn't support summary (Score:2)
The interface doesn't prevent the possibility of having a write enable pin on the chip for the firmware.
Re: (Score:2)
Yes. This. Or maybe a mode like modern PCs where you put the BIOS update on a USB flash drive, stick it in a slot, power the machine down, hold down a button on the back, so the motherboard processor (not the CPU) fetches the BIOS update and applies it, all offline. Something that takes direct user action.
For company owned PCs, have it signed by whatever MDM is managing them.
This should be a solved problem, as exactly the parent mentioned. People knew that rogue BIOS flashing was a thing decades ago, an
Re: (Score:2)
Why take such lame half measures? Socketed EPROMs eliminate issues with flash updates altogether.
Re: (Score:2)
I would still prefer a 1989-style BIOS flash jumper, though.
or EPROMS. If only we knew now what we knew then.
Wait what? (Score:2)
Additionally, the inability to defeat Secure Boot limits infection opportunities to devices that (1) don’t enable the defense or (2) have already been compromised by the same attacker to install a self-signed cryptographic certificate.
Why would you install a signed bootloader shim only to also disable the very purpose of having a signed bootloader shim? Isn't the point of the signed GRUB shim to enable UEFI secure boot? *facepalm*
Re: Wait what? (Score:2)
Add to it that the key has to be known, and if your installation media key isn't known by the UEFI, your option is to turn off secure boot unless you can install the key into the UEFI.
Ventoy has an option where you can install a UEFI key.
So the UEFI might not be as secure as you think.
At Last! (Score:3)
Secure Boot protects from this (Score:2)
"The Bootkitty sample ESET found is unable to override a defense, known as UEFI Secure Boot"
So if an attacker gets root they can install anything into the EFI partition, and if secure boot is off, the computer will boot it? Whoop-de-doo... how is this anything new?
Re: (Score:2)
Currently, the malicious pre-grub patcher is stored on the ESP so it's as "simple" as using an external trusted host to scan the boot drive and erase it. The fact that it works on the kernel by just blindly overwriting certain offsets clearly says "this is a prototype." But if they can find a way to write it into the bios flash, that's Game O
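One defensive check in the spirit of the comment above: from a trusted host, hash every file on the mounted ESP and diff it against a baseline taken when the machine was known-good, and read the SecureBoot variable through efivarfs to confirm the defense is actually on. This is an added example, not code from the article or from ESET; the file names in the sample data are constructed, and the `/mnt/esp` path is an assumed mount point.

```python
import hashlib
import json
import sys
from pathlib import Path

# EFI global-variable namespace GUID; the SecureBoot variable is published under it by efivarfs.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = Path("/sys/firmware/efi/efivars")


def hash_files(files):
    """Map each (relative path, content bytes) pair to its SHA-256 hex digest."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files}


def hash_esp(root):
    """Walk a mounted ESP (assumed path, e.g. /mnt/esp) and hash every regular file on it."""
    root = Path(root)
    paths = sorted(p for p in root.rglob("*") if p.is_file())
    return hash_files((p.relative_to(root).as_posix(), p.read_bytes()) for p in paths)


def diff_esp(baseline, current):
    """Anything added or modified under EFI/ (shim, GRUB, loaders) deserves a closer look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def parse_secure_boot_var(raw):
    """efivarfs prefixes 4 attribute bytes; SecureBoot's payload is a single byte, 1 = enabled."""
    if len(raw) < 5:
        return None
    return raw[4] == 1


def secure_boot_enabled(efivars_dir=EFIVARS_DIR):
    var = Path(efivars_dir) / f"SecureBoot-{EFI_GLOBAL_GUID}"
    if not var.exists():
        return None  # legacy BIOS boot, or efivarfs not mounted on this host
    return parse_secure_boot_var(var.read_bytes())


if __name__ == "__main__":
    # Usage: esp_check.py baseline.json /mnt/esp   (writes the baseline if it does not exist yet)
    baseline_file, esp = Path(sys.argv[1]), sys.argv[2]
    current = hash_esp(esp)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        print(f"baseline written for {len(current)} files")
    else:
        print(json.dumps(diff_esp(json.loads(baseline_file.read_text()), current), indent=1))
    print("SecureBoot:", secure_boot_enabled())
```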
Is MBR still an option for Windows? (Score:2)
Re: (Score:3)
Windows 10? Yes. Windows 11? No. People should be migrating off of 10 to something else anyway.
Re: (Score:2)
That's interesting, because it was possible. I did it in a VM by accident by not turning enough stuff on and turning off too many checks. When I later wanted to turn all the features on I had to convert my "disk" to the newer format.
Re: There used to be a write-protect jumper (Score:2)
I can't see that it's in any way related.
Win11 shouldn't need to write to the UEFI firmware.
Know how I know your article is written by AI? (Score:2)
"To date, ESET has found no evidence of actual infections in the wild."
These contradictions are in the same paragraph. Not just the same article. No one edits their chatbot's work at Ars, apparently.
Re: (Score:2)
Is it possible they found the malware source or binary in the wild (hacker forums, dark web, etc.) but no actual infections have been found? I'm too lazy to re-read the article.
Re: Know how I know your article is written by AI? (Score:1)
Re: (Score:2)
That's nothing, /. editors don't even read the articles they steal.
Color me surprised (Score:2)
Putting an extensible mini operating system in the system firmware to use as a glorified boot loader? Color me surprised that it hasn't been exploited more often.
Seriously, the things that belong on my motherboard's flash are simple. System board information, such as model number and layout. Default mappings of peripherals and slots on the bridge hierarchy. Some initialization for memory and bus training procedure. Trampolines for suspend and resume power states. Some boot loader code, like load some sectors