'Bootkitty' First Bootloader to Take Aim at Linux

Researchers have spotted what they believe is the first ever malware capable of infecting the boot process of Linux systems.

"Bootkitty" is proof-of-concept code that students in Korea developed for a cybersecurity training program they're involved in. Though still somewhat unfinished, the bootkit is fully functional and even includes an exploit for one of several so-called LogoFAIL vulnerabilities in the Unified Extensible Firmware Interface (UEFI) ecosystem that Binarly Research uncovered in November 2023.

A Novel Proof-of-Concept

Bootkits operate at the firmware level and execute before the operating system loads, allowing them to bypass the Secure Boot process for protecting systems from malware during startup. Such malware can persist through system reboots, operating system reinstallation, and even physical replacement of certain parts, like hard drives.

Researchers at ESET who analyzed Bootkitty after finding a sample on VirusTotal just last month described it as the first UEFI bootkit for Linux they have come across. That's significant because, until now, bootkits — the most notorious of which includes BlackLotus and FinSpy — have been Windows-specific.

"[Bootkitty's] main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolar and Peter Strycek wrote.

Binarly, which also analyzed Bootkitty, found the malware to contain an exploit for CVE-2023-40238, one of several image parsing LogoFAIL vulnerabilities in UEFI that the company reported last year. The Bootkitty exploit leverages shellcode embedded within bitmap image (BMP) files to bypass Secure Boot and get the OS to trust the malware, Binarly said. The vendor identified Linux systems from multiple vendors as being vulnerable to the exploit, including those from Lenovo, Fujitsu, HP, and Acer.

"While this appears to be a proof-of-concept rather than an active threat, Bootkitty signals a major shift as attackers expand bootkit attacks beyond the Windows ecosystem," Binarly wrote. "The operating system bootloaders present a vast attack surface that is often overlooked by defenders, and the constant growth in complexity only makes it worse."

The UEFI — and prior to that the BIOS ecosystem — has been a popular target for attackers in recent years because of how malware operating at that level can remain virtually undetectable on compromised systems. But concerns over UEFI security really came to a head with the discovery of BlackLotus, the first malware to bypass Secure Boot protections even on fully patched Windows systems.

The malware took advantage of two vulnerabilities in the UEFI Secure Boot process, CVE-2022-2189, also known as Baton Drop, and CVE-2023-24932, to install itself in a virtually undetectable and unremovable manner. The relatively easy availability of the malware and Microsoft's struggles in addressing it, prompted a call from the US Cybersecurity and Infrastructure Security Agency (CISA) for improved UEFI protections.

"Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode," CISA noted at the time. "In particular, UEFI secure boot developers haven't all implemented public key infrastructure (PKI) practices that enable patch distribution."

Functional Bootkit

ESET found Bootkitty to contain capabilities for modifying, in memory, functions that normally verify the integrity of the GRand Unified Bootloader (GRUB), which is responsible for loading the Linux kernel during startup. However, the specific functions that Bootkitty attempts to modify in memory are supported only on a relatively small number of Linux devices, suggesting the malware is more proof of concept than an active threat. Bolstering that theory is the presence of several unused artifacts in the code, including two functions for printing ASCII art and text during execution, ESET said.

The Korean students who developed the bootkit informed ESET after the security vendor published its analysis. ESET quoted the students as saying they had created the malware in an effort to spread awareness about the potential for bootkits becoming available for Linux systems. Details of the malware were only supposed to have become available as part of a future conference presentation. However, a few samples of the bootkit ended up being uploaded to VirusTotal, they noted.