First-ever UEFI bootkit for Linux in the works, experts say

Security researchers say they've stumbled upon the first-ever UEFI bootkit targeting Linux, illustrating a key moment in the evolution of such tools. Dubbed "Bootkitty" by Slovak security shop ESET, the first sample of the bootkit was detected on malware encyclopedia VirusTotal earlier this month. The researchers, Martin …

  1. Will Godfrey Silver badge
    Facepalm

    What took them so long?

    I've been expecting this for decades. The only way out of it is a hardware switch, or ROM boot image.

    1. David 132 Silver badge

      Re: What took them so long?

      > ROM boot image

      Indeed. Getting infected by rootkits on my Sinclair Spectrum was laborious.

      LOAD “rootkit”

      (20 minutes of tape squawking)

      RUN

      D BREAK: CONT REPEATS

      (machine crashes)

      1. Will Godfrey Silver badge
        Pint

        Re: What took them so long?

        U made I larF

    2. doublelayer Silver badge

      Re: What took them so long?

      Depending on what that ROM image does, it could just move the bootkitable place up one level. While there is some desire to have software that can change running before the OS runs, it will be possible to make a malicious version of it.

    3. sedregj Bronze badge
      Linux

      Re: What took them so long?

      I have a HP laptop (on my lap) and a HP desktop at work. Both run Kubuntu. The work deskie is able to patch its BIOS automatically as part of the usual updates system (Discovery with local knowledge and knobs on).

      The laptop has been a bit of a pain. I have finally got it to work by copying the updates to my EFI partition in a particular layout and using "BIOS recovery" which basically seems to be designed to work regardless of the state of the BIOS.

      Secure Boot is enabled on both and I even run ESET on them, just like my Windows aficionado colleagues. That gets me through the Cyber Essentials Plus bollocks. Long gone are the days when a Lilo boot loader signified what really turned out to be ... security through obscurity!

      The wife's lappie is the same model as mine but she rocks Arch. Actually she uses it to connect to the internet, which is what she calls Facebook and email. I look after it and I will soon be signing the kernel and modules and switching it to Secure Boot (with mucho care).

      My other computer is a Commodore 64, with a USB interface and some odd ideas about memory handling!

  2. cyberdemon Silver badge
    Alert

    Oh Noes!!

    We're all Doomed! DOoOmeD!

    Need to run for the hills, batten down the hatches, and install secure boot keys that only er, Microsoft, controls the private keys for.

    Then we'll be totally secure!

  3. O'Reg Inalsin

    Is BIOS safe?

    I'm seeing this description of secure boot - When Secure Boot is enabled, the BIOS verifies the digital signature of the bootloader (like GRUB) and the Linux kernel before allowing them to execute, preventing malicious code from being loaded.

    Is BIOS itself then the weak link? I see some internet posts saying some linux setups can flash the BIOS while running.

    Is this a case of a chain being only as strong as its weakest link?

    1. Mike007 Silver badge

      Re: Is BIOS safe?

      Reflashing the BIOS isn't an issue with secure boot as when it reboots it will verify that image is signed by the correct key. This seems to be some method of loading the genuine kernel then modifying it after it has been verified. Which of course requires first loading a signed module containing said code... This is where the secure boot bit comes in.

      The problem with the part in the article where it says "The bootkit is a self-signed certificate so in order to run on Secure Boot-protected systems, the system would already have to have the attackers' certificates installed." is the way Linux typically handles signing modules. If you want to install updates then you will need to generate your own key and enroll that, then the private key needs to be accessible to the system when installing kernel updates. This means if your system is compromised then they have access to your keys... However in that case I don't really see why this technique helps them when they can just sign a kernel module.
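The thread above turns on what "a signed kernel module" actually is on Linux. The following is an added example, not code from the article or from any commenter: it parses the signature trailer that the kernel's sign-file appends to a module (the layout in include/linux/module_signature.h: module bytes, then the PKCS#7 signature, then a 12-byte header, then the magic string) and applies the same structural checks the kernel makes before it even looks at the cryptography. The module bodies and signature bytes below are constructed placeholders, not real modules or real signatures, and the helper that lays out the trailer exists only to build those samples. Such a scan tells a defender which modules on disk carry a trailer and which do not; whether a present signature chains to a trusted key (built-in keys, or MOK entries imported through shim) is decided by the kernel against its keyrings, not by this script.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"
PKEY_ID_PKCS7 = 2  # the only id_type the kernel accepts for appended module signatures
# struct module_signature: u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
# u8 pad[3], __be32 sig_len
MODULE_SIGNATURE = struct.Struct(">BBBBB3xI")


@dataclass
class SigTrailer:
    sig_len: int
    sig_data: bytes    # the PKCS#7 blob (opaque here; the kernel hands it to its PKCS#7 verifier)
    module_len: int    # bytes of the module proper that the signature covers


def append_signature_trailer(module: bytes, pkcs7_sig: bytes) -> bytes:
    """Lay out module || signature || module_signature || magic, as sign-file does.
    Used only to build the constructed samples below; it does not sign anything."""
    header = MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7_sig))
    return module + pkcs7_sig + header + MODULE_SIG_STRING


def parse_module_signature(blob: bytes) -> Optional[SigTrailer]:
    """Return the trailer if blob ends in a well-formed appended signature,
    None if the file is simply unsigned, and raise ValueError if the trailer is
    malformed (the structural checks the kernel's mod_check_sig() applies)."""
    if not blob.endswith(MODULE_SIG_STRING):
        return None
    body = blob[: -len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIGNATURE.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = MODULE_SIGNATURE.unpack(
        body[-MODULE_SIGNATURE.size:]
    )
    body = body[: -MODULE_SIGNATURE.size]
    # For PKCS#7 the algorithm identifiers live inside the signature itself,
    # so the legacy fields must all be zero.
    if id_type != PKEY_ID_PKCS7 or algo or hash_ or signer_len or key_id_len:
        raise ValueError("unsupported id_type or non-zero legacy fields")
    # The kernel requires sig_len to be strictly smaller than what remains of the file.
    if sig_len >= len(body):
        raise ValueError("sig_len does not fit inside the module")
    module_len = len(body) - sig_len
    return SigTrailer(sig_len, body[module_len:], module_len)


def classify_modules(modules: Dict[str, bytes]) -> Dict[str, str]:
    """Map module name -> 'signed' / 'unsigned' / 'malformed'. 'signed' means a
    well-formed trailer is present, nothing more; key trust is the kernel's call."""
    result = {}
    for name, blob in modules.items():
        try:
            result[name] = "unsigned" if parse_module_signature(blob) is None else "signed"
        except ValueError:
            result[name] = "malformed"
    return result


# Constructed samples: a stand-in ELF body and placeholder signature bytes, not real modules.
FAKE_MODULE = b"\x7fELF" + bytes(60)
FAKE_PKCS7 = b"\x30\x82\x01\x00" + bytes(252)   # DER SEQUENCE prefix plus padding (placeholder)

SAMPLES = {
    "good.ko": append_signature_trailer(FAKE_MODULE, FAKE_PKCS7),
    "plain.ko": FAKE_MODULE,
    # Trailer claims a signature longer than the file itself; mod_check_sig() rejects this.
    "bogus.ko": FAKE_MODULE
    + MODULE_SIGNATURE.pack(0, 0, PKEY_ID_PKCS7, 0, 0, 9999)
    + MODULE_SIG_STRING,
}

if __name__ == "__main__":
    for name, status in classify_modules(SAMPLES).items():
        print(f"{name}: {status}")
```

Pointing classify_modules at the real files under /lib/modules/$(uname -r) gives a quick inventory of which modules would be refused outright when the kernel runs with module.sig_enforce (or under Lockdown); modules reported as "signed" still depend on the signing key being in a keyring the kernel trusts, which is the enrollment step the comment above describes.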

  4. johnrobyclayton

    An open source unkillable Bootkit

    An open source Bootkit for Linux is great news.

    We get to install our own and take further control over our machines.

    I assume these bootkits allow the controllers to update them and secure them from unauthorised removal.

    It is just another stage in rolling and installing your own OS.

    Mount your new boot disk.

    Create your filesystem

    Copy in the compiled kernel and required libraries and utilities including a bootloader.

    Write your MBR.

    Write your UEFI that is resistant to attempts to remove it.

    Boot your system

    See, just another step.

    And now no need to be bothered by those pesky gatekeeper companies like Microsoft that need to sign the software that you want to install on your computer.

    1. ThatOne Silver badge
      Unhappy

      Re: An open source unkillable Bootkit

      Sorry, how is that better (for the average computer user) than just "install your OS of choice - get work done with it"?

      What I'm saying is, a computer is supposed to help me do my work. The more hoops I have to jump through, the less able I am to do my actual work, the one I'm paid for. The more I have to fool around with gatekeepers, and the guards of gatekeepers, and the watchdogs of said guards, the less useful a computer becomes for real work. It's just increased entropy.

      Of course if you are paid to mess about with all that stuff your perspective might be different, but it still isn't anything productive. Definitely not for the 99% of the population for whom using a computer is not an aim in itself.

      1. johnrobyclayton

        Re: An open source unkillable Bootkit

        I work in support.

        I deal with too many people that "Just want to get their work done" who know nothing of the tools they use on a daily basis.

        I do not have much sympathy for them.

        I know how my tools work and want to have as much control over them as possible so that I can use them as effectively as I can without relying on others to help me or let me do stuff.

        What is so hard about:

        Knowing enough about physics to understand how electromagnetic radiation propagates (physics)

        Knowing how twisted pair networking cable reduces electromagnetic interference (physical)

        Knowing how networking devices detect errors in the data received (datalink)

        Knowing how traffic moves through a network from source to destination (network)

        Knowing how the traffic in a network represents information on where it needs to go and how to get there without interfering with all the other traffic that is whizzing about (transport)

        Knowing how the traffic is split into all the separate information streams for all of the different instances of all the applications that you might be running (session)

        Knowing how the data represent information used by all of your various applications. (presentation)

        Knowing how each application uses the information it receives and transmits to do what it does (application)

        Before complaining about some issues experienced within a user interface and making like a Pakled saying "It is broken, Please make it go"

        1. ThatOne Silver badge

          Re: An open source unkillable Bootkit

          > What is so hard about: [knowing lots of things]

          Nonsense. You work in support, you're paid to know those tools. A doctor of medicine has spent enough time learning other tools and stuff you probably only have a very vague idea about. Said MD doesn't want to know "how twisted pair networking cable reduces electromagnetic interference", much like you probably don't know much about thyroid hormone activation (despite it being more important for your health than networking cables).

        2. Roopee Silver badge
          FAIL

          Re: An open source unkillable Bootkit

          Downvoted because you forgot it again (the sarcasm tag).

    2. Roopee Silver badge
      FAIL

      Re: An open source unkillable Bootkit

      You forgot the sarcasm tag...
