(Credit: Just_Super via Getty Images)
UPDATE 11/28: A student in South Korea claims BootyKitty is merely a research project that has no malicious motives behind it.
"We are students studying in South Korea. We don't know how this PoC (proof-of-concept) bootkit revealed to outside world, but we found that report has been written about our program," the student told PCMag in an email.
"It was just our project about bootkit and secure boot," the student added. "As you can see its really unsecure, poor and simple. definitely not for attack purpose."
The study also says that BootKitty was developed at South Korea's "Best of the Best" program, which focuses on fostering next generation security talent in the country.
ESET has also received an email from the same student and plans on reaching out.
Original story:
Security researchers have uncovered rare malware that can infect a Linux machine’s boot process, making it harder to detect and remove.
The malware is known as a bootkit, which is designed to infect a computer’s boot process before it loads the operating system. In recent years, security researchers have discovered bootkits targeting the Windows OS through the Unified Extensible Firmware Interface (UEFI), which is used to start up a PC.
But on Wednesday, antivirus provider ESET said it had found a bootkit developed for Linux Ubuntu machines. The attack, dubbed “Bootkitty,” has been programmed to disable a security feature in Linux that ensures the software hasn’t been tampered with. It’ll then try to preload two unknown executables during the system startup process.
“Bootkitty allows the attacker to take full control over the affected machine, as it co-opts the machine’s booting process and executes malware before the operating system has even started,” ESET added.
The company discovered Bootkitty after someone—possibly the creator—uploaded a mysterious file this month to VirusTotal, an online service that uses dozens of antivirus engines to scan files for malware.
The good news is that Bootkitty appears to be a proof-of-concept rather than a fully developed attack that can be successfully used against real Linux machines. For example, Bootkitty can’t run on a Linux machine with the UEFI Secure Boot enabled by default since the malware uses a self-signed software certificate from its creator rather than a trusted signing authority.
In addition, Bootkitty can only fully function on a limited number of Linux configurations. ESET also hasn’t uncovered any evidence showing Bootkitty infecting Linux machines.
“That said, its existence underscores an important message: UEFI bootkits are no longer confined to Windows systems alone,” the antivirus provider added.
It's unclear how an attacker might circulate the bootkit. But ESET noted that "reinstalling an OS would effectively remove the Bootkitty bootkit from the system." ESET security researcher Martin Smolár also notes: “To keep your Linux systems safe from such threats, make sure that UEFI Secure Boot is enabled, your system firmware, security software, and OS are up-to-date, and so is your UEFI revocations list.”