UEFI bootkit "Bootkitty" for Linux is a university project from South Korea

Several security researchers have examined the prototype and made interesting findings. Bootkitty also uses the LogoFail bug to bypass Secure Boot.


A recently surfaced Linux bootkit, which lodges itself in the UEFI (Unified Extensible Firmware Interface) boot chain and is meant to bypass its security measures, is apparently a project by South Korean students. It came to public attention last week through several analyses, but had been circulating on the malware analysis platform VirusTotal since the beginning of November. It is not usable malware, but rather a "proof of concept".

At the beginning of November, employees of the security company ESET found a copy of a new type of malware on VirusTotal. A few weeks later, members of a rootkit research community stumbled across almost identical files. Among other things, they found a file called bootkit.efi and parts of a Linux rootkit on an open web server. The community members analyzed the rootkit and found rudimentary functions for executing its own shellcode. They only looked at the bootkit file superficially, however, and largely ignored two BMP image files that accompanied it.

The experts from ESET, on the other hand, took a particularly thorough look at the bootkit.efi file. According to their analysis, the experimental Linux malware hooks into the boot process and patches the original GRUB boot loader, the kernel's EFI loading mechanism and the kernel itself. Because Bootkitty relies on hard-coded addresses, the patches only work on a handful of kernel and GRUB builds; the analyzed version of the bootkit can only be used under certain Ubuntu versions. In addition, the bootkit cannot install itself on a system on its own, but must ask the user for permission, the ESET researchers stated.

A third analysis by Binarly contradicts this. The discoverers of the "LogoFail" vulnerability became suspicious when they found two BMP image files of very different sizes, one of which was over 16 MB and was suspiciously named logofail.BMP. And indeed, when loaded into a disassembler, the image revealed its secret cargo: shellcode that uses the LogoFail exploit to plant the authors' own code-signing certificate in the firmware and thereby undermines Secure Boot, since the firmware subsequently treats binaries signed with that certificate as trusted.
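The oversized logofail.BMP is the kind of artifact a first-pass triage should catch without a disassembler: a BMP's two headers state exactly how many bytes the pixel array needs, so any file whose size is not accounted for by its declared geometry deserves a closer look. The script below is an added example written for this article, not code from heise, ESET, Binarly or the Bootkitty authors. It checks only that generic consistency (the article does not describe the specific parsing flaw LogoFail exploits, and this script does not try to detect it); the 64 Mpixel ceiling and the three sample files are constructed assumptions, and the appended payload is a NOP-sled stand-in rather than real shellcode.

```python
import struct

FILE_HDR = struct.Struct("<2sIHHI")        # BITMAPFILEHEADER: magic, file size, 2x reserved, pixel offset
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # BITMAPINFOHEADER: 40 bytes; width and height are signed
VALID_BPP = (1, 4, 8, 16, 24, 32)
MAX_PIXELS = 64 * 1024 * 1024              # assumed ceiling: no boot logo needs more than 64 Mpixel


def build_bmp(width, height, bpp=24, trailer=b""):
    """Build a blank, uncompressed, bottom-up BMP (constructed sample data).
    A trailer is appended after the pixel array and counted in the header's
    file-size field, so the file looks self-consistent at first glance."""
    row = ((width * bpp + 31) // 32) * 4          # rows are padded to 4-byte multiples
    pixels = bytes(row * height)
    pix_off = FILE_HDR.size + INFO_HDR.size
    total = pix_off + len(pixels) + len(trailer)
    return (FILE_HDR.pack(b"BM", total, 0, 0, pix_off)
            + INFO_HDR.pack(INFO_HDR.size, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
            + pixels + trailer)


def triage_bmp(data):
    """Return a list of findings; an empty list means the headers account for every byte."""
    findings = []
    if len(data) < FILE_HDR.size + INFO_HDR.size or data[:2] != b"BM":
        return ["not a BMP or truncated before the info header"]
    _, declared, _, _, pix_off = FILE_HDR.unpack_from(data, 0)
    hdr_size, width, height, planes, bpp, comp, img_size, *_ = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if declared != len(data):
        findings.append(f"declared file size {declared} != actual {len(data)}")
    # Structural problems: do not derive sizes from fields already known to be bad.
    structural = []
    if hdr_size < INFO_HDR.size:
        structural.append(f"info header size {hdr_size} smaller than BITMAPINFOHEADER")
    if pix_off < FILE_HDR.size + hdr_size or pix_off > len(data):
        structural.append(f"pixel array offset {pix_off} points into the headers or outside the file")
    if planes != 1 or bpp not in VALID_BPP:
        structural.append(f"unusual planes/bpp {planes}/{bpp}")
    if width <= 0 or height == 0 or width * abs(height) > MAX_PIXELS:
        structural.append(f"implausible geometry {width}x{height}")
    if structural:
        return findings + structural
    row = ((width * bpp + 31) // 32) * 4
    expected = row * abs(height)               # a negative height only flips row order, not size
    if comp == 0 and img_size not in (0, expected):
        findings.append(f"biSizeImage {img_size} disagrees with computed {expected}")
    available = len(data) - pix_off
    if available < expected:
        findings.append(f"pixel array truncated: {available} of {expected} bytes present")
    elif available - expected > row:           # tolerate up to one row of slack
        findings.append(f"{available - expected} trailing bytes after the pixel array")
    return findings


def sample_files():
    """Constructed inputs: a clean logo, one with a 1 MiB payload appended, one with an absurd width."""
    clean = build_bmp(2, 2)
    padded = build_bmp(2, 2, trailer=b"\x90" * (1024 * 1024) + b"\xcc")   # NOP-sled stand-in, constructed
    bogus = bytearray(clean)
    struct.pack_into("<i", bogus, FILE_HDR.size + 4, 0x7FFFFFFF)          # overwrite biWidth only
    return {"clean.bmp": clean, "padded.bmp": padded, "bogus_width.bmp": bytes(bogus)}


if __name__ == "__main__":
    for name, blob in sample_files().items():
        print(name, triage_bmp(blob) or ["ok"])
```

The padded sample is the interesting one: its file-size field is correct and its header is otherwise unremarkable, so a plain "does the header match the length" check passes, and only the geometry-to-bytes comparison reveals a megabyte that no pixel needs. The bogus-width sample shows the other failure mode, a header whose arithmetic cannot be trusted at all; the script reports it and stops rather than computing a row size from a width that would overflow a 32-bit product in a C parser.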

How Bootkitty bypasses the Secure Boot process (Image: Binarly REsearch)

Not all devices and UEFI modules are susceptible to the multi-stage attack. According to the Binarly researchers, affected devices include models from Acer, Lenovo, HP and Fujitsu. Patches for the LogoFail vulnerability, such as those released by firmware manufacturer Insyde Software, also stop the Bootkitty rootkit; unpatched devices may be vulnerable. Whether a given device is affected can, according to the Binarly experts, only be established by trial and error. The rootkit authors had hidden an image file and assembler code tailored to Lenovo devices in their malicious code.

Nevertheless, the authors' achievement is remarkable: for the first time, someone has built a bootkit that hooks into the specially secured UEFI boot process and infects a Linux system. Previous UEFI bootkits had focused on Windows computers.

The question of whether professional criminals, such as ransomware gangs, developed the bootkit as the next generation of their malware has also been settled. heise security spoke to one of the developers, who confirmed to us that he is South Korean. The team of authors is part of a training program called "Best of the Best" (BoB) run by the South Korean IT institute KITRI (Korea Information Technology Research Institute). Even in one of the earliest analyses, names in the disassembled source files had pointed to a Korean origin.

For users and administrators, this means the all-clear for the time being: Bootkitty is not a new type of malware for cybercrime use, but a student semester project. Nevertheless, copycats from darker corners are unlikely to be long in coming.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.