The First Indelible UEFI Malware for Linux Systems Emerges, Security Firms on High Alert

Normally, security software on Windows PCs can detect and eliminate malware. To avoid elimination, some malware targets the UEFI (Unified Extensible Firmware Interface), ensuring its persistence even after the system is rebooted.

However, most UEFI-targeting malware has been designed for Windows PCs, with no instances targeting Linux systems' UEFI seen before now. This situation has now changed.

Security software developer ESET discovered BootKitty, a rootkit targeting Linux UEFI, while examining the suspicious file bootkit.efi uploaded to the VirusTotal scanning website in November 2024.

ESET's analysis confirmed that this is the first instance of a Linux UEFI bootkit bypassing kernel signature verification and loading malicious components during the system boot process. However, the developers of BootKitty are currently only in the testing phase.

Security firms have found that BootKitty only works on specific versions and configurations of Ubuntu, meaning it doesn't pose a threat to most Linux systems at the moment, but it's anticipated that hackers will continue to refine it.

Currently, BootKitty uses a self-signed certificate, so it cannot run on systems with Secure Boot enabled since the self-signature cannot pass validation. This could also be due to its development stage not being fully complete, as ESET found that the rootkit often causes Linux systems to crash during testing.

Although BootKitty is not currently impactful in the real world, its existence indicates that hackers are targeting Linux systems. This is a situation that the security industry needs to monitor closely. As time progresses, this type of rootkit tool may become more sophisticated and launch widespread attacks on Linux systems.