{"id":36512,"date":"2024-12-01T00:02:07","date_gmt":"2024-11-30T23:02:07","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=36512"},"modified":"2024-12-02T16:01:10","modified_gmt":"2024-12-02T15:01:10","slug":"bootkitty-first-linux-uefi-bootkit","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/12\/01\/bootkitty-first-linux-uefi-bootkit\/","title":{"rendered":"Bootkitty: First Linux UEFI Bootkit"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 10px 0px 0px; display: inline; float: left;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/11\/Linux.jpg\" width=\"64\" height=\"76\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/12\/01\/bootkitty-erstes-linux-uefi-boot-kit\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] ESET Research has discovered the first Linux UEFI bootkit and named it Bootkitty. The bootkit was uploaded to VirusTotal in early November 2024, which is how it came to the attention of the security researchers.<\/p>\n<p><!--more--><\/p>\n<p>For Windows, UEFI bootkits that have already embedded themselves in the UEFI boot process by the time the system starts have been known for some time. Now there is \"Bootkitty\", a UEFI bootkit for Linux.<\/p>\n<p><a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/bootkitty-analyzing-first-uefi-bootkit-linux\/\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.postimg.cc\/tJ6w78z2\/image.png\" alt=\"Linux UEFI-Boot-Kit\" width=\"597\" height=\"380\" \/><\/a><\/p>\n<p>The Linux UEFI bootkit disables kernel signature verification and preloads two ELF binaries that were unknown to the ESET researchers when they first analyzed it, as they write in the tweet above. 
Details of this discovery can be found in the blog post <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/bootkitty-analyzing-first-uefi-bootkit-linux\/\" target=\"_blank\" rel=\"noopener\">Bootkitty: Analyzing the first UEFI bootkit for Linux<\/a>.<\/p>\n<p><strong>Addendum:<\/strong> It was a student project, as ESET Research posted on December 2, 2024 on <a href=\"https:\/\/x.com\/ESETresearch\/status\/1863584623164276873\" target=\"_blank\" rel=\"noopener\">X<\/a>:<\/p>\n<blockquote>\n<p>UPDATE: #ESETresearch was contacted by one of the possible authors of the Bootkitty bootkit, claiming the bootkit is part of a project created by cybersecurity students participating in Korea's Best of the Best (BoB) training program. 1\/2<\/p>\n<p>This supports our belief that it was an initial proof of concept rather than a malware used by real threat actors. Nonetheless, the blog post remains accurate \u2014 it is a functional bootkit and the first publicly known UEFI bootkit for Linux. 2\/2<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>[German] ESET Research has discovered the first Linux UEFI bootkit and named it Bootkitty. This Linux UEFI bootkit was uploaded to VirusTotal in early November 2024 and came to the attention of the security researchers.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[921,580],"tags":[637,69],"class_list":["post-36512","post","type-post","status-publish","format-standard","hentry","category-linux","category-security","tag-linux","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36512","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=36512"}],"version-history":[{"count":4,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36512\/revisions"}],"predecessor-version":[{"id":36532,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/36512\/revisions\/36532"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=36512"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=36512"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=36512"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}