In the last decade, a new class of infections has been threatening Windows users. By infecting the firmware, the malware (a bootkit) runs before the operating system is loaded.
These UEFI bootkits continue to run even after the hard drive is replaced or formatted.
Now, the same type of malware has been found circulating online for Linux machines. Researchers from the security company ESET said on Wednesday that Bootkitty – the name given to it by the unknown bootkit developers – was uploaded to VirusTotal earlier this month.
Compared to its Windows cousins, Bootkitty is still relatively rudimentary, with flaws in its core functionality and no means of infecting Linux distributions other than Ubuntu. This led the company's researchers to suspect that the new bootkit may be a proof-of-concept version. To date, ESET has not found any real-world infections.
However, Bootkitty shows that malicious actors are reportedly and actively developing a Linux version of the unkillable bootkit that previously targeted only Windows systems.
"Whether a proof-of-concept or not, Bootkitty marks an interesting move in the UEFI threat landscape, breaking the belief that modern UEFI bootkits are Windows-only threats," ESET researchers said.
"While the current release from VirusTotal does not currently pose a real threat to the majority of Linux systems, it does highlight the need to prepare for potential future threats."
As ESET reports, the discovery is significant because it shows that someone is pouring resources and significant expertise into creating working UEFI bootkits for Linux.