Wednesday, 07 September 2016 08:50

Umbreon rootkit targets Linux on x86, ARM platforms

By Sam Varghese

A rootkit aimed at Linux systems running on the x86, ARM and embedded platforms has been in development since last year and runs in user mode on an affected system, according to researchers at Trend Micro.

Yet the rootkit, known as Umbreon after the Pokémon character and described by researchers from the security firm, is difficult to remove because it intercepts calls to the standard C library (libc) used by Linux programs.

There is one positive factor: Umbreon needs to be manually installed on a victim's device after access has been gained by some other means.

Tools that would detect it are hampered by the same property, as they are themselves written in C and rely on libc.

The developer of Umbreon has been active in the cybercriminal underground for at least three years, Trend Micro said.

The researchers said executable code could run on a system in user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1) and system management mode (ring -2).

Given that Umbreon runs in user mode, it does not install kernel objects on a system; instead it intercepts functions in core libraries that programs use as interfaces to system calls.

These system calls run operations such as reading and writing of files, spawning processes, or sending packets over a network.

The researchers wrote: "It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode."

They said they had been able to get the rootkit running on the x86, x86_64 and ARM platforms. "The rootkit is very portable because it does not rely on platform-specific code: it is written in pure C, except for some additional tools that are written in Python and Bash scripting."

When Umbreon is installed, it creates a valid user that an attacker can use, via a backdoor, to gain access to the affected system. This user has a special group ID that is checked by the rootkit to see if the attacker is trying to gain access.

When the affected system is accessed, it shows the login screen below.

[Image: login screen shown by an Umbreon-infected system]

The backdoor component of this rootkit has been dubbed Espeon, again the name of a Pokémon character, and it spawns a shell when the attacker establishes a connection. It can be instructed, through a specially crafted TCP packet, to connect to an attacker's machine providing a reverse shell to bypass a firewall.

Given that existing means of detecting rootkits on a Linux system will not work against Umbreon, the researchers said one way around this was to "develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly".
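The approach the researchers describe, as an added example that is neither Trend Micro's tool nor any code from the rootkit: the program reads a directory twice, once with the getdents64 system call through the raw syscall interface and once through libc's opendir/readdir, and reports any entry the libc view is missing. A user-mode rootkit that filters readdir cannot hide a name from the first listing, so a non-empty difference is the signal. The page does not give the rootkit's folder path, so the directory is taken from the command line and the default of "/" is an assumption. Note that syscall(2) is itself a thin libc stub; a tool that must avoid libc entirely would issue the syscall instruction inline and be linked statically.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout the kernel writes for getdents64(2); glibc does not export it. */
struct kdirent64 {
    uint64_t       d_ino;
    int64_t        d_off;
    unsigned short d_reclen;
    unsigned char  d_type;
    char           d_name[];
};

#define MAX_ENTRIES  4096
#define NAME_MAX_LEN 256

/* Kernel view: open and enumerate the directory with raw syscalls only,
 * never calling opendir/readdir. Returns entries stored, or -1 on error. */
int list_dir_raw(const char *path, char names[][NAME_MAX_LEN], int max)
{
    char buf[32768];
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    int count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { syscall(SYS_close, fd); return -1; }
        if (n == 0) break;
        for (long pos = 0; pos < n; ) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + pos);
            if (count < max) {
                strncpy(names[count], d->d_name, NAME_MAX_LEN - 1);
                names[count][NAME_MAX_LEN - 1] = '\0';
                count++;
            }
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return count;
}

/* libc view: the same directory through readdir, the path a libc-hooking
 * rootkit can filter. Returns entries stored, or -1 on error. */
int list_dir_libc(const char *path, char names[][NAME_MAX_LEN], int max)
{
    DIR *dp = opendir(path);
    if (!dp) return -1;
    int count = 0;
    struct dirent *e;
    while ((e = readdir(dp)) != NULL) {
        if (count < max) {
            strncpy(names[count], e->d_name, NAME_MAX_LEN - 1);
            names[count][NAME_MAX_LEN - 1] = '\0';
            count++;
        }
    }
    closedir(dp);
    return count;
}

/* Cross-view check: count names the kernel reports that libc does not.
 * Both views enumerate in kernel order, so the MAX_ENTRIES cap truncates
 * them identically and cannot by itself create a false difference.
 * Returns the number of hidden entries, or -1 if the directory is unreadable. */
int hidden_entry_count(const char *path)
{
    static char raw[MAX_ENTRIES][NAME_MAX_LEN];
    static char via_libc[MAX_ENTRIES][NAME_MAX_LEN];
    int nr = list_dir_raw(path, raw, MAX_ENTRIES);
    if (nr < 0) return -1;
    int nl = list_dir_libc(path, via_libc, MAX_ENTRIES);
    if (nl < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nr; i++) {
        int found = 0;
        for (int j = 0; j < nl; j++) {
            if (strcmp(raw[i], via_libc[j]) == 0) { found = 1; break; }
        }
        if (!found) {
            hidden++;
            printf("hidden from libc: %s/%s\n", path, raw[i]);
        }
    }
    return hidden;
}

int main(int argc, char **argv)
{
    /* Assumed default; the real folder to inspect is passed as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/";
    int hidden = hidden_entry_count(path);
    if (hidden < 0) { perror(path); return 2; }
    printf("%s: %d entr%s hidden from libc\n", path, hidden, hidden == 1 ? "y" : "ies");
    return hidden ? 1 : 0;
}
```

On a clean host the two views agree and the program exits 0; an exit status of 1 with one or more "hidden from libc" lines is the cross-view discrepancy that a libc-level hook produces. Because the check is per-directory, it is run against the folder the rootkit is known to use rather than the whole filesystem.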

They said they had developed YARA rules to detect Umbreon. YARA is a tool to aid researchers in identifying and classifying malware families. Descriptions of malware families are based on textual or binary information in samples.

The Trend Micro researchers have also provided instructions for removal of Umbreon.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
