Wednesday, 07 September 2016 08:50

Umbreon rootkit targets Linux on x86, ARM platforms


A rootkit aimed at Linux systems running on the x86, ARM and embedded platforms has been in development since last year and runs in user mode on an affected system, according to researchers at Trend Micro.

Even so, the rootkit, named Umbreon after the Pokémon character, is difficult to remove because it intercepts calls to the standard C library (libc) that programs on Linux systems rely on.

There is one positive factor: Umbreon needs to be manually installed on a victim's device after access has been gained by some other means.

Detection tools are hampered by the same property: they are themselves written in C and rely on libc, so the very calls they make can be intercepted.

The developer of Umbreon has been active in the cybercriminal undergrounds for at least three years, Trend Micro said.

The researchers said executable code could run on a system in user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1) and system management mode (ring -2).

Given that Umbreon runs in user mode, it does not install kernel objects on a system, but intercepts functions from core libraries that are used by programs as interfaces to system calls.

These system calls run operations such as reading and writing of files, spawning processes, or sending packets over a network.

The researchers wrote: "It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode."

They said they had been able to get the rootkit running on the x86, x86_64 and ARM platforms. "The rootkit is very portable because it does not rely on platform-specific code: it is written in pure C, except for some additional tools that are written in Python and Bash scripting."

When Umbreon is installed, it creates a valid user that an attacker can use, via a backdoor, to gain access to the affected system. This user has a special group ID that is checked by the rootkit to see if the attacker is trying to gain access.

When the affected system is accessed, it shows the login screen below.

[Image: Umbreon login screen]

The backdoor component of this rootkit has been dubbed Espeon, again the name of a Pokémon character, and it spawns a shell when the attacker establishes a connection. It can be instructed, through a specially crafted TCP packet, to connect to an attacker's machine providing a reverse shell to bypass a firewall.

Given that existing means of detecting rootkits on a Linux system will not work with Umbreon, the researchers said one way around this was to "develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly".
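The detection approach quoted above, as an added example that is not Trend Micro's tool: it lists a directory through the raw getdents64 system call and again through libc's readdir(), and counts the entries that only the raw path reports. The directory to check is an assumption (the rootkit's default folder is not given here); glibc's syscall() wrapper stands in for inline assembly, so the binary should be statically linked when the system's libc itself is untrusted.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#define MAX_ENTRIES 4096
#define NAME_LEN 256
/* Kernel record layout returned by getdents64 (glibc does not export it). */
struct kdirent64 {
    unsigned long long d_ino; long long d_off;
    unsigned short d_reclen; unsigned char d_type; char d_name[];
};
/* List a directory with raw system calls only: opendir()/readdir() are never
 * called, so a hook installed on those libc functions is never consulted. */
static int raw_list(const char *path, char names[][NAME_LEN], int max) {
    char buf[8192];
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    int n = 0;
    for (long got; (got = syscall(SYS_getdents64, fd, buf, sizeof buf)) > 0;) {
        for (long off = 0; off < got && n < max;) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + off);
            snprintf(names[n++], NAME_LEN, "%s", d->d_name);
            off += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}
/* Number of raw entries that libc's readdir() does not report, or -1 if the
 * directory cannot be opened. Any positive count means the libc view is being
 * filtered, which is exactly what a libc-level rootkit does. Path is an input. */
int hidden_entries(const char *path) {
    static char raw[MAX_ENTRIES][NAME_LEN];
    char seen[MAX_ENTRIES] = {0};
    int n = raw_list(path, raw, MAX_ENTRIES);
    if (n < 0) return -1;
    DIR *dp = opendir(path);
    if (!dp) return n;  /* libc will not even open it: treat every entry as hidden */
    for (struct dirent *e; (e = readdir(dp)) != NULL;)
        for (int i = 0; i < n; i++)
            if (!seen[i] && strcmp(raw[i], e->d_name) == 0) { seen[i] = 1; break; }
    closedir(dp);
    int hidden = 0;
    for (int i = 0; i < n; i++)
        if (!seen[i]) { printf("hidden from libc: %s/%s\n", path, raw[i]); hidden++; }
    return hidden;
}
```

On a clean system both views agree and the count is zero; run it against the folder named in the Trend Micro report to check a suspect host.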

They said they had developed YARA rules to detect Umbreon. YARA is a tool that helps researchers identify and classify malware families; each rule describes a family by the textual or binary patterns found in its samples.

The Trend Micro researchers have also provided instructions for removal of Umbreon.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.