Pokémon-themed Linux rootkit surfaces across x86 and ARM systems
A new rootkit family has emerged that targets Linux systems running on x86 and ARM processors. Called Umbreon, the rootkit is named after the Pokémon that hides in the dark, a nod to the malware's own stealth.
Trend Micro's researchers have obtained samples of the Umbreon rootkit. The team found that the rootkit is not new: it was first spotted in early 2015, and its developer has allegedly been active in the cyber-criminal underground since 2013.
“It has been claimed in underground forums and IRC channels by several underground actors that Umbreon is very hard to detect. Our research shows how this rootkit works, and how it tries to achieve stealth within a Linux environment,” wrote Fernando Mercês, senior threat researcher at Trend Micro, in a blog post.
Umbreon can be installed on an active device either manually or through a server. Once installed, it is said to give the attacker full control of the device.
Rootkit code can run in one of four execution modes: user mode, kernel mode, hypervisor mode and system management mode. The Pokémon-themed rootkit itself runs on Intel-powered x86 and x86-64 platforms as well as ARM-based devices, including the Raspberry Pi.
“The rootkit is very portable because it does not rely on platform-specific code. It is written in pure C, except for some additional tools that are written in Python and Bash scripting,” Mercês added.
Umbreon creates a valid Linux user account that serves as the attacker's backdoor into the device. That account can be logged into through any authentication method Linux supports via pluggable authentication modules (PAM), such as SSH.
Although Umbreon is a serious threat to Linux systems, the researchers at Trend Micro say it can be removed. Users need to boot the affected machine from a Linux live CD and then remove the file /etc/ld.so and the directory /usr/lib/libc.so. It is recommended to take backups before making any change to the system.
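A scripted version of that offline check, added here as an example and not Trend Micro's own tooling: it stats the two paths the article names under a mounted root (the /mnt mount point and the fake test roots are assumptions), so the inspection runs from the live CD rather than on the possibly hooked system.

```shell
#!/bin/sh
# Offline check for the two Umbreon artefacts named in the article. Run it
# from a live CD against the MOUNTED root of the suspect disk (e.g. /mnt),
# not against the running system, whose libc and loader a user-mode rootkit
# may already be hooking. Added example, not Trend Micro's tooling.

# umbreon_indicators ROOT : prints findings; returns 0 if none, 1 if any.
umbreon_indicators() {
    root="${1%/}"
    found=0
    # Article: the rootkit drops a FILE at /etc/ld.so. A clean glibc system
    # has /etc/ld.so.cache, ld.so.conf and ld.so.preload, but nothing at
    # that exact path.
    if [ -e "$root/etc/ld.so" ]; then
        echo "FOUND: $root/etc/ld.so exists: $(ls -ld "$root/etc/ld.so")"
        found=1
    fi
    # Article: the rootkit keeps its payload in a DIRECTORY named
    # /usr/lib/libc.so. On a clean system libc.so, if present at all, is a
    # small text linker script, never a directory.
    if [ -d "$root/usr/lib/libc.so" ]; then
        echo "FOUND: $root/usr/lib/libc.so is a directory:"
        ls -la "$root/usr/lib/libc.so"
        found=1
    fi
    return "$found"
}

# Demo on constructed fake roots so the script can be tried without a
# suspect disk: one clean layout, one carrying both indicators.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/clean/etc" "$tmp/clean/usr/lib"
    printf 'GROUP ( libc.so.6 )\n' > "$tmp/clean/usr/lib/libc.so"
    umbreon_indicators "$tmp/clean" && echo "clean root: no indicators"
    mkdir -p "$tmp/infected/etc" "$tmp/infected/usr/lib/libc.so"
    : > "$tmp/infected/etc/ld.so"
    umbreon_indicators "$tmp/infected" || echo "infected root: clean it"
    rm -rf "$tmp"
}

# Usage: sh umbreon_check.sh --demo
#    or: . ./umbreon_check.sh; umbreon_indicators /mnt
if [ "${1:-}" = "--demo" ]; then demo; fi
```

A hit on either path is a reason to take a full image before deleting anything, since the directory contents are what an incident responder will want to examine.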