
Pokémon-themed Linux rootkit surfaces across x86 and ARM systems



A new rootkit family has emerged that targets Linux systems on x86 and ARM processors. Called Umbreon, it is named after a Pokémon, a nod to that Pokémon's trait of hiding in darkness.

Researchers at Trend Micro Forward Looking Threat Research have obtained samples of the Umbreon rootkit. The team notes that the rootkit is not new: it was first spotted in early 2015, and its developer has allegedly been active in the cybercriminal underground since 2013.

“It has been claimed in underground forums and IRC channels by several underground actors that Umbreon is very hard to detect. Our research shows how this rootkit works, and how it tries to achieve stealth within a Linux environment,” writes Fernando Mercês, senior threat researcher at Trend Micro, in a blog post.

Umbreon can be installed on an active device either manually or through a server. Once installed, it is said to give the attacker full control of the device.

Rootkit code can run in one of four execution modes: user, kernel, hypervisor, or system management mode. Further, the Pokémon-themed rootkit runs on Intel-powered x86 and x86-64 platforms as well as ARM-based devices, including the Raspberry Pi.

“The rootkit is very portable because it does not rely on platform-specific code. It is written in pure C, except for some additional tools that are written in Python and Bash scripting,” Mercês adds.

Umbreon creates a valid Linux user account that serves as the attacker's backdoor into the device. The account can be reached through any authentication method that Linux supports via pluggable authentication modules (PAM), including SSH.

Although Umbreon is a serious threat to Linux systems, the researchers at Trend Micro say it can be removed. After booting the affected machine from a Linux LiveCD, users need to remove the file /etc/ and the directory /usr/lib/. Taking a backup before making any changes to the system is recommended.
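As an added example (not code from the article or from Trend Micro), this is the kind of offline check a defender could run after booting from a LiveCD as described above: it reads the mounted system's raw /etc/passwd and /etc/shadow and flags accounts that look like the planted backdoor login described earlier. The file contents, user names and hashes are constructed, and the set of expected users is an assumption.

```python
from dataclasses import dataclass
# Shells that give an interactive login; extend as needed.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/zsh"}
# Constructed stand-ins for <mountpoint>/etc/passwd and /etc/shadow read from a
# LiveCD; the 'sysupd' account is the planted backdoor login in this sample.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysupd:x:0:0::/:/bin/bash
"""
SHADOW = """root:$6$constructedhash1:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
www-data:*:17000:0:99999:7:::
alice:$6$constructedhash2:17000:0:99999:7:::
sysupd:$6$constructedhash3:17000:0:99999:7:::
"""
EXPECTED_USERS = {"root", "alice"}  # assumption: accounts the administrator created

@dataclass(frozen=True)
class Finding:
    user: str
    reason: str

def parse_passwd(text):
    """Map user name -> (uid, home, shell) from raw /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            users[fields[0]] = (int(fields[2]), fields[5], fields[6])
    return users

def parse_shadow(text):
    """Map user name -> password field from raw /etc/shadow content."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}

def audit_accounts(passwd_text, shadow_text, expected_users):
    """Flag accounts that look like a planted backdoor login."""
    findings = []
    hashes = parse_shadow(shadow_text)
    for name, (uid, home, shell) in parse_passwd(passwd_text).items():
        if uid == 0 and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
        if name not in expected_users and shell in INTERACTIVE_SHELLS:
            findings.append(Finding(name, "unexpected account with an interactive shell"))
        pw = hashes.get(name, "")
        if uid < 1000 and name != "root" and pw and not pw.startswith(("*", "!")):
            findings.append(Finding(name, "system-range account with a usable password hash"))
    return findings
```

Because the files are read from the mounted root rather than through the running system's libraries, a rootkit hiding the account from tools on the live machine cannot hide it from this check.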