Wednesday, 07 September 2016 08:50

Umbreon rootkit targets Linux on x86, ARM platforms


A rootkit aimed at Linux systems running on the x86, ARM and embedded platforms has been in development since last year and runs in user mode on an affected system, according to researchers at Trend Micro.

Despite running in user mode, the rootkit, known as Umbreon after the Pokémon character and described by researchers from the security firm, is difficult to remove because it intercepts calls to the standard C library (libc) used by Linux systems.

There is one positive factor: Umbreon needs to be manually installed on a victim's device after access has been gained by some other means.

Tools that might detect it are hampered by the same property: they are themselves written in C and rely on libc, so their calls pass through the same intercepted functions.

The developer of Umbreon has been active in the cybercriminal underground for at least three years, Trend Micro said.

The researchers said executable code could run on a system in user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1) and system management mode (ring -2).

Given that Umbreon runs in user mode, it does not install kernel objects on a system, but intercepts functions from core libraries that are used by programs as interfaces to system calls.

These system calls run operations such as reading and writing of files, spawning processes, or sending packets over a network.

The researchers wrote: "It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode."

They said they had been able to get the rootkit running on the x86, x86_64 and ARM platforms. "The rootkit is very portable because it does not rely on platform-specific code: it is written in pure C, except for some additional tools that are written in Python and Bash scripting."

When Umbreon is installed, it creates a valid user that an attacker can use, via a backdoor, to gain access to the affected system. This user has a special group ID that is checked by the rootkit to see if the attacker is trying to gain access.

When the affected system is accessed, it shows a distinctive login screen (screenshot omitted here).

The backdoor component of this rootkit has been dubbed Espeon, again the name of a Pokémon character, and it spawns a shell when the attacker establishes a connection. It can be instructed, through a specially crafted TCP packet, to connect to an attacker's machine providing a reverse shell to bypass a firewall.

Given that existing means of detecting rootkits on a Linux system will not work with Umbreon, the researchers said one way around this was to "develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly".
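The kernel-syscall approach the researchers describe, and the libc interception it works around, can be shown with an added example; this is not code from Trend Micro or from the article. The program lists a directory twice, once through libc's opendir()/readdir() and once through the raw getdents64 syscall, and reports any entries that the kernel returns but libc does not. A user-mode rootkit that hooks libc can filter the first listing, but the second never passes through libc. The buffer sizes, the entry limit and the default path of / are assumptions of this example; the directory to inspect is taken from the first command-line argument.

```c
// Added example (not from the article): detect directory entries hidden from
// libc's readdir() by listing the same directory via the raw getdents64 syscall.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define MAX_ENTRIES  4096   /* assumed upper bound on entries per directory */
#define NAME_MAX_LEN 256    /* d_name is at most 255 bytes plus the NUL */

/* Layout of the records getdents64 writes; not exported by glibc, so declared here. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* List a directory by talking to the kernel directly: openat, getdents64 and
 * close are issued with syscall(), so no libc wrapper (a common hook point of
 * user-mode rootkits) is involved. Returns the entry count or -1 on error. */
static int list_dir_raw(const char *path, char names[][NAME_MAX_LEN], int max) {
    long long store[4096];               /* 32 KiB, 8-byte aligned for the records */
    char *buf = (char *)store;
    int n = 0;
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (;;) {
        long nread = syscall(SYS_getdents64, fd, buf, sizeof store);
        if (nread <= 0) break;           /* 0 = end of directory, <0 = error */
        for (long pos = 0; pos < nread;) {
            struct linux_dirent64 *d = (struct linux_dirent64 *)(buf + pos);
            if (n < max) {
                strncpy(names[n], d->d_name, NAME_MAX_LEN - 1);
                names[n][NAME_MAX_LEN - 1] = '\0';
                n++;
            }
            pos += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return n;
}

/* List the same directory the conventional way, through libc. */
static int list_dir_libc(const char *path, char names[][NAME_MAX_LEN], int max) {
    DIR *dir = opendir(path);
    if (!dir) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(dir)) != NULL) {
        if (n < max) {
            strncpy(names[n], e->d_name, NAME_MAX_LEN - 1);
            names[n][NAME_MAX_LEN - 1] = '\0';
            n++;
        }
    }
    closedir(dir);
    return n;
}

/* Number of entries the kernel reports that libc's readdir() does not.
 * 0 on a clean system; a libc-hooking rootkit that hides its folder shows
 * up as a positive count. -1 if the directory cannot be opened. */
int count_hidden_entries(const char *path) {
    static char raw[MAX_ENTRIES][NAME_MAX_LEN];
    static char via_libc[MAX_ENTRIES][NAME_MAX_LEN];
    int nraw = list_dir_raw(path, raw, MAX_ENTRIES);
    int nlibc = list_dir_libc(path, via_libc, MAX_ENTRIES);
    if (nraw < 0 || nlibc < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int found = 0;
        for (int j = 0; j < nlibc && !found; j++)
            found = (strcmp(raw[i], via_libc[j]) == 0);
        if (!found) {
            printf("hidden from readdir(): %s/%s\n", path, raw[i]);
            hidden++;
        }
    }
    return hidden;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/";   /* default path is an assumption */
    int hidden = count_hidden_entries(path);
    if (hidden < 0) { perror(path); return 1; }
    printf("%d entr%s visible to the kernel but not to libc\n",
           hidden, hidden == 1 ? "y" : "ies");
    return hidden > 0 ? 2 : 0;
}
```

The check is only as strong as the binary running it: if the program is dynamically linked, a rootkit could in principle also interfere with syscall() itself or with the loader, so a static build copied onto the host from clean media is the more trustworthy way to run it. Directories with more than MAX_ENTRIES entries are truncated in both listings, so the comparison should only be trusted below that limit.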

They said they had developed YARA rules to detect Umbreon. YARA is a tool that helps researchers identify and classify malware families by describing each family in terms of the textual or binary patterns found in its samples.

The Trend Micro researchers have also provided instructions for removal of Umbreon.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
