Taking umbrage at Umbreon, the Linux rootkit that likes to hide

Pokémon-themed rootkit has a number of evasive tricks up its sleeve.

David bisson
David Bisson
@
@DMBisson

Umbreon

Watch out, Linux users! A new rootkit is on the prowl, and it’s known for biting into its victims without causing a commotion.

The rootkit, which goes by the name “Umbreon,” targets Linux machines, including systems that run Intel and ARM processors.

Umbreon, whose development began back in 2015, appears to derive its name from a Pokémon of the same name:

Sign up to our free newsletter.
Security news, advice, and tips.

Why do I say that?

Trend Micro security researcher Fernando Mercês found that after an attacker manually installs Umbreon onto a device or server, the rootkit creates a hidden Linux user that the attacker can use to access the machine. When accessed via SSH, that user account displays a welcome screen:

Umbreon2tb

This isn’t the first time attackers have leveraged animated pocket monsters to deliver malicious software to users.

Following the release of the uber-popular Pokémon Go game for Android and iOS, attackers began distributing lookalike apps that in actuality installed remote access trojans and ransomware onto unsuspecting users’ devices.

EspeonIt’s therefore no wonder Umbreon’s authors stuck with that theme… and took it to the next level.

Indeed, to access the infected system, the attacker must make use of Umbreon’s backdoor component in conjunction with the hidden Linux user profile. That component is named Espeon, after another Pokémon.

Okay, enough with the Pokémon parallels.

Umbreon is a ring 3 rootkit, meaning it can’t mess around much with the kernel. That doesn’t mean, however, that it’s easy to detect or remove.

For instance, it can hide from administrators who use a common system call tracing tool. As Mercês explains:

“System call tracing is a technique used by a very popular Linux command line tool called strace. It uses the ptrace() syscall to inspect the syscall parameters and return values of other executable files. As Umbreon uses an /etc/ld.so.<random> file to instruct the loader to load itself before any other library used by ELF binaries, it can disguise itself from administrators that use strace by hooking vprintf(), __vfprintf_chk(), and fputs_unlocked(). These are used by different versions of strace to write to a given file descriptor.”

Umbreon code

The rootkit also hooks into a number of other functions and prevents them from sending back information regarding TCP packets, which further conceals its malicious activity.

That’s because Umbreon, which is written purely in C, mimics the GNU C library and sets its library to execute before any other library has a chance.

The long and short of it: all of its spoofed and malicious functions execute first, leaving administrators with little hope of detecting the rootkit via conventional means.

Mercês elaborates:

“These malicious functions then inspect the arguments they receive before calling the real ones. Similarly, the output of every command may have been modified before the user sees it. It effectively functions as an in-the-middle attack, modifying both the input and output of system functions. Users cannot trust the outputs of system commands like ps, ls, top, and pstree (among others). Because they all use these libc functions, they will all produce modified outputs.”

Fortunately, administrators can detect Umbreon from an infected machine using new YARA rules. They can also remove it from a machine, but the process is complicated and not for the inexperienced user.

For a guide on how to remove the rootkit, please visit Trend Micro’s blog post.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Taking umbrage at Umbreon, the Linux rootkit that likes to hide”

  1. coyote

    LD_PRELOAD environment variables and related functionality are very convenient but perhaps not as convenient as they used to be (things are 'easier'). This is indeed a clever way to go about it but it's certainly not anything unique (and indeed this is how ESET works and in fact it has a memory leak). But it likely is indeed not known by as many people these days (and perhaps that is because of dumbing down the systems to make it user 'friendly'). Despite this I would say this isn't anything but a larger attack surface (more users, more devices and less thinking required); this will only continue unfortunate as it is (but this isn't anything new either).

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.