
Umbreon Rootkit Hides in the Dark and Threatens Your Linux System

Umbreon Can Target 32-Bit, 64-Bit, and ARM Machines

It would appear that mobile phone users aren't the only ones taken by the Pokémon craze. Even the hackers seem to be interested in the funny little monsters. So much so, in fact, that they've decided to name the newest Linux rootkit after Umbreon, a Pokémon creature. According to Bulbapedia, a community-driven Pokémon encyclopedia, Umbreon likes hiding in the dark, which makes the name rather fitting for a rootkit.

One of the first things you need to know about Umbreon is that it doesn't spread on its own. The attacker has to already have physical or remote access to the machine and install it by hand, which is both good and bad news.

On the one hand, the fact that the executable needs to be manually initiated means that inexperienced users are unlikely to install Umbreon by mistake. On the other, however, if the hackers have access to the system, they can place the rootkit wherever they want, which could hamper automatic detection.

Speaking of detection, Umbreon is a ring 3 rootkit. It runs entirely in user mode and loads nothing into the kernel, which, in theory at least, should make it easier to find and remove than a kernel-mode rootkit. The threat actors have thought about that, however, and they've implemented some detection avoidance techniques which can make users' lives quite a bit more difficult.

Umbreon hooks functions in the libc and libpcap libraries. libc is the basic component that practically every dynamically linked Linux program goes through, including the runtimes of popular languages like PHP, Python, Ruby, Perl, etc. Any program that asks the system for a list of files, processes or users through those libraries gets a filtered answer, so it will not be able to see the rootkit. You can see now just how appropriate the Umbreon name is.

Researchers at Trend Micro analyzed the threat in more detail recently, and they came up with a removal guide. They do warn you, however, that you should be careful, as mistakes during the removal process could cause serious damage to the system.

So, you can remove Umbreon. But what will happen if you don't?

Naturally enough, Trend Micro also analyzed the rootkit's functionality, and they concluded that Umbreon is a threat to be reckoned with. By hooking libc, it can inspect and alter terminal commands, and by hooking libpcap, it can sniff network traffic and hide its communication with the Command & Control server from packet-capture tools. During installation Umbreon also creates a brand new user account, hidden from the system owner by the same hooks, through which the attackers can access the machine via SSH.
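The practical consequence of the two paragraphs above is that you cannot trust ls, ps or any other dynamically linked tool on a box where libc has been hooked, because they all see the filtered view. The classic check for a user-mode rootkit is to ask the kernel directly and compare. The program below is an added example, not Trend Micro's tool and not part of the original article: it lists a directory once through libc's opendir/readdir (the hookable path) and once through the raw getdents64 system call, and reports any name the kernel returns that readdir omitted. Run it against /proc to look for hidden processes and against a suspect directory to look for hidden files. It assumes Linux (getdents64 is Linux-specific) and a writable /tmp for its self-check.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw record layout returned by the getdents64 system call (Linux). */
struct raw_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Growable list of entry names. */
typedef struct { char **names; size_t count, cap; } namelist;

static int namelist_add(namelist *l, const char *name) {
    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 64;
        char **p = realloc(l->names, ncap * sizeof *p);
        if (!p) return -1;
        l->names = p; l->cap = ncap;
    }
    if (!(l->names[l->count] = strdup(name))) return -1;
    l->count++;
    return 0;
}

static void namelist_free(namelist *l) {
    for (size_t i = 0; i < l->count; i++) free(l->names[i]);
    free(l->names);
    l->names = NULL; l->count = l->cap = 0;
}

static int namelist_has(const namelist *l, const char *name) {
    for (size_t i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* The directory as libc reports it: this is the path a preloaded
 * hooking library can filter. */
static int list_via_libc(const char *path, namelist *out) {
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (namelist_add(out, e->d_name) < 0) { closedir(d); return -1; }
    closedir(d);
    return 0;
}

/* The directory as the kernel reports it, bypassing readdir(). Note that
 * syscall() is itself a libc function; a paranoid check would be a
 * statically linked binary or a boot from trusted media. */
static int list_via_syscall(const char *path, namelist *out) {
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct raw_dirent64 *r = (struct raw_dirent64 *)(buf + off);
            if (namelist_add(out, r->d_name) < 0) { close(fd); return -1; }
            off += r->d_reclen;
        }
    }
    close(fd);
    return 0;
}

/* Number of entries the kernel returns but readdir() hides; -1 on error.
 * Each hidden name is printed so the operator can inspect it. */
int count_hidden_entries(const char *path) {
    namelist raw = {0}, lib = {0};
    int hidden = -1;
    if (list_via_syscall(path, &raw) == 0 && list_via_libc(path, &lib) == 0) {
        hidden = 0;
        for (size_t i = 0; i < raw.count; i++)
            if (!namelist_has(&lib, raw.names[i])) {
                printf("hidden from readdir(): %s/%s\n", path, raw.names[i]);
                hidden++;
            }
    }
    namelist_free(&raw); namelist_free(&lib);
    return hidden;
}

/* Self-check on a scratch directory holding one known file. On a clean
 * host both views agree, so the expected result is 0 hidden entries.
 * Returns 1 when the check passes, 0 otherwise. */
int self_check(void) {
    char dir[] = "/tmp/umbreon_check_XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char file[64];
    snprintf(file, sizeof file, "%s/probe", dir);
    int fd = open(file, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) { rmdir(dir); return 0; }
    close(fd);
    namelist raw = {0};
    int ok = list_via_syscall(dir, &raw) == 0 && namelist_has(&raw, "probe")
             && count_hidden_entries(dir) == 0;
    namelist_free(&raw);
    unlink(file); rmdir(dir);
    return ok;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc";
    int n = count_hidden_entries(path);
    if (n < 0) { perror(path); return 2; }
    printf("%d entr%s hidden from libc in %s\n", n, n == 1 ? "y" : "ies", path);
    return n ? 1 : 0;
}
```

A mismatch is a strong signal, not proof: a process that exited or a file created between the two listings also shows up once, so rerun before raising an alarm. The same idea, comparing what libc says with what the kernel says, extends to the hidden user account described above, which would need the /etc/passwd file read raw and compared with what getpwent() returns.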

Umbreon carries another component called Espeon (also named after a Pokémon creature, one with pronounced ears). Espeon is a backdoor: once it sees the attacker's trigger packet, it opens a connection back out to the attacker, which is how it gets past firewalls that only filter inbound connections and gives the hackers a direct line into the infected machine.

Umbreon and Espeon are fictional creatures, but the rootkit and the backdoor it can open are very real threats.
