Pokémon-inspired rootkit attacks Linux systems

A new persistent stealthy malware that can give attackers full control over Linux servers has been discovered by researchers.

Umbreon secure shell login screen.

Researcher Fernando Mercês with security vendor Trend Micro said the malware - a rootkit family - is named after a character in the Pokémon fantasy game called Umbreon.

Umbreon is a dark Pokémon that hides in the night, an "appropriate characteristic for a rootkit," Mercês wrote.

The researchers said Umbreon is manually installed by attacks on systems. It runs on 32 and 64-bit Intel-based Linux machines, and Trend Micro said its researchers were able to operate it on a Raspberry Pi ARM platform as well.

This is because Umbreon is very portable, mostly written in the C programming language without platform-specific code.

Although Umbreon runs in user mode or ring 3 protection level privileges, the malware works around access limitations by hooking into functions from core libraries for reading and writing files, creating new processes or sending network traffic. 

The malware contains another Pokémon-named component, Espeon, a creature with large ears, which used as a reverse shell backdoor on infected systems that bypasses firewalls.

Umbreon attempts to hide the traffic it generates by preventing a network library used on Linux systems from returning any information about the transmission control protocol packets the malware uses.

This means an administrator using the common tcpdump utility would not be able to see the backdoor data traffic Umbreon generates.

Likewise, although Umbreon creates a valid Linux user during the installation for use with Espeon, the malware hooks into the libc system library and hides the malicious account so that admins cannot see it in files such as /etc/passwd.

Since Umbreon is a user level rootkit, it is possible to manually remove the malware by booting up the infected system with a Linux live CD or USB drive, and deleting the malicious files.

Trend Micro warned that inexperienced users attempting to manually remove Umbreon could accidentally damage Linux systems and put them into an unrecoverable state.

The company did not indicate how widespread Umbreon is, or who created the rootkit, but said it released the analysis of the malware to help the industry block the threat.