Slashdot Mirror


Pokemon-Themed Umbreon Rootkit Targets Linux Systems On ARM and x86 (pcworld.com)

New submitter Kinwolf writes: Security researchers have identified a new family of Linux rootkits that, despite running from user mode, can be hard to detect and remove. Called Umbreon, after a Pokemon character that hides in the darkness, the rootkit has been in development since early 2015 and is now being sold on the underground markets. [It targets Linux-based systems on the x86, x86-64 and ARM architectures, including many embedded devices such as routers.] According to malware researchers from antivirus firm Trend Micro, Umbreon is a so-called ring 3 rootkit, meaning that it runs from user mode and doesn't need kernel privileges. Despite this apparent limitation, it is quite capable of hiding itself and persisting on the system. The report adds: "The rootkit uses a trick to hijack the standard C library (libc) functions without actually installing any kernel objects. Umbreon hijacks these functions and forces other Linux executables to use its own libc-like library. This puts the rootkit in a man-in-the-middle position, capable of modifying system calls made by other programs and altering their output. The rootkit also creates a hidden Linux account that can be accessed via any authentication method supported by Linux, including SSH (Secure Shell). This account does not appear in files like /etc/passwd because the rootkit can modify the output of such files when read, the Trend Micro researchers said in a blog post. Umbreon also has a backdoor component called Espereon, named after another Pokemon character, that can establish a reverse shell to an attacker's machine when a TCP packet with special field values is received on the monitored Ethernet interface of an affected device."

96 comments

  1. Only LUDDITES use iOS. by Anonymous Coward · · Score: 0

    The solution is apps, because only apps can app apps!

    Apps!

    1. Re: Only LUDDITES use iOS. by Anonymous Coward · · Score: 0

      +1. Hey buddy where have you been.

  2. How is this possible? by Anonymous Coward · · Score: 2, Interesting

    Linux is supposed to be impervious to such attacks..

    1. Re:How is this possible? by ewhac · · Score: 3, Informative

      The TrendMicro article off-handedly mentions that this malware is installed manually, suggesting physical access to the victim machine is required. This isn't so ridiculous an idea if the victim's machine doesn't have their screensaver set to lock the console (by default, xscreensaver doesn't do this); and if the victim's 'sudo' timeout is sufficiently long (default: 15 minutes).

    2. Re:How is this possible? by Anonymous Coward · · Score: 0

      Or if the attacker is an insider of a device manufacturer.

      Pre-rootkitted routers a dime a dozen in China.

    3. Re: How is this possible? by Dunbal · · Score: 2

      Any system is vulnerable if the user has physical access to the system. There is absolutely nothing stopping you from taking a sledgehammer to the system, too.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:How is this possible? by jandrese · · Score: 3, Informative

      It doesn't even need sudo access. It sounds like it does an LD_PRELOAD on libc and then traps any calls that would identify it.

      --
      I read the internet for the articles.
    5. Re:How is this possible? by Anonymous Coward · · Score: 0

      It's possible because freetards are morons who think Linux is secure through magic pixie dust.

      Microsoft just called and your check is in the mail. Keep up the good work.

    6. Re: How is this possible? by Anonymous Coward · · Score: 0

      Don't tell them that. Now there is going to be a three hour talk at DefCon about a new hack that is truly cross platform!

    7. Re: How is this possible? by macs4all · · Score: 1

      So it's impervious, except not since you quoted how it's not impervious to them. Way to disprove yourself.

      Exactly what I was going to say.

    8. Re: How is this possible? by macs4all · · Score: 1

      Any system is vulnerable if the user has physical access to the system. There is absolutely nothing stopping you from taking a sledgehammer to the system, too.

      Who said anything about physical access? Installing something manually simply means that the installation isn't script-driven. AFAICT, there was nothing mentioned in either TFS or any of the comments so far that states or even implies physical access.

    9. Re: How is this possible? by Narcocide · · Score: 1

      Actually yes, manual installation of a program that runs in userspace to an otherwise remotely un-compromised system does imply physical access, when you're talking about Linux.

    10. Re:How is this possible? by Anonymous Coward · · Score: 0

      Always find my head shaking when I see MS advocacy.

      Assuming it isn't sarcasm, there's always the same feeling of "you poor deluded fool", like with Mormons.

      As if simply holding a stupid belief makes it true.

    11. Re:How is this possible? by Anonymous Coward · · Score: 0

      sudo is for fags. Superuser shell for life, motherfuckers!

    12. Re: How is this possible? by macs4all · · Score: 1

      Actually yes, manual installation of a program that runs in userspace to an otherwise remotely un-compromised system does imply physical access, when you're talking about Linux.

      Even when preceded with the qualifier "after compromising them through other vulnerabilities"???

      If physical access was required, I would have expected that to say "...after gaining physical access to the server".

      See the difference?

    13. Re:How is this possible? by Anonymous Coward · · Score: 4, Insightful

      You're misinterpreting what they mean by "manually".

      Getting malicious code onto a system involves two things: the malicious code (payload), and a means to get code onto a system (exploit). The two are largely orthogonal: any given exploit can be used with a wide variety of payloads.

      This rootkit is just the payload; it doesn't include any specific mechanism to get the rootkit onto the system in the first place.

    14. Re:How is this possible? by Anonymous Coward · · Score: 0

      Go fuck yourself, that's how. Fucking troll cocksucker. You didn't come here for a debate.

    15. Re:How is this possible? by JeanJavaBean · · Score: 1

      So, by "manual" install, this implies someone having physical access to a computer...this can't be done via the internet? Thanks

    16. Re:How is this possible? by gweihir · · Score: 1

      No OS is impervious to user stupidity. In fact, for stupid users, Linux is probably less secure than Windows. For users with some clue, Linux is significantly more secure and this distance increases the more competent the user.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:How is this possible? by gweihir · · Score: 1

      Indeed. This has probably been discovered 30 years ago by Unix hackers and then abandoned as boring. Also not a risk to the system, just to the user that was stupid enough to choose a bad password.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re: How is this possible? by Anonymous Coward · · Score: 0

      What do you think sudo is? It's a fucking super user shell. Smh #feelsbadman. Pogchamp.

  3. Re:The Solution by Anonymous Coward · · Score: 1

    No. The solution is NetBSD with verified exec.

  4. It's this.. by Z80a · · Score: 1

    The alternate evolution of alureon?

  5. How is this a "rootkit"? by 93+Escort+Wagon · · Score: 5, Insightful

    On Windows, are malicious DLLs now being referred to as "rootkits" as well?

    It's malware, sure.

    --
    #DeleteChrome
    1. Re:How is this a "rootkit"? by wierd_w · · Score: 1

      Theoretically, the compromised libc syscalls can be used to fire off system requests as if legit admin user was used, which can be used to execute kernel mode software, such as loading a malicious kernel module.

      If it can pretend to be the root account, it can do whatever it wants.

    2. Re:How is this a "rootkit"? by Gr8Apes · · Score: 1

      yes, but it has to be installed first. Unlike with Windows DLLs, which can be loaded and modded on demand.

      --
      The cesspool just got a check and balance.
    3. Re:How is this a "rootkit"? by Anonymous Coward · · Score: 5, Interesting

      It requires root permissions to install and affects anything that isn't statically linked to glibc, libpcap or a few other libs. Since it patches part of the dynloader, it may even affect those if the program links anything dynamically or tries to use dlopen() manually (such as when loading plugins).

      What it doesn't bother doing is infecting the kernel itself. glibc and ld-linux.so contain all the hooks in userspace you'll ever need to match Windows-style kernel rootkits.

      It sounds like you can only use this kit on an already seriously compromised system, where the attacker has full root access and SELinux isn't getting in the way.

    4. Re:How is this a "rootkit"? by Anonymous Coward · · Score: 0

      This is very similar to a DLL-dropping attack on Windows some years back, where it would wait until the user gave the targeted application UAC approval.
      The reason this is slightly more worthy of the term rootkit is the libc monoculture on Linux, which even includes system tools like ls. Effectively a large part of the OS is hijackable. (Still needs sudo though.)

    5. Re: How is this a "rootkit"? by BarbaraHudson · · Score: 1

      Static linking for the win. Updates don't break existing programs, and it's not like we need to save drive space by using shared libraries.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    6. Re: How is this a "rootkit"? by Anonymous Coward · · Score: 0

      And you only have to recompile everything using a statically linked library that gets a security flaw patched... (instead of just updating the shared object.)

    7. Re: How is this a "rootkit"? by BarbaraHudson · · Score: 1

      So what? What if the flaw is only in the newer library? Or the patched library is incompatible with your software? And you don't have to patch every security flaw in a library - if your application is never calling that portion of the library that has the security bug, screw it - it's totally unnecessary to patch and recompile since the portion that's flawed will never be run.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    8. Re: How is this a "rootkit"? by Anonymous Coward · · Score: 0

      So... all I need to test for this rootkit is run a simple statically-linked checker binary that does not load any .so libraries?

    9. Re: How is this a "rootkit"? by BarbaraHudson · · Score: 1

      The big problem with dynamic linking is that you can specify the library to load at runtime.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
  6. Nice libc hack by Guybrush_T · · Score: 2

    Don't read the article, jump to the blog post. Clear and detailed.

    1. Re:Nice libc hack by bakaorg · · Score: 1

      Indeed the blog post is quite informative.
      Since this is a libc hack, it would seem that docker would be a great way to detect this, since you can get a different libc.
      Running: `docker run -P -it -v /:/mnt ubuntu`
      gives you a root shell under a different libc with all of your filesystems mounted under /mnt
      This is of course speculation since I assume I don't have the rootkit installed, but it seems pretty straightforward.

    2. Re:Nice libc hack by somenickname · · Score: 4, Interesting

      The blog post also seems to imply that you'd need root access to actually install the exploit. In particular: "However, we found that Umbreon also patches the loader library (/lib/x86_64-linux-gnu/ld-2.19.so as an example) to use /etc/ld.so. instead, where is a 7-character-string, matching the length of “preload”."

      So, basically, it needs write access to patch a string in ld.so so that it can hijack the preload functionality. Presumably it does this because a lot of distros will use SELinux to prevent access to /etc/ld.so.preload. The basic idea behind this isn't anything new but, it does seem like it does a number of things to prevent detection.
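The two details in this comment (the loader is patched so that the literal /etc/ld.so.preload is replaced by /etc/ld.so. followed by a different 7-character string, and that replacement file then lives in /etc) suggest a quick integrity check a defender can script. The following C program is an added example written for this page, not code from Trend Micro, the blog post or the rootkit: it reads the loader binary and looks for the literal string "/etc/ld.so.preload", and then lists /etc for names of the form ld.so. plus a seven-character suffix other than preload. The default loader path /lib64/ld-linux-x86-64.so.2 is an assumption for glibc on x86-64 (the page's own example is /lib/x86_64-linux-gnu/ld-2.19.so); the seven-character rule is taken from the quoted text.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Does the loader binary still contain the literal "/etc/ld.so.preload"? Returns 1 if it does,
 * 0 if the string is gone (the patched-loader symptom described in the comment), -1 on error. */
int loader_mentions_preload(const char *loader_path)
{
    static const char needle[] = "/etc/ld.so.preload";
    FILE *f = fopen(loader_path, "rb");
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return -1; }
    long size = ftell(f);
    if (size < 0) { fclose(f); return -1; }
    rewind(f);
    unsigned char *buf = malloc((size_t)size + 1);
    if (!buf) { fclose(f); return -1; }
    size_t got = fread(buf, 1, (size_t)size, f);
    fclose(f);
    int found = memmem(buf, got, needle, sizeof needle - 1) != NULL;
    free(buf);
    return found;
}

/* "ld.so." plus a seven-character suffix other than "preload": the name shape the comment
 * quotes from the Trend Micro post. ld.so.cache, ld.so.conf and ld.so.conf.d do not match. */
int is_odd_ldso_name(const char *name)
{
    if (strncmp(name, "ld.so.", 6) != 0) return 0;
    const char *suffix = name + 6;
    return strlen(suffix) == 7 && strcmp(suffix, "preload") != 0;
}

/* Count such names in etc_dir (normally /etc). Returns the count, or -1 if it cannot be read. */
int count_odd_ldso_names(const char *etc_dir)
{
    DIR *dp = opendir(etc_dir);
    if (!dp) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(dp)) != NULL;)
        if (is_odd_ldso_name(e->d_name)) { printf("unexpected file: %s/%s\n", etc_dir, e->d_name); n++; }
    closedir(dp);
    return n;
}

int main(int argc, char **argv)
{
    /* Assumed default: the glibc x86-64 loader. The page's own example path is
     * /lib/x86_64-linux-gnu/ld-2.19.so; pass the right one for your distribution. */
    const char *loader = argc > 1 ? argv[1] : "/lib64/ld-linux-x86-64.so.2";
    int intact = loader_mentions_preload(loader);
    if (intact < 0) { perror(loader); return 2; }
    printf("%s %s /etc/ld.so.preload\n", loader, intact ? "still references" : "does NOT reference");
    int odd = count_odd_ldso_names("/etc");
    if (odd < 0) { perror("/etc"); return 2; }
    return (intact && odd == 0) ? 0 : 1;
}
```

Both checks go through ordinary libc I/O, so on a host you already suspect they belong in a statically linked binary or should be run from a rescue system against the mounted disk; a loader that no longer mentions /etc/ld.so.preload, or an extra seven-character ld.so.* file in /etc, is the symptom the comment describes and a reason to compare the loader against the package's pristine copy.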

    3. Re:Nice libc hack by TheRaven64 · · Score: 4, Insightful

      The blog post also seems to imply that you'd need root access to actually install the exploit

      It's not an exploit, it's a rootkit. A rootkit is a tool for retaining undetected access to a compromised system, not a tool for compromising the system in the first place.

      --
      I am TheRaven on Soylent News
    4. Re:Nice libc hack by Anonymous Coward · · Score: 0

      That's assuming the docker command itself isn't infected by this libc hack.

    5. Re:Nice libc hack by Anonymous Coward · · Score: 0

      So, basically, it needs write access to patch a string in ld.so so that it can hijack the preload functionality.

      It can do enough damage by setting LD_PRELOAD in some user owned init script. For example it could modify .bashrc and anything that uses bash or has a bash process as ancestor is compromised for that user. There is really no need for root privileges in most cases anyway.

    6. Re:Nice libc hack by Anonymous Coward · · Score: 0

      The blog post also seems to imply that you'd need root access to actually install the exploit

      It's not an exploit, it's a rootkit. A rootkit is a tool for retaining undetected access to a compromised system, not a tool for compromising the system in the first place.

      No it is not. The clue is in root. It doesn't matter how many times you repeat your misinformation, you are wrong.

    7. Re:Nice libc hack by somenickname · · Score: 1

      I'm not sure if I'd call it a rootkit (though, my use of "exploit" was wrong too). It's a pretty amusing use of the preload functionality but, it's not so pervasive that it's difficult to remove. Yeah, it could enable serious badness but, it needs a proper exploit to get onto the system. Anything could cause badness after that.

  7. Newspeak by pigsycyberbully · · Score: 0

    The term rootkit is a concatenation of "root" root/admin-level access. And this program "runs in user mode and cannot get kernel" and yet it's a rootkit. Even antivirus trading companies are now writing and speaking newspeak.

  8. Static Builds? by 0100010001010011 · · Score: 2

    So this attack is rendered useless if you don't link against libc?

    1. Re:Static Builds? by caseih · · Score: 4, Interesting

      Correct. And in the old days, /sbin was called /sbin because it meant "static binaries." Now even core system utilities like ls are dynamically-linked, which makes attacks like this work.

    2. Re:Static Builds? by arth1 · · Score: 3, Interesting

      The root partition also used to be read-only, which was a very good idea for security. These days, tools require write access to /etc and many other places, which makes these kinds of exploits much simpler.

    3. Re:Static Builds? by Gr8Apes · · Score: 1

      And then you have OSX, which no longer allows you even moderately difficult access to various locations within the system libraries, forcing you into "best practices".

      --
      The cesspool just got a check and balance.
    4. Re:Static Builds? by molarmass192 · · Score: 1

      I thought it meant "system binaries", although I really like the idea of a /bin dedicated to binaries with zero external dependencies for system recovery and the like.

      --
      Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
    5. Re:Static Builds? by Anonymous Coward · · Score: 0

      I really don't understand why they dropped /usr/local/etc, /usr/X11R6/etc and put everything into /etc. If you are too stupid to handle different paths you shouldn't have root privilege.

    6. Re:Static Builds? by caseih · · Score: 1

      Yes, you are right. But they also were statically linked because they were meant to be used before /usr is mounted.

    7. Re:Static Builds? by Anonymous Coward · · Score: 0

      sbin was called sbin for system, where binaries essential to the operation of the system went. While static binaries may have been located in /sbin, it is only happenstance.

    8. Re:Static Builds? by TheRaven64 · · Score: 1

      Only Linux did. *BSD still puts system stuff in /etc, all third-party packages into /usr/local/etc. You can lock down /etc quite hard, and it contains all of the configuration required to boot and recover the system. /usr/X11R6/etc went away because it eventually contained just Xorg.conf (and not even that if you're on a fairly recent system where automatic configuration works and you're happy with the defaults), and it didn't make sense to have a separate directory for zero or one files.

      --
      I am TheRaven on Soylent News
    9. Re:Static Builds? by Anonymous Coward · · Score: 0

      And then you have OSX, which no longer allows you even moderately difficult access to various locations within the system libraries, forcing you into "best practices".

      Nope. Forces a "csrutil disable"

    10. Re:Static Builds? by Anonymous Coward · · Score: 0

      Nope. Forces a "csrutil disable"

      And all mac users of course would know obtuse terminal commands.

    11. Re: Static Builds? by Anonymous Coward · · Score: 0

      They probably know how to use Google, though.

  9. Wrong title is wrong by Anonymous Coward · · Score: 1

    Not just misleading, but plain wrong.

    It's not a rootkit and it's not Pokemon-themed.

    How about: "Linux malware gets named for Pokemon"

    1. Re: Wrong title is wrong by Anonymous Coward · · Score: 0

      "Linux and Pokemon are confirmed to be malware"

    2. Re:Wrong title is wrong by Anonymous Coward · · Score: 0

      It has several pokemons, it is pokemon themed.

    3. Re:Wrong title is wrong by FatdogHaiku · · Score: 1

      Not just misleading, but plain wrong.

      It's not a rootkit and it's not Pokemon-themed.

      How about: "Linux malware gets named for Pokemon"

      Dammit what am I gonna do with all these t-shirts I had printed!

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  10. Re:Pwned from Ring 3 by Anonymous Coward · · Score: 0

    Compared to what, Windows? There really needs to be an "Idiot" mod tag.

  11. From TFA, How to... by BringsApples · · Score: 4, Informative

    How to detect Umbreon:

    Most of the tools you will find in Linux are written in C. Even programs written in Perl, Python, Ruby, PHP and other scripting languages end up calling GNU C Library wrappers as their interpreters are also written in C. Because Umbreon library hooks libc functions, creating a reliable tool to detect Umbreon would require a tool that doesn’t use libc.

    One way is to develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly. This bypasses any malicious C library installed by Umbreon. If the output contains one or more files with names starting with libc.so followed by a random integer, this is the red flag that suggests Umbreon is installed in the machine.

    We have also created YARA rules that detect Umbreon, which can be downloaded here.

    Removal Instructions

    Umbreon is a ring 3 (user level) rootkit, so it is possible to remove it. However, it may be tricky and inexperienced users may break the system and put it into an unrecoverable state. If you are brave enough to proceed, the easiest way is to boot the affected machine with Linux LiveCD and follow the steps:

    Mount the partition where the /usr directory is located; write privileges are required.
    Backup all the files before making any changes.
    Remove the file /etc/ld.so..
    Remove the directory /usr/lib/libc.so..
    Restore the attributes of the files /usr/share/libc.so...*.so and remove them as well.
    Patch the loader library to use /etc/ld.so.preload again.
    Umount the partition and reboot the system normally.

    --
    Politics; n. : A religion whereby man is god.
    1. Re:From TFA, How to... by SadButResolved · · Score: 1

      Wouldn't compiling a search tool such as a perl or rkhunter based tool using static vs linked work?

    2. Re:From TFA, How to... by RogueWarrior65 · · Score: 1

      So how would you remove it from an embedded system that doesn't boot from LiveCD?

  12. Obligatory XKCD by jargonburn · · Score: 2

    Compromising the root/admin account is sometimes overrated.

    1. Re:Obligatory XKCD by Anonymous Coward · · Score: 0

      Compromising the root/admin account is sometimes overrated.

      Yeah, getting rid of the admin account totally works for admin purposes.

  13. i'm torn on this one by Anonymous Coward · · Score: 0

    ... targets Linux-based systems on the x86, x86-64 and ARM architectures ... puts the rootkit in a man-in-the-middle position... creates a hidden Linux account ... does not appear in files like /etc/passwd because the rootkit can modify the output of such files... also has a backdoor component called Espereon, named after another Pokemon character...

    Yeah.... but Pokomon!

  14. The year of Windows desktop by Billly+Gates · · Score: 4, Funny

    When will people wake up and say they had enough? Enough of the soo outdated file menus and high color gradients for old people who don't have touch screens and cell phones on their monitors? Enough of no app stores. Enough of too many options and not someone who can make decisions for you on how you use your system?

    If only people learned Windows and saw there is an alternative to Linux.

    The year of the Windows desktop is almost here where you do not have these rootkit problems .... Oh wait!?

    1. Re:The year of Windows desktop by vikingpower · · Score: 1

      Dude, that saveie6.com site is the funniest thing I've seen this year.

      --
      Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
  15. Re: The Solution by Anonymous Coward · · Score: 0

    I want a verified CEO!

  16. Time to go back to a.out for system utilities? by Anonymous Coward · · Score: 5, Informative

    This was actually a contentious issue when the shift to ELF happened back in the 90s on Linux. There was a debate over whether it was better to have fixed binaries that if improperly programmed could have security issues, but were only trojanable if a successful elevation attack took place, or ELF binaries which would allow all sorts of fun relocation features, help cut down on memory usage by making symbols easier to relocate, which could also be used with dynamic address relocation (not actually available on Linux for quite a few more years.) to enhance security by making stack smashing attacks more difficult. But as a big potential downside in regards to ELF files, they allowed library preloading in a manner indistinguishable from normal operation, which is a boon for ensuring future portability of binaries, but a huge bane for system integrity and security.

    And now we have an example of that being true at the unprivileged user level. The only thing I am not sure about is if they can escalate privileges, since suid binaries are explicitly supposed to ignore LD_PRELOAD settings to ensure such trojaning doesn't happen.

    1. Re:Time to go back to a.out for system utilities? by TheRaven64 · · Score: 3, Informative

      Note that this is a rootkit. The purpose of a rootkit is to retain access to a system that you've already compromised, without being detected. The goal is that normal system administration tasks won't suddenly lock you out. For example, when the user updates their coreutils package, the package installer doesn't fail because your evil binaries have the wrong signature and your binaries are not replaced by uncompromised ones.

      --
      I am TheRaven on Soylent News
    2. Re:Time to go back to a.out for system utilities? by gweihir · · Score: 0

      No it is not. It is a "user-kit". A rootkit serves to retain root-access.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. easy way to discover umberon? by Anonymous Coward · · Score: 0

    Will running a statically linked busybox version of ls reveal this rootkit?
    I did:
    $ sudo apt-get install busybox-static
    $ /bin/busybox ls /etc

    Can anyone confirm?

    1. Re:easy way to discover umberon? by Anonymous Coward · · Score: 0

      [AC because I mod you up]
      Correct AFAIK. But what result will prove the presence of the infection?
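The detection advice quoted from the Trend Micro post in the "From TFA, How to..." comment (list the rootkit folder using kernel syscalls directly, look for names of the form libc.so followed by an integer) and the question just above (what result from a statically linked ls would actually prove infection) can be folded into one check. The following C program is an added example written for this page, not Trend Micro's tool or anything from the Umbreon post: it enumerates a directory twice, once through openat/getdents64/close issued with inline assembly so no libc wrapper is involved (x86-64 and AArch64 only, an assumption about the host), and once through libc's opendir/readdir, then reports every entry the kernel shows but libc does not, plus any name matching libc.so followed by digits. The /usr/lib default and the libc.so<digits> pattern come from the quoted text; on a clean system both counts are zero.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>

#define NAME_LEN    256
#define MAX_ENTRIES 4096

/* Record layout the kernel writes for getdents64 (see getdents(2)); libc's dirent is not used. */
struct kdirent64 { uint64_t d_ino; int64_t d_off; unsigned short d_reclen; unsigned char d_type; char d_name[]; };

/* Three-argument system call issued with inline assembly, so no libc wrapper (and therefore
 * no LD_PRELOAD hook) sits between this code and the kernel. A negative result is -errno. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
#if defined(__x86_64__)
    long ret;
    __asm__ volatile ("syscall" : "=a"(ret) : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                      : "rcx", "r11", "memory");
    return ret;
#elif defined(__aarch64__)
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a1;
    register long x1 __asm__("x1") = a2;
    register long x2 __asm__("x2") = a3;
    __asm__ volatile ("svc #0" : "+r"(x0) : "r"(x8), "r"(x1), "r"(x2) : "memory");
    return x0;
#else
#error "raw_syscall3 is only written for x86-64 and AArch64 Linux"
#endif
}

/* Name pattern quoted from the Trend Micro advice: "libc.so" followed by an integer. */
int is_suspicious_name(const char *name)
{
    if (strncmp(name, "libc.so", 7) != 0 || !isdigit((unsigned char)name[7])) return 0;
    for (const char *p = name + 7; *p; p++)
        if (!isdigit((unsigned char)*p)) return 0;
    return 1;
}

/* Kernel view: openat/getdents64/close straight to the kernel. Returns entry count or -1. */
int list_dir_raw(const char *dir, char names[][NAME_LEN], int max)
{
    long fd = raw_syscall3(SYS_openat, AT_FDCWD, (long)dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[8192] __attribute__((aligned(8)));
    int n = 0;
    for (;;) {
        long got = raw_syscall3(SYS_getdents64, fd, (long)buf, sizeof buf);
        if (got <= 0) { if (got < 0) n = -1; break; }
        for (long off = 0; off < got;) {
            struct kdirent64 *d = (struct kdirent64 *)(buf + off);
            if (n < max) { snprintf(names[n], NAME_LEN, "%s", d->d_name); n++; }
            off += d->d_reclen;
        }
    }
    raw_syscall3(SYS_close, fd, 0, 0);
    return n;
}

/* libc view: the opendir/readdir path that a preloaded library can hook. Same contract. */
int list_dir_libc(const char *dir, char names[][NAME_LEN], int max)
{
    DIR *dp = opendir(dir);
    if (!dp) return -1;
    int n = 0;
    for (struct dirent *e; (e = readdir(dp)) != NULL;)
        if (n < max) { snprintf(names[n], NAME_LEN, "%s", e->d_name); n++; }
    closedir(dp);
    return n;
}

/* Compare both views of `dir`. Stores the number of libc.so<digits> names in *suspicious and
 * returns how many kernel-visible names libc failed to report (-1 on error). Clean: 0 and 0. */
int audit_dir(const char *dir, int *suspicious)
{
    static char raw[MAX_ENTRIES][NAME_LEN], seen[MAX_ENTRIES][NAME_LEN];
    int nraw = list_dir_raw(dir, raw, MAX_ENTRIES);
    int nlib = list_dir_libc(dir, seen, MAX_ENTRIES);
    if (nraw < 0 || nlib < 0) return -1;
    int hidden = 0; *suspicious = 0;
    for (int i = 0; i < nraw; i++) {
        if (is_suspicious_name(raw[i])) (*suspicious)++;
        int found = 0;
        for (int j = 0; j < nlib && !found; j++) found = strcmp(raw[i], seen[j]) == 0;
        if (!found) { printf("hidden from libc: %s/%s\n", dir, raw[i]); hidden++; }
    }
    return hidden;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/usr/lib";   /* directory named in the quoted removal steps */
    int suspicious = 0, hidden = audit_dir(dir, &suspicious);
    if (hidden < 0) { perror(dir); return 2; }
    printf("%s: %d entries hidden from libc, %d names matching libc.so<digits>\n", dir, hidden, suspicious);
    return (hidden > 0 || suspicious > 0) ? 1 : 0;
}
```

The interesting result is the difference between the two listings: a statically linked ls alone only tells you what is on disk, while an entry the kernel returns and libc's readdir omits is direct evidence that the libc path is being filtered. The report itself still goes out through printf, so a fully paranoid build links with -static -nostdlib and writes its verdict with a raw write system call; and a directory that changes between the two passes shows a spurious difference, so rerun on a quiet system before treating a hit as infection.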

  18. It has to be run with privileges ? by Anonymous Coward · · Score: 0

    So, if you run this malware with privileges it can modify the system?
    Color me shocked.

    On other news, if a desktop is configured with admin access without password, bad things can happen.

    Any other amazing news like this? I can't wait.

    Posting anonymously because too lazy to find my password.
    -- Thanatiel

  19. wow by Anonymous Coward · · Score: 0

    looks like the furries just learned how to skiddie.

  20. A new systemD feature by Anonymous Coward · · Score: 0

    This is not a rootkit, but a new cool systemD feature found in latest Fedora release, it will be rolled out to other distributions in the coming months. The problem is that libc is full of cruft and written by oldhats so we need to replace that, but as anyone knows, systemD is MODULAR so if you are a smelly LUDDITE you can disable the feature until it becomes a required dependency.

    Why is Linux so oldhat and crufty, why could it not just be a cool Electron app?

    1. Re:A new systemD feature by slashways · · Score: 1

      You are right; On a classical UNIX setup, all the directories/files described in this 'blog' are only writable by 'root'; So the malware can't compromise the full system. It requires something bypassing the classical security layers, maybe SystemD?

  21. No physical access needed by Anonymous Coward · · Score: 0

    Hi there. The article says "manual install" but that can be remote for sure. It is just a program. Once the server is compromised by web application vulns for example, the attacker can get a shell, escalate privileges and install the rootkit *remotely*.

    1. Re: No physical access needed by Anonymous Coward · · Score: 0

      "manual installation" means no automated way for infection like ordinary worms have.

  22. 2016 timberland pas cher by shenhaisui · · Score: 0

    timberland pas cher If you love fashion you necessarily love shoes. Every great fashionista at heart is a shoe addict in the making! With shoes, the advantage is that there really is something for every style and every taste. The problem is that, as a result, you no longer really know what to do and above all what to choose. The whole thing is knowing what is trendy and what to wear depending on the outfit and the occasion. But don't worry: thanks to us, fashion will no longer hold any secrets for you! For a big party or a wedding you can't wear just anything. This kind of event takes preparation. You have to be perfect. An exceptional occasion deserves exceptional measures!

    1. Re:2016 timberland pas cher by a_claudiu · · Score: 1

      I believe this comment is linked to linux memory footprint.

  23. This is why no one subscribes to PC World anymore by ComputerGeek01 · · Score: 1

    The rootkit uses a trick to hijack the standard C library (libc) functions without actually installing any kernel objects.

    This is literally the only interesting part about this announcement and there is jack-all details about how it's doing this. How does this accomplish what it does on Ring 3? I'd imagine that it uses an inline function hook, but I'd like to know for sure.

  24. Slashdot Editors fail again by Anonymous Coward · · Score: 0

    Espereon is not a pokemon! The proper spelling is Espeon: http://bulbapedia.bulbagarden.net/wiki/Espeon

  25. It's Espeon by Anonymous Coward · · Score: 0

    "News for nerds. Stuff that matters", my foot!

  26. MAJOR Error in Article! by Anonymous Coward · · Score: 0

    Long time poke-fan here. The companion pokemon to Umbreon is Espeon, not "Espereon"
    When your Eevee's happiness meter is maxed out and you level up during nighttime, you get Umbreon. If you level up the Eevee during the day you get Espeon.
    Seriously, pokemon has been out for 20 years now, get your facts straight people!

  27. Rootkit targets Linux-based systems? by khz6955 · · Score: 1

    How exactly does this rootkit get to install and run on the target system, without the end user explicitly downloading and running the app?

    "Umbreon is manually installed onto an affected device or server by the attacker."

    So, the device has to be already compromised and requires manual installation, nothing to see here ..

    1. Re:Rootkit targets Linux-based systems? by Anonymous Coward · · Score: 0

      Your hubris will be your undoing.

      You (and endless other Linux wonks) seem to think that the proliferation of malware targeting Linux is "no big deal". It is a big deal. This is a standardized method of compromising large numbers of systems. This is malware for the masses. Linux has become a Great Big Target with ever more attention from the Black Hats.

      Also, user-enabled exploits are "Nothing to See Here?" You are aware, are you not, that social engineering is in the Top 5 attack techniques, in the entire world now? Just because you can talk a user into doing something they should not do, does not allow you to pretend that attack vector doesn't exist. Whether you like it or not, users are now the weak link in our security systems. That makes it your problem.

      If you really think there is Nothing to See Here, Move Along, then you aren't a professional. That's the bottom line. You have to do everything in your power to protect your users, even when they are weak, dumb, or insufficiently educated. Our security systems need to be user-resistant. Make them so strong that a single dumb act by the users, does not compromise the entire system.

      Multiple dumb acts? Well then that's a matter for Human Resources. However anyone can make one mistake.

  28. Aha by easyTree · · Score: 1

    Pokemon-Themed Umbreon Rootkit Targets Linux Systems On ARM and x86

    You just wasted your time writing this, suckers!! Linux is secure by design/default (take ur pick)

  29. I said it once, I say it again by Anonymous Coward · · Score: 0

    Only way to be protected from hackers is to not be on the internet.

  30. Pokemon themed? by michael_wojcik · · Score: 1

    How sad when names from an innocent game about child slavemasters running gladiatorial contests are used for something wicked.

    Next they'll be using it to encourage loitering, trespassing, and distracted driving. Just you watch.