Slashdot Mirror


Pokemon-Themed Umbreon Rootkit Targets Linux Systems On ARM and x86 (pcworld.com)

New submitter Kinwolf writes: Security researchers have identified a new family of Linux rootkits that, despite running from user mode, can be hard to detect and remove. Called Umbreon, after a Pokemon character that hides in the darkness, the rootkit has been in development since early 2015 and is now being sold on the underground markets. [It targets Linux-based systems on the x86, x86-64 and ARM architectures, including many embedded devices such as routers.] According to malware researchers from antivirus firm Trend Micro, Umbreon is a so-called ring 3 rootkit, meaning that it runs from user mode and doesn't need kernel privileges. Despite this apparent limitation, it is quite capable of hiding itself and persisting on the system. The report adds: "The rootkit uses a trick to hijack the standard C library (libc) functions without actually installing any kernel objects. Umbreon hijacks these functions and forces other Linux executables to use its own libc-like library. This puts the rootkit in a man-in-the-middle position, capable of modifying system calls made by other programs and altering their output. The rootkit also creates a hidden Linux account that can be accessed via any authentication method supported by Linux, including SSH (Secure Shell). This account does not appear in files like /etc/passwd because the rootkit can modify the output of such files when read, the Trend Micro researchers said in a blog post. Umbreon also has a backdoor component called Espereon, named after another Pokemon character, that can establish a reverse shell to an attacker's machine when a TCP packet with special field values is received on the monitored Ethernet interface of an affected device."
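The summary's key technical point is that a ring 3 rootkit sitting between a program and libc can rewrite what that program sees when it reads /etc/passwd, without any kernel component. One defender-side consequence is that the libc view of a file and a raw-syscall view of the same file should always agree on a clean host, and a hidden account shows up as a line that disappears only in the libc view. The program below is an added example for this page, not code from the article, from pcworld or from Trend Micro's write-up: it reads a file once through fopen()/fread() and once through openat(2)/read(2) via syscall(2), then counts lines present in the raw view but missing from the libc view. It assumes Linux, that the interposing library hooks the usual open/read/stdio wrappers but not the syscall(2) entry point (a stronger interposer could hook that too; inline assembly would be the next step), and it uses a constructed passwd-style sample for its self-check.

```c
/* Added example: detect user-mode libc interposition by comparing the libc
 * view of a file with a raw-syscall view. Not from the article or Trend Micro.
 * Assumptions: Linux, and that the hooked library does not also wrap syscall(2). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read up to cap-1 bytes through the ordinary libc path (fopen/fread). A
 * libc-hijacking rootkit loaded into this process sees and can rewrite this
 * data, which is the man-in-the-middle position the summary describes. */
static ssize_t read_via_libc(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Read the same file via syscall(2) -> openat/read/close, bypassing the
 * open()/read()/fopen() wrappers a replacement "libc-like" library supplies.
 * Caveat: syscall() is itself a libc symbol and could be interposed as well. */
static ssize_t read_via_syscall(const char *path, char *buf, size_t cap) {
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < cap - 1) {
        long n = syscall(SYS_read, (int)fd, buf + total, cap - 1 - total);
        if (n <= 0) break;            /* 0 = EOF, negative = error */
        total += (size_t)n;
    }
    syscall(SYS_close, (int)fd);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Count non-empty lines that occur in the raw view but not in the libc view.
 * For /etc/passwd that is exactly the "hidden account" symptom. */
int count_hidden_lines(const char *raw, const char *via_libc) {
    int hidden = 0;
    for (const char *p = raw; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) {
            int found = 0;
            for (const char *q = via_libc; *q; ) {
                const char *qnl = strchr(q, '\n');
                size_t qlen = qnl ? (size_t)(qnl - q) : strlen(q);
                if (qlen == len && memcmp(p, q, len) == 0) { found = 1; break; }
                if (!qnl) break;
                q = qnl + 1;
            }
            if (!found) hidden++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return hidden;
}

/* Compare both views of one file. Returns the number of lines hidden from the
 * libc view (0 = consistent), or -1 if the file could not be read. */
int hidden_lines_in_file(const char *path) {
    static char raw[65536], lib[65536];
    if (read_via_syscall(path, raw, sizeof raw) < 0) return -1;
    if (read_via_libc(path, lib, sizeof lib) < 0) return -1;
    return count_hidden_lines(raw, lib);
}

/* Self-check on a constructed passwd-style temp file: in an uninfected process
 * both views agree, so the result is 0. */
int self_check(void) {
    char tmpl[] = "/tmp/passwd-view-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    const char *sample = "root:x:0:0:root:/root:/bin/bash\n"
                         "alice:x:1000:1000::/home/alice:/bin/sh\n";
    if (write(fd, sample, strlen(sample)) < 0) { close(fd); unlink(tmpl); return -1; }
    close(fd);
    int hidden = hidden_lines_in_file(tmpl);
    unlink(tmpl);
    return hidden;
}

int main(void) {
    int n = hidden_lines_in_file("/etc/passwd");
    if (n < 0) { perror("/etc/passwd"); return 1; }
    printf("/etc/passwd: %d line(s) visible to the raw read but not to libc\n", n);
    return n == 0 ? 0 : 2;
}
```

Run it as an unprivileged user; a non-zero count for /etc/passwd, /etc/shadow (as root) or /proc/net/tcp is worth investigating, and because the check runs inside the possibly-hooked process, a clean result is only as strong as the assumption that syscall(2) itself was not replaced. Booting from known-good media and comparing the file offline remains the conclusive check.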

3 of 96 comments

  1. How is this a "rootkit"? by 93 Escort Wagon · Score: 5, Insightful

    On Windows, are malicious DLLs now being referred to as "rootkits" as well?

    It's malware, sure.

    --
    #DeleteChrome
  2. Re:How is this possible? by Anonymous Coward · Score: 4, Insightful

    You're misinterpreting what they mean by "manually".

    Getting malicious code onto a system involves two things: the malicious code (payload), and a means to get code onto a system (exploit). The two are largely orthogonal: any given exploit can be used with a wide variety of payloads.

    This rootkit is just the payload; it doesn't include any specific mechanism to get the rootkit onto the system in the first place.

  3. Re:Nice libc hack by TheRaven64 · Score: 4, Insightful

    The blog post also seems to imply that you'd need root access to actually install the exploit

    It's not an exploit, it's a rootkit. A rootkit is a tool for retaining undetected access to a compromised system, not a tool for compromising the system in the first place.

    --
    I am TheRaven on Soylent News