Slashdot Mirror


Pokemon-Themed Umbreon Rootkit Targets Linux Systems On ARM and x86 (pcworld.com)

New submitter Kinwolf writes: Security researchers have identified a new family of Linux rootkits that, despite running from user mode, can be hard to detect and remove. Called Umbreon, after a Pokemon character that hides in the darkness, the rootkit has been in development since early 2015 and is now being sold on the underground markets. [It targets Linux-based systems on the x86, x86-64 and ARM architectures, including many embedded devices such as routers.] According to malware researchers from antivirus firm Trend Micro, Umbreon is a so-called ring 3 rootkit, meaning that it runs from user mode and doesn't need kernel privileges. Despite this apparent limitation, it is quite capable of hiding itself and persisting on the system. The report adds: "The rootkit uses a trick to hijack the standard C library (libc) functions without actually installing any kernel objects. Umbreon hijacks these functions and forces other Linux executables to use its own libc-like library. This puts the rootkit in a man-in-the-middle position, capable of modifying system calls made by other programs and altering their output. The rootkit also creates a hidden Linux account that can be accessed via any authentication method supported by Linux, including SSH (Secure Shell). This account does not appear in files like /etc/passwd because the rootkit can modify the output of such files when read, the Trend Micro researchers said in a blog post. Umbreon also has a backdoor component called Espereon, named after another Pokemon character, that can establish a reverse shell to an attacker's machine when a TCP packet with special field values is received on the monitored Ethernet interface of an affected device."

5 of 96 comments

  1. How is this possible? by Anonymous Coward · · Score: 2, Interesting

    Linux is supposed to be impervious to such attacks.

  2. Re:Static Builds? by caseih · · Score: 4, Interesting

    Correct. And in the old days, /sbin was called /sbin because it meant "static binaries." Now even core system utilities like ls are dynamically-linked, which makes attacks like this work.

  3. Re:Static Builds? by arth1 · · Score: 3, Interesting

    The root partition also used to be read-only, which was a very good idea for security. These days, tools require write access to /etc and many other places, which makes these kinds of exploits much simpler.

  4. Re:Nice libc hack by somenickname · · Score: 4, Interesting

    The blog post also seems to imply that you'd need root access to actually install the exploit. In particular: "However, we found that Umbreon also patches the loader library (/lib/x86_64-linux-gnu/ld-2.19.so as an example) to use /etc/ld.so. instead, where is a 7-character-string, matching the length of “preload”."

    So, basically, it needs write access to patch a string in ld.so so that it can hijack the preload functionality. Presumably it does this because a lot of distros will use SELinux to prevent access to /etc/ld.so.preload. The basic idea behind this isn't anything new, but it does seem like it does a number of things to prevent detection.
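The summary's description of libc hijacking and the quoted Trend Micro finding in this comment suggest one concrete integrity check a defender can run: glibc's dynamic loader embeds the literal string "/etc/ld.so.preload", so a loader whose only "/etc/ld.so.XXXXXXX" string is something other than "preload" has had that constant replaced. The script below is an added example written for this thread, not code from Trend Micro, the poster, or the Umbreon sample; the loader paths in LOADER_CANDIDATES and the sample byte strings are assumptions and constructed test data, and the "abcdefg" substitute is a placeholder, not a real indicator.

```python
"""Check a glibc dynamic loader for a replaced ld.so.preload path.

Added example for the Slashdot thread on Umbreon. It looks for every string of
the form "/etc/ld.so." + exactly seven bytes inside the loader image, reports
whether the genuine "/etc/ld.so.preload" is present, and lists any same-length
substitutes. It also lists what /etc/ld.so.preload currently references.
"""
import os
import re
import sys

PRELOAD_PATH = "/etc/ld.so.preload"

# "/etc/ld.so." followed by exactly seven bytes that are neither NUL nor '/',
# and not followed by another such byte. This matches the genuine name and any
# seven-character substitute, but not /etc/ld.so.cache or /etc/ld.so.conf.
CANDIDATE_RE = re.compile(rb"/etc/ld\.so\.[^\x00/]{7}(?![^\x00/])")

# Assumed loader locations on common glibc targets; adjust for your distro.
LOADER_CANDIDATES = [
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-armhf.so.3",
    "/lib/ld-linux-aarch64.so.1",
]

# Constructed sample images for offline demonstration (not real loader bytes).
CLEAN_SAMPLE = b"\x00/etc/ld.so.preload\x00/etc/ld.so.cache\x00libc.so.6\x00"
PATCHED_SAMPLE = b"\x00/etc/ld.so.abcdefg\x00/etc/ld.so.cache\x00libc.so.6\x00"


def preload_candidates(loader_bytes):
    """Return the distinct /etc/ld.so.XXXXXXX strings embedded in the image."""
    return sorted({m.group(0).decode("latin-1")
                   for m in CANDIDATE_RE.finditer(loader_bytes)})


def assess_loader(loader_bytes):
    """Classify a loader image: genuine path present, and any substitutes."""
    found = preload_candidates(loader_bytes)
    unexpected = [p for p in found if p != PRELOAD_PATH]
    present = PRELOAD_PATH in found
    return {
        "preload_present": present,
        "unexpected_paths": unexpected,
        # A missing genuine string is also worth a look: glibc always carries
        # it, so its absence means either a non-glibc loader or tampering.
        "suspicious": bool(unexpected) or not present,
    }


def find_loader():
    """Return the first existing loader path from the assumed candidates."""
    for path in LOADER_CANDIDATES:
        if os.path.exists(path):
            return os.path.realpath(path)
    return None


def read_preload_entries(path=PRELOAD_PATH):
    """Return the non-empty lines of the preload file, or None if absent."""
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        return [line.strip().decode("latin-1") for line in fh if line.strip()]


def main():
    loader = find_loader()
    if loader is None:
        print("no glibc loader found at the assumed locations")
        return 2
    with open(loader, "rb") as fh:
        verdict = assess_loader(fh.read())
    print(f"loader: {loader}")
    print(f"  genuine {PRELOAD_PATH} string present: {verdict['preload_present']}")
    for path in verdict["unexpected_paths"]:
        print(f"  substitute preload path embedded in loader: {path}")
    entries = read_preload_entries()
    print(f"  {PRELOAD_PATH} entries: {entries if entries is not None else 'file absent'}")
    return 1 if verdict["suspicious"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats when using this on a live host. First, as the thread notes, the loader and libc on an infected machine are exactly the components being subverted, so file reads from an interpreter that was itself loaded through them are not trustworthy; run the check from a statically linked binary, a rescue image, or against a mounted copy of the filesystem. Second, a loader with no "/etc/ld.so.preload" string at all is normal on systems that do not use glibc (musl, for instance), so treat "preload_present: False" as a prompt to identify the libc rather than as a verdict on its own.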

  5. Re:How is this a "rootkit"? by Anonymous Coward · · Score: 5, Interesting

    It requires root permissions to install and affects anything that isn't statically linked to glibc, libpcap or a few other libs. Since it patches part of the dynloader, it may even affect those if the program links anything dynamically or tries to use dlopen() manually (such as when loading plugins).

    What it doesn't bother doing is infecting the kernel itself. glibc and ld-linux.so contain all the hooks in userspace you'll ever need to match Windows-style kernel rootkits.

    It sounds like you can only use this kit on an already seriously compromised system, where the attacker has full root access and SELinux isn't getting in the way.