A rootkit aimed at Linux systems running on the x86, ARM and embedded platforms has been in development since last year and runs in user mode on an affected system, according to researchers at Trend Micro.
Yet, the rootkit, known as Umbreon after the Pokémon character, and described by researchers from the security firm, is difficult to remove because it intercepts calls by the standard C library (libc) used by Linux systems.
There is one positive factor: Umbreon needs to be manually installed on a victim's device after access has been gained by some other means.
Tools to detect it are also hampered by the same property as they are written in C and rely on libc.
{loadposition sam08}The developer of Umbreon has been active in the cybercriminal undergrounds for at least three years, Trend Micro said.
The researchers said executable code could run on a system in user mode (ring 3), kernel mode (ring 0), hypervisor (ring -1) and system management mode (ring -2).
Given that Umbreon runs in user mode, it does not install kernel objects on a system, but intercepts functions from core libraries that are used by programs as interfaces to system calls.
These system calls run operations such as reading and writing of files, spawning processes, or sending packets over a network.
The researchers wrote: "It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode."
They said they had been able to get the rootkit running on the x86, x86_64 and ARM platforms. "The rootkit is very portable because it does not rely on platform-specific code: it is written in pure C, except for some additional tools that are written in Python and Bash scripting."
When Umbreon is installed, it creates a valid user that an attacker can use, via a backdoor, to gain access to the affected system. This user has a special group ID that is checked by the rootkit to see if the attacker is trying to gain access.
When the affected system is accessed, it shows the login screen below.
The backdoor component of this rootkit has been dubbed Espeon, again the name of a Pokémon character, and it spawns a shell when the attacker establishes a connection. It can be instructed, through a specially crafted TCP packet, to connect to an attacker's machine providing a reverse shell to bypass a firewall.
Given that existing means of detecting rootkits on a Linux system will not work with Umbreon, the researchers said one way around this was to "develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly".
They said they had developed YARA rules to detect Umbreon. YARA is a tool to aid researchers in identifying and classifying malware families. Descriptions of malware families are based on textual or binary information in samples.
The Trend Micro researchers have also provided instructions for removal of Umbreon.