Linux rootkit, named for Pokémon's Umbreon, targets Linux

A new rootkit family, dubbed Umbreon after a character in the popular Pokémon game who hides in the night, has been detected targeting Linux users, according to a Monday post by Trend Micro researchers.

The rootkit, which Trend Micro designated the ELF_UMBREON family, must be installed manually on an affected device or server by the attacker. Once installed, it gives the attacker control of the system. Like other rootkits, it is built to evade detection by security tools and administrators.

Because the rootkit is largely written in C and does not rely on platform-specific code, the researchers were able to install Umbreon on three different platforms: x86, x86-64 and ARM (Raspberry Pi). The report said it was designed to run on these platforms.

"During installation, Umbreon creates a valid Linux user that the attacker can use with a backdoor into the affected system," the report said. "This backdoor account can be accessed via any authentication method supported by Linux via pluggable authentication modules (PAMs), including SSH."

A second component, Espeon, also named after a Pokémon character, can be directed to connect out to an attacker-controlled machine and act as a reverse shell, which lets the attacker bypass firewalls. Espeon also captures TCP traffic arriving on the affected computer's primary Ethernet interface.

"This is an advanced and sophisticated malicious tool," Christopher Budd, global threat communications manager at Trend Micro, told SCMagazine.com on Tuesday. "The fact that it targets Linux like this shows how Linux is a pervasive part of the computing landscape these days."

The fact that this rootkit is portable and can run on multiple processor architectures – x86, x86-64 and ARM – shows how the portability of Linux can also translate to portability for Linux-based malware, Budd added.