Pokemon is still in the spotlight, but this time not because of the popular application developed by Niantic for iOS and Android.
Trend Micro, a major vendor of Internet data protection and cloud security products, detected a few days ago a new rootkit that targets Linux-based devices. The rootkit is able to strike 32-bit or 64-bit systems based on either Intel or ARM processors. Even embedded systems (such as routers) are at risk.
The rootkit is named Umbreon: in the video game, Umbreon is a Pokemon that hides in the shadows, hence the name of the malware.
After infiltrating your PC, Umbreon creates a user account that the attackers use to access the device via SSH. The picture below shows the welcome screen displayed when this backdoor account is accessed via SSH:
Trend Micro has flagged Umbreon as a ring 3 rootkit, which means it doesn't touch the kernel but acts at the user level, where it is able to spy on everything you do with your PC. It is also able to intercept the most important system calls (read, write) of the operating system.
Umbreon is entirely written in C and it replaces the glibc (GNU C library): the dynamic loader is made to load the fake libraries instead of the original ones, so every program linked against libc sees what the rootkit wants it to see. Therefore, it is only detectable by software that does not rely on libc (for example statically linked tools, or tools run from a clean live system against the mounted disk).
The Espeon backdoor
Espeon, another Pokemon name, is a backdoor used by the attackers to access the systems infected with Umbreon. Espeon spawns a shell when an authenticated user connects to it, and it can be configured to establish a connection to an attacker machine, running as a reverse shell to bypass firewalls.
Umbreon is a ring 3 (user level) rootkit, so it is possible to remove it. However, it may be tricky, and inexperienced users may break the system and put it into an unrecoverable state. If you are brave enough to proceed, the easiest way is to boot the affected machine with a Linux LiveCD and follow these steps:
1. Mount the partition where the /usr directory is located; write privileges are required.
2. Back up all the files before making any changes.
3. Remove the file /etc/ld.so.<random> (the suffix is chosen at random by the malware).
4. Remove the directory /usr/lib/libc.so.<random>.
5. Restore the attributes of the files /usr/share/libc.so.<random>.* so that they can be removed.
6. Patch the loader library to use /etc/ld.so.preload again.
7. Unmount the partition and reboot the system normally.
Here is a real-life example (please notice file names will vary as they are randomly chosen by the malware). In the following case, /dev/sda1 is the partition containing the /usr directory.
# mount /dev/sda1 /mnt
# rm -f /mnt/etc/ld.so.khVrkEQ
# rm -rf /mnt/usr/lib/libc.so.41762810374176281037/
# chattr -ai /mnt/usr/share/libc.so.4176281037.*
# rm -f /mnt/usr/share/libc.so.4176281037.*
# sed -i 's:/etc/ld\.so\.khVrkEQ:/etc/ld.so.preload:' /mnt/lib/x86_64-linux-gnu/ld-2.19.so
# umount /mnt
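As an added example (not part of the original article nor of Trend Micro's tooling), the following shell script checks a root filesystem mounted from a LiveCD for the artefacts described above: a preload file with a random suffix in /etc, a directory named like libc.so under /usr/lib, leftover copies under /usr/share, and a dynamic loader whose embedded preload path is no longer /etc/ld.so.preload. The function names, the sample tree and the loader stand-in are constructed for this demo; a real check would be pointed at the mount point (e.g. /mnt) instead.

```shell
#!/bin/sh
# Offline Umbreon indicator scan. Run from a clean live system against a
# mounted root so that the infected host's hooked libc is never involved.

# Print one line per indicator found under root "$1"; return 1 if any is found.
umbreon_scan() {
    root="${1%/}"; found=0
    # 1. A preload list hiding under a random name next to the real one
    for f in "$root"/etc/ld.so.*; do
        [ -e "$f" ] || continue
        case "$f" in
            */ld.so.preload|*/ld.so.cache|*/ld.so.conf|*/ld.so.conf.d) continue ;;
        esac
        echo "suspicious preload file: $f"; found=1
    done
    # 2. Fake libc shipped as a directory (a genuine libc.so.* is a file or symlink)
    for d in "$root"/usr/lib/libc.so.*; do
        [ -d "$d" ] || continue
        echo "fake libc directory: $d"; found=1
    done
    # 3. Copies parked under /usr/share, where no libc belongs
    for f in "$root"/usr/share/libc.so.*; do
        [ -e "$f" ] || continue
        echo "libc copy under /usr/share: $f"; found=1
    done
    # 4. Loader whose preload path string was rewritten (cache/conf are legitimate)
    for ld in "$root"/lib/*/ld-*.so "$root"/lib64/ld-*.so; do
        [ -f "$ld" ] || continue
        if grep -aoE '/etc/ld\.so\.[A-Za-z0-9]+' "$ld" \
           | grep -qvE '^/etc/ld\.so\.(preload|cache|conf)$'; then
            echo "patched loader (preload path altered): $ld"; found=1
        fi
    done
    return $found
}

# Constructed sample tree imitating an infected root mounted at "$1".
make_sample_root() {
    mkdir -p "$1/etc" "$1/usr/lib/libc.so.4176281037" "$1/usr/share" "$1/lib/x86_64-linux-gnu"
    : > "$1/etc/ld.so.preload"                                          # legitimate
    echo "/usr/lib/libc.so.4176281037/libc.so" > "$1/etc/ld.so.khVrkEQ"  # rogue list
    : > "$1/usr/share/libc.so.4176281037.so"
    # Stand-in for a loader binary whose "/etc/ld.so.preload" string was patched
    printf '\177ELF\000/etc/ld.so.cache\000/etc/ld.so.khVrkEQ\000' \
        > "$1/lib/x86_64-linux-gnu/ld-2.19.so"
}

# Scan the constructed tree and print how many indicators were found (4 expected).
demo_count() {
    tmp=$(mktemp -d); make_sample_root "$tmp"
    umbreon_scan "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```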