Pokemon Themed ‘Umbreon’ Rootkit Hides In Linux Systems

Trend Micro cyber security researchers have uncovered a Pokemon themed malicious rootkit that targets Linux systems, including embedded systems such as Raspberry Pi.

The rootkit, called Umbreon after a Pokemon character that conceals itself in the night, is difficult to detect because it modifies the outputs of common system commands to remove traces of its existence, according to researchers.

Invisible

“It effectively functions as an in-the-middle attack, modifying both the input and output of system functions,” wrote Trend Micro researcher Fernando Mercês in an advisory. “Users cannot trust the outputs of system commands like ps, ls, top, and pstree (among others).”

Umbreon acts as a library that imitates glibc, Linux’s C library, meaning that only tools that don’t use glibc can detect it, Mercês said.
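The detection idea in the paragraph above (compare what a glibc-using command reports with what the kernel actually returns) can be shown in a few lines of Go. This is an added example, not one of Trend Micro's tools and not part of the original article. Go's os package issues the getdents64 system call itself rather than calling glibc's readdir(), so a binary built with CGO_ENABLED=0 gets an unhooked view of the file system, while ls(1) is dynamically linked against glibc and is exactly the kind of program such a rootkit intercepts. The check of /etc/ld.so.preload is an assumption based on how library-preload rootkits are commonly injected, not something the article states about Umbreon.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// ListViaSyscalls lists dir through Go's os package, which talks to the
// kernel directly (getdents64) and never goes through glibc.
func ListViaSyscalls(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	sort.Strings(names)
	return names, nil
}

// ListViaLs lists dir with the system's ls(1), a glibc-linked program whose
// readdir() calls a preload-style rootkit can filter.
func ListViaLs(dir string) ([]string, error) {
	out, err := exec.Command("ls", "-A", "-1", dir).Output()
	if err != nil {
		return nil, err
	}
	var names []string
	for _, line := range strings.Split(string(out), "\n") {
		if line != "" {
			names = append(names, line)
		}
	}
	sort.Strings(names)
	return names, nil
}

// Discrepancies returns every name in trusted that untrusted failed to
// report, preserving the order of trusted.
func Discrepancies(trusted, untrusted []string) []string {
	seen := make(map[string]bool, len(untrusted))
	for _, n := range untrusted {
		seen[n] = true
	}
	var hidden []string
	for _, n := range trusted {
		if !seen[n] {
			hidden = append(hidden, n)
		}
	}
	return hidden
}

// HiddenFromLs cross-checks one directory; a non-empty result means ls is
// omitting entries the kernel reports, which on a clean system never happens.
func HiddenFromLs(dir string) ([]string, error) {
	trusted, err := ListViaSyscalls(dir)
	if err != nil {
		return nil, err
	}
	untrusted, err := ListViaLs(dir)
	if err != nil {
		return nil, err
	}
	return Discrepancies(trusted, untrusted), nil
}

// PreloadEntries returns the libraries named in a ld.so.preload-style file.
// Assumption: /etc/ld.so.preload is the usual injection point for this class
// of rootkit; a missing or empty file is the normal state.
func PreloadEntries(path string) ([]string, error) {
	data, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	var libs []string
	for _, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if line != "" && !strings.HasPrefix(line, "#") {
			libs = append(libs, line)
		}
	}
	return libs, nil
}

func main() {
	// Usage: go build with CGO_ENABLED=0, then run with directories to check.
	for _, dir := range os.Args[1:] {
		hidden, err := HiddenFromLs(dir)
		if err != nil {
			fmt.Fprintln(os.Stderr, dir, err)
			continue
		}
		fmt.Printf("%s: %d entries hidden from ls %v\n", dir, len(hidden), hidden)
	}
	if libs, _ := PreloadEntries("/etc/ld.so.preload"); len(libs) > 0 {
		fmt.Println("preloaded libraries configured:", libs)
	}
}
```

Build it with `CGO_ENABLED=0 go build` so the binary itself is static and cannot be affected by a preload entry; run it from a trusted medium, and treat any name it reports as hidden, or any unexpected library in the preload file, as something to investigate rather than something to delete in place, given the removal caveats in the article.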

The rootkit installs a user account which it keeps invisible and which can be accessed by the attacker to pass commands to the system.

The backdoor component that listens for the attacker’s commands is called Espeon, after a Pokemon character with pronounced ears, Trend said.

The firm noted Umbreon is very portable, running on x86, x86-64 and ARM chips such as those that power the Raspberry Pi, because it is written in pure C and does not rely on platform-specific code.

Hard to remove

Mercês said Trend has created two tools that can help detect Umbreon, as well as instructions on removing it.

He said because the rootkit operates only at the user level, and doesn’t install root-level components, it is possible to remove it, but doing so may nevertheless be difficult.

“It may be tricky and inexperienced users may break the system and put it into an unrecoverable state,” he wrote.

The popularity of the recent Pokemon GO mobile game has led to the distribution of hundreds of malicious apps that imitate the appearance of the game in order to take over devices.


Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
