It’s about time Pokemon is in the news again – this time, however, the plan is to collect all your data before you can find it.

A warning was just issued by Trend Micro concerning a new rootkit application targeted at Linux devices. It is named Umbreon which is a reference Pokemon players will get being that Umbreon is a creature that hides in the darkness in the Pokemon world.

Just like it’s namesake, Umbreon stays in the shadows. It creates a hidden user account after its first installation with which an attacker can gain access to a device via SSH.

This shady rootkit has been designed to attack a wide range of devices, having the ability to infiltrate Linux systems on x86, x86-64 and ARM architectures. It even goes as far as being able to be installed on embedded systems e.g. routers.

In a bulletin, Trend Micro warns that Umbreon is a ring 3 rootkit, defining ring3 as follows:

A ring 3 rootkit (or usermode rootkit) does not install kernel objects onto the system, but hooks functions from core libraries that are used by programs as interfaces to system calls that run important operations in a system such as reading/writing files, spawning processes, or sending packets over the network. It is perfectly possible to spy on and change the way things are done within an operating system, even from user mode.

Here, Umbreon masquerades itself as the glibc (GNU C Library), rewriting the loader library in order to certify that the rootkit libraries are accessed on every program call to the libraries in libc.

Umbreon  has been making waves on cybercriminal sites after being in development since 2015, although, its creator has been active since 2013.

According to Trend Micro, Umbreon rootkit has to be installed manually before any interaction with it to take control of a host device can be effected.

They added that inexperienced users might damage their devices if they try to remove it but it is possible to remove it.

Frequent patches that come to Linux desktops should keep them safe but loads of embedded systems are vulnerable to this rootkit – so be careful with how you used internet-linked devices.

We think this is a symptom that goes a long way to prove that as Linux becomes more popular rootkits like this are inevitable. Or maybe threats like this would have become a thing anyway. Drop your views in the comments below.

About The Author
Martins Okoi
Computer Science enthusiasts with a passion for learning new things. In my spare time, I listen to music, read like a compiler, and learn like an A.I algorithm.

Leave a Response