Pokémon-loving VXer targets Linux with 'Umbreon' rootkit

A Pokemon fan has brewed up a stealthy rootkit targeting Linux.

Trend Micro senior threat researcher Fernando Mercês says the ring three rootkit, named by its authors after the nocturnal Pokemon character Umbreon, can run on x86, x86-64 and Raspberry Pi, is difficult to detect, and highly portable.

"Its main purpose is to keep itself and other malware threats stealthed and totally hidden from administrators, analysts, users, scanning, forensic, and system tools," Mercês says.

"They may also open a backdoor and use a command and control server and provide an attacker ways to control and spy on the affected machine."

Mercês says Umbreon opens a Linux user serving as a non-promiscuous libpcap-based backdoor, named after the Espeon Pokemon, which spawns a shell on hacked boxes when attackers connect.

The module connects to attacker's machine functioning as a reverse shell to bypass firewalls.

Mercês has written a technical analysis on the rootkit, which he received from an unnamed partner. He says infected users can remove the rootkit using a Linux Live CD and detect it using a set of YARA rules. ®