Security researchers from Trend Micro obtained samples and performed a detailed analysis of the new Umbreon Linux rootkit that targets x86 and ARM computers.

Umbreon Is Efficient Against a Variety of Devices

The Umbreon rootkit is a fairy new malware that has been developed for Linux systems built on the x86 and ARM architectures. This makes embedded devices vulnerable as well, many Internet of Things (IoT) appliances are also affected. The development of the rootkit began in early 2015 however the detailed analysis has been published now.

The malware is installed manually on the victim devices or by the attackers themselves. It allows the criminals full remote control of the infected hosts.



Umbreon is classified as user-mode rootkit. This makes it a persistent threat that has stealth features, making it hard to detect by security software. The main purpose of the malware is to hide from users, forensic and system tools and system administrators. Such sophisticated rootkits have the ability to open backdoors and communicate with remote C&C servers. The data transfer may include instructions for executing commands or sensitive information uploads.

Umbreon can hook functions from main libraries that are used by applications to run important operations such as writing or reading files. The rootkit can potentially spy on the victim machine without obstruction. The extracted samples were demonstrated to run on x86, x86-64 and ARM architectures.

The actual code of the malware is written in C making it very portable and easy to port to other systems and architectures. Upon infection, the rootkit creates a valid Linux user that the criminals can utilize when using the backdoor. Access is made using the standard authentication methods such as PAM modules and the SSH protocol.

The crafted user has a special GID (group ID) that Umbreon checks when the attacker performs a login. The user cannot see the user entry in /etc/passwd as the libc function is hooked by the rookit.

The backdoor component itself is named Espeon, and it can capture all TCP traffic that reaches the main Ethernet interface of the victim system. When it receives a crafted packet by the criminal, it connects to the source IP. Three specific values have been identified: sequence number, Acknowledgment number, and IP identification.

Umbreon disguises itself from system administrators and tools by manipulating environment variables, hooking up to libcap functions and imitation of the glibc library.

How To Remove the Umbreon Linux Rootkit

It is possible to attempt removal of Umbreon as it is a user-mode malware. Boot the system using a Live CD and follow these instructions:

Mount the partition where the /usr directory is located; write privileges are required. Backup all the files before making any changes. Remove the file /etc/ld.so. . Remove the directory /usr/lib/libc.so. . Restore the attributes of the files /usr/share/libc.so. . .*.so and remove them as well. Patch the loader library to use /etc/ld.so.preload again.

Note that the file names vary as Umbreon generates them randomly. If you want to get acquainted with the detailed analysis, check Trend Micro’s blog post.