Umbreon - anyone know anything about it?


(Peter Wulfing) #1

This rather disturbing article appeared yesterday. http://www.csoonline.com/article/3116811/security/stealthy-tricky-to-remove-rootkit-targets-linux-systems-on-arm-and-x86.html?nsdr=true

TL;DR— The article describes a new Linux rootkit which runs in usermode. This implies that it modifies standard calls to hide its files from a user running on itself. But, can it be detected by scanning the files from the “high ground” of a protected OS? IOW, could one boot the machine to a flash drive and use this known clean OS to detect the files it modifies? Which files would be affected? Anyone know about this?


(Edwin Eekelaers) #2

@NeoTX

Obtained the following from a Trend Micro blog

How to detect Umbreon

Most of the tools you will find in Linux are written in C. Even programs written in Perl, Python, Ruby, PHP and other scripting languages end up calling GNU C Library wrappers, as their interpreters are also written in C. Because the Umbreon library hooks glibc functions, creating a reliable tool to detect Umbreon would require a tool that doesn’t use glibc.

One way is to develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly. This bypasses any malicious C library installed by Umbreon. If the output contains one or more files with names starting with libc.so followed by a random integer, this is the red flag that suggests Umbreon is installed on the machine.

We have also created YARA rules that detect Umbreon, which can be downloaded here.

Removal Instructions

Umbreon is a ring 3 (user level) rootkit, so it is possible to remove it. However, it may be tricky, and inexperienced users may break the system and put it into an unrecoverable state. If you are brave enough to proceed, the easiest way is to boot the affected machine with a Linux LiveCD and follow the steps:

Mount the partition where the /usr directory is located; write privileges are required.
Backup all the files before making any changes.
Remove the file /etc/ld.so.<random>.
Remove the directory /usr/lib/libc.so.<random>.
Restore the attributes of the files /usr/share/libc.so.<random>.<arch>.*.so and remove them as well.
Patch the loader library to use /etc/ld.so.preload again.
Unmount the partition and reboot the system normally.

Full blog page is here


(Edwin Eekelaers) #3

Other sites say you can remove it with a Linux Live CD and a set of Yara rules. Now I have nil experience with Linux, so you are on your own to find information about that.

The site to read about Yara Rules is here