Obtained the following from a Trends Micro blog
How to detect Umbreon
Most of the tools you will find in Linux are written in C. Even programs written in Perl, Python, Ruby, PHP and other scripting languages end up calling GNU C Library wrappers as their interpreters are also written in C. Because Umbreon library hooks glibc functions, creating a reliable tool to detect Umbreon would require a tool that doesn’t use glibc.
One way is to develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly. This bypasses any malicious C library installed by Umbreon. If the output contains one or more files with names starting with libc.so followed by a random integer, this is the red flag that suggests Umbreon is installed in the machine.
We have also created YARA rules that detect Umbreon, which can be downloaded here.
Umbreon is a ring 3 (user level) rootkit, so it is possible to remove it. However, it may be tricky and inexperienced users may break the system and put it into an unrecoverable state. If you are brave enough to proceed, the easiest way is to boot the affected machine with Linux LiveCD and follow the steps:
Mount the partition where the /usr directory is located; write privileges are required.
Backup all the files before making any changes.
Remove the file /etc/ld.so.<random>.
Remove the directory /usr/lib/libc.so.<random>.
Restore the attributes of the files /usr/share/libc.so.<random>.<arch>.*.so and remove them as well.
Patch the loader library to use /etc/ld.so.preload again.
Umount the partition and reboot the system normally.
Full blog page’s here