Pokémon-loving VXer targets Linux with 'Umbreon' rootkit

A Pokémon fan has brewed up a stealthy rootkit targeting Linux. Trend Micro senior threat researcher Fernando Mercês says the ring three rootkit, named by its authors after the nocturnal Pokémon character Umbreon, can run on x86, x86-64 and Raspberry Pi, is difficult to detect, and highly portable. "Its main purpose is to …

  1. David Austin

    Gotta Catch 'Em All!

    Hand me my Master Ball - this looks like a tricky blighter to catch.

  2. Chemist

    More info

    From Softpedia :

    "The good news is that Umbreon's installation is not automated, and attackers need to break into a system first, and then manually install the rootkit on the hacked device."

    http://news.softpedia.com/news/pokemon-themed-umbreon-rootkit-targets-linux-x86-and-arm-platforms-507970.shtml


  3. HAL-9000

    Click bait

    Ohhhh Nooohhhh, I've been had again. Potentially earth-shatteringly important, neh, must-read article turns into damp squib when you fully realise the non-story it is. Ring 3? Really? What does it do, mess with your twatter settings? Does anyone care to estimate how many root kits are floating around torrent space in the pirate sphere, obviously engineered for a different OS but automagically installed with the dodgy left-handed movie it's packaged with ;)

  4. CAPS LOCK Silver badge

    So, let me get this straight, once a Linux server is hacked, it can have this installed?

    Is that it?

    1. asdf Silver badge

      Re: So, let me get this straight, once a Linux server is hacked, it can have this installed?

      Cue rkhunter detection support in 3-2-1

  5. Pascal Monett Silver badge
    FAIL

    "Umbreon is manually installed onto an affected device or server by the attacker."

    Having just started getting acquainted with Mint, I was very interested in this report.

    I stopped reading at that sentence.

    Physical access, etc etc, we all know the drill.

    1. asdf Silver badge

      Re: "Umbreon is manually installed onto an affected device or server by the attacker."

      >Physical access, etc etc, we all know the drill.

      Well considering how many people don't disable WPS (or can't in a lot of factory firmware) on their routers just being in the same area or neighbourhood carries dangers. Granted still a lot better than attacked worldwide from the internet though.

      1. bombastic bob Silver badge
        Devil

        Re: "Umbreon is manually installed onto an affected device or server by the attacker."

        here's a scenario that's likely:

        a) an RPi user doesn't change the default pi:pi user:pass after installing Raspbian. keep in mind, ssh is enabled AND sudo works on ALL commands

        b) the RPi is configured for IPv6, meaning its IPv6 address is NOW! PUBLICLY! VISIBLE! TO! ANYONE! WHO! CAN! GET! IT!! (that includes ssh, pretty sure, but I'd have to double-check sshd_config to make sure it's listening)

        c) because the PW wasn't changed, a click-bait web site COULD detect an RPi accessing it, and back-crack the system nearly instantaneously, and install this thing.

        SOLUTION:

        a) immediately change pi:pi to something else (or disable the 'pi' login entirely)

        b) disable ssh access via IPv6 unless you REALLY REALLY need it

        c) configure your firewall and sshd and sudo settings properly

        d) require su to root [with a cryptic password] for MOST things, i.e. stop using the 'sudoers' group and being lazy about it.

        RPi works well as a headless system so you probably don't want to disable ssh, but you want to make sure it's SECURE shell, not "pseudo-secure shell with a brain-damaged insecure config".
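A way to check a Raspberry Pi image against the SOLUTION list above, as an added example that is not part of the comment or of the article: a POSIX shell audit that reads an sshd_config, a sudoers fragment and a shadow file and reports a finding for each point that is still at its default. It runs here against constructed sample files in a temp directory rather than the live `/etc` paths; the file contents, the assumption that sshd honours only the first occurrence of a keyword outside `Match` blocks (which this helper does not parse), and the shape of the Raspbian `NOPASSWD: ALL` rule are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the article or the commenter): audit the hardening
# points from the comment above against constructed sample files.

# Print the effective value of an sshd_config keyword. sshd takes the first
# occurrence and keywords are case-insensitive; Match blocks are not handled.
sshd_get() {
    cfg="$1"
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key        { print $2; exit }
    ' "$cfg"
}

# 0 if sshd is restricted to IPv4 (AddressFamily inet), 1 otherwise.
sshd_ipv6_off() { [ "$(sshd_get "$1" AddressFamily)" = "inet" ]; }

# 0 if password logins over SSH are disabled, 1 otherwise.
sshd_passwords_off() { [ "$(sshd_get "$1" PasswordAuthentication)" = "no" ]; }

# Number of uncommented sudoers rules granting NOPASSWD for ALL commands
# (assumed Raspbian default for the pi user: "pi ALL=(ALL) NOPASSWD: ALL").
sudo_nopasswd_all_count() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Ec 'NOPASSWD:[[:space:]]*ALL' || true
}

# 0 if the named account is locked in a shadow file (hash field starts with ! or *).
account_locked() {
    hash=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$hash" in
        '!'*|'*'*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run all checks: one WARN line per finding on stderr, finding count on stdout.
audit_pi_host() {
    sshd_cfg="$1"; sudoers="$2"; shadow="$3"; n=0
    sshd_ipv6_off "$sshd_cfg"      || { echo "WARN: sshd not restricted to IPv4 (AddressFamily inet)" >&2; n=$((n+1)); }
    sshd_passwords_off "$sshd_cfg" || { echo "WARN: sshd still accepts password logins" >&2; n=$((n+1)); }
    c=$(sudo_nopasswd_all_count "$sudoers")
    [ "$c" -eq 0 ]                 || { echo "WARN: $c sudoers rule(s) grant NOPASSWD for ALL commands" >&2; n=$((n+1)); }
    account_locked "$shadow" pi    || { echo "WARN: default 'pi' account is not locked" >&2; n=$((n+1)); }
    echo "$n"
}

# Constructed sample inputs: a stock-looking image and a hardened one.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config.default" <<'EOF'
# default-style config: no AddressFamily line, passwords allowed
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
AddressFamily inet
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/sudoers.default" <<'EOF'
# assumed Raspbian-style passwordless sudo for the default user
pi ALL=(ALL) NOPASSWD: ALL
EOF
cat > "$SAMPLE_DIR/sudoers.hardened" <<'EOF'
# no NOPASSWD rules: pi must enter its password (or su to root)
pi ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/shadow.default" <<'EOF'
root:*:17000:0:99999:7:::
pi:$6$constructedsalt$notarealhash:17000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/shadow.hardened" <<'EOF'
root:*:17000:0:99999:7:::
pi:!:17000:0:99999:7:::
EOF

echo "default image findings:  $(audit_pi_host "$SAMPLE_DIR/sshd_config.default"  "$SAMPLE_DIR/sudoers.default"  "$SAMPLE_DIR/shadow.default")"
echo "hardened image findings: $(audit_pi_host "$SAMPLE_DIR/sshd_config.hardened" "$SAMPLE_DIR/sudoers.hardened" "$SAMPLE_DIR/shadow.hardened")"
```

On a real host you would point `audit_pi_host` at `/etc/ssh/sshd_config`, the relevant file under `/etc/sudoers.d/` and `/etc/shadow` (the last needs root to read). The default sample trips all four checks; the hardened one trips none.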

  6. James Hughes 1

    You would be surprised at the number of people using RPis who expose them to the net and leave the default username and password....

    On the other hand, it's easy to reimage an SD card once infected.

    1. bombastic bob Silver badge

      "You would be surprised at the number of people using RPis who expose them to the net and leave the default username and password...."

      not really. Your typical 'maker' types are more interested in building cool electronics and making their pi do a dance or flash LEDs and basically know _nothing_ about IT/ security.

      At least they're not using Win-10-nic and/or ".Not" on some overpriced intel solution...

      (then again, a rumor has it that Win-10-nic has a version for RPi. now I need 'pink liquid' for the nausea that this mental image just caused)

      rumor... read: "yes I saw an El Reg article about it, but I'm trying to forget it exists"

  7. Lord_Beavis
    FAIL

    *YAWN*

    MS Fanbois will latch on to any scrap of disparage they can.


Biting the hand that feeds IT © 1998–2019