
Tag: Rootkit

‘GhostHook’ Foils Windows 10 64-bit’s Kernel Protection

Microsoft says an attacker needs kernel-level access before they can use the 'GhostHook' technique to install a rootkit.

Merriam Webster updates tech word list—and you will believe which ones...

Includes "net neutrality" and "EpiPen"; still on the sidelines about how to say "GIF."

Threat Attribution: Misunderstood & Abused

Despite its many pitfalls, threat attribution remains an important part of any incident response plan. Here's why.

Threat attribution is the process of identifying the actors behind an attack, their sponsors, and their motivations. It typically involves forensic analysis to find evidence, also known as indicators of compromise (IOCs), and to derive intelligence from it. Obviously, a lack of evidence, or too little of it, makes attribution much more difficult, even speculative.

But the opposite is just as true, and one should not assume that an abundance of IOCs will translate into an easy path to attribution. Let’s take a simple fictional example to illustrate: François is the chief information security officer (CISO) at a large US electric company that has just suffered a breach.

François' IT department has found a rootkit on a server which, on careful examination, turns out to have been compiled on a system configured with a Chinese (pinyin) input locale. In addition, the intrusion detection system (IDS) logs show that the attacker may have been using an IP address located in China to exfiltrate data.

The egress communications show connections to a server in Hong Kong that took place over a weekend with several archives containing blueprints for a new billion-dollar project getting leaked. The logical conclusion might be that François’ company was compromised by Chinese hackers stealing industrial secrets.

After all, strong evidence points in that direction and the motive makes perfect sense, given the many documented precedents. This is one of the problems with attribution: evidence can be crafted so that it points to a likely attacker, in order to hide the real perpetrator's identity.

To continue with our example, the attacker was in fact another US company and direct competitor. The rootkit was bought on an underground forum, and the server used to exfiltrate data was vulnerable to SQL injection and had been taken over by the actual threat actor as a relay point.

Another common problem leading to erroneous attribution is when the wrong IOCs have been collected, or when they come with little context. How can leaders make a sound decision with flawed or limited information? Failing to attribute a threat to the right adversary can have moderate to serious consequences.

Chasing down the wrong perpetrator can result in wasted resources, not to mention being blinded to the more pressing danger. But threat attribution is also a geopolitical tool, where flawed IOCs can come in handy to justify assumptions and supply an acceptable motive for economic sanctions. Alternatively, it can be just as convenient to dismiss strong IOCs and a clear threat actor under the pretext that attribution is a useless exercise.

Despite its numerous pitfalls, threat attribution remains an important part of any incident response plan.

The famous "know your enemy" quote from the ancient Chinese general Sun Tzu is often cited in computer security to illustrate that defending against the unknown is challenging. IOCs can help bridge that gap by telling us whether the attackers are merely opportunistic or are the ones you did not expect.

Find Out If Your Google Account Has Been Hacked

The Gooligan malware campaign targeting Android devices has compromised more than a million Google accounts, and the number is growing by 13,000 a day.
It affects devices running Android 4 (Jelly Bean, KitKat) and Android 5 (Lollipop), according to Check Point. G...

1 million Google accounts compromised by Android malware called Gooligan

Researchers say they've uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users. Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google's Android operating system.

Together, the vulnerable versions account for about 74 percent of users. The rooted devices then download and install software that steals the authentication tokens that allow the phones to access the owner's Google-related accounts without having to enter a password.

The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
In a blog post published Wednesday morning, Check Point researchers wrote: The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device. Our research team has found infected apps on third-party app stores, but they could also be downloaded by Android users directly by tapping malicious links in phishing attack messages.

After an infected app is installed, it sends data about the device to the campaign’s Command and Control (C&C) server. Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153).

These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user.
If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely. After achieving root access, Gooligan downloads a new, malicious module from the C&C server and installs it on the infected device.

This module injects code into running Google Play or GMS (Google Mobile Services) to mimic user behavior so Gooligan can avoid detection, a technique first seen with the mobile malware HummingBad.

The module allows Gooligan to:
- steal a user's Google email account and authentication token information;
- install apps from Google Play and rate them to raise their reputation;
- install adware to generate revenue.

Ad servers, which don't know whether an app using their service is malicious or not, send Gooligan the names of the apps to download from Google Play.

After an app is installed, the ad service pays the attacker.

Then the malware leaves a positive review and a high rating on Google Play using content it receives from the C&C server.

Update: In a separate blog post also published Wednesday morning, Android security engineer Adrian Ludwig said he and other Google officials have worked closely with Check Point over the past few weeks to investigate Gooligan and to protect users against the threat it poses. He said there's no evidence that data was accessed from compromised accounts or that individual users were targeted. He also said Google has been using a service called Verify Apps to scan individual handsets for signs of Gooligan and other Ghost Push apps. When detected, device owners receive a warning and installations are halted. "We’ve taken many actions to protect our users and improve the security of the Android ecosystem overall," Ludwig wrote. "These include: revoking affected users’ Google Account tokens, providing them with clear instructions to sign back in securely, removing apps related to this issue from affected devices, deploying enduring Verify Apps improvements to protect users from these apps in the future and collaborating with ISPs to eliminate this malware altogether."

Gooligan is an aggressive variant of Ghost Push, a piece of Android malware that came to light in September 2015.

There's no indication that any of the fraudulent apps containing the new Gooligan code have ever been available in the official Google Play Market.

About 57 percent of devices infected by Gooligan are located in Asia, about 19 percent are in the Americas, about 15 percent are in Africa, and about 9 percent are in Europe. Android users who have downloaded apps from third-party markets can visit the Check Point blog post for a list of the 86 apps known to contain Gooligan.

Alternatively, users can visit this link to see if the Google account associated with their device has been compromised.
Infected phones can only be disinfected by reflashing them with a clean installation of Android. Passwords for the associated Google account should be changed immediately afterward. Post updated to reflect a change Check Point made to geographical infection figures.

Powerful backdoor/rootkit found preinstalled on 3 million Android phones

Almost three million Android phones, many of them used by people in the US, are vulnerable to code-execution attacks that remotely seize full control of the devices, researchers said Thursday. Until recently, the flaw could have been exploited by anyone who took the time to obtain two Internet domains that remained unregistered despite being hardwired into the firmware that introduced the vulnerability. After discovering the vulnerability, researchers from security ratings firm BitSight Technologies registered the addresses and control them to this day.

Even now, the failure of the buggy firmware to encrypt communications sent to a server located in China makes code-execution attacks possible whenever phones connect to public hotspots and other unsecured networks without virtual private networking software. Since BitSight and its subsidiary Anubis Networks took possession of the two preconfigured domains, more than 2.8 million devices have attempted to connect in search of software that can be executed with unfettered "root" privileges, the researchers said. Had malicious parties obtained the addresses before BitSight did, they could have installed keyloggers, bugging software, and other malware that completely bypassed the security protections built into the Android operating system.

The almost three million devices remain vulnerable to man-in-the-middle attacks because the firmware, developed by a Chinese company called Ragentek Group, neither encrypts the communications sent to and received from the phones nor relies on code signing to authenticate legitimate apps. Based on the IP addresses of the connecting devices, vulnerable phones hail from locations all over the world, with the US the No. 1 affected country.

"The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update," BitSight CTO Stephen Boyer told Ars.
"This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything."

Kind of BLU

In a blog post published Thursday, BitSight researchers said they went to a Best Buy store, purchased a BLU Studio G phone, and were able to perform an attack that exploited the backdoor. As a result, they were able to install a file they named system_rw_test in /data/system/, a location reserved for apps with all-powerful system privileges. The researchers provided a screenshot of the result (image: BitSight Technologies).

By observing the data phones sent when connecting to the two previously unregistered domains, BitSight researchers have cataloged 55 known device models that are affected. The most affected manufacturer is US-based BLU Products, which accounted for about 26 percent, followed by multinational Infinix with 11 percent, Doogee with almost 8 percent, and Leagoo and Xolo with about 4 percent each. Slightly more than 47 percent of the phones that connected to the BitSight sinkhole gave no indication of their manufacturer. A list of specific models can be found in the advisory from the Department of Homeland Security-sponsored CERT. (A chart of the breakdown by manufacturer accompanied the post; image: BitSight Technologies.)

The IP addresses of the connecting devices were based in countries all over the world, with the US the top one, BitSight researchers told Ars. Given the large number of connecting devices with unknown manufacturers, the list of affected devices is sure to grow in the coming weeks.

People who are technically inclined can check whether a phone is vulnerable by monitoring its network traffic and looking for outgoing connections to the following domains, which are hardwired into the Ragentek firmware:

oyag[.]lhzbdvm[.]com
oyag[.]prugskh[.]net
oyag[.]prugskh[.]com

People who are concerned their phone may run the firmware can also contact the manufacturer.
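One way to do that check on the network side, as an added example that is not BitSight's code or part of the CERT advisory: the three beacon domains above, kept defanged in the source, are matched as whole hostname tokens against resolver log lines. The sample log is constructed here in dnsmasq query-log format; the token-boundary rule is what stops a look-alike such as "notoyag.prugskh.com.example" from counting as a hit, and matching is case-insensitive because resolvers preserve whatever case the client sent.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The three beacon domains hardwired into the Ragentek firmware, stored
   defanged ("[.]") so the source cannot be auto-linked or resolved by mistake. */
static const char *RAGENTEK_DOMAINS_DEFANGED[] = {
    "oyag[.]lhzbdvm[.]com",
    "oyag[.]prugskh[.]net",
    "oyag[.]prugskh[.]com",
};
#define N_RAGENTEK (sizeof RAGENTEK_DOMAINS_DEFANGED / sizeof RAGENTEK_DOMAINS_DEFANGED[0])

/* Refang "a[.]b[.]c" into lowercase "a.b.c". out needs strlen(in)+1 bytes. */
void refang(const char *in, char *out)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '[' && in[i + 1] == '.' && in[i + 2] == ']') {
            out[o++] = '.';
            i += 2;
        } else {
            out[o++] = (char)tolower((unsigned char)in[i]);
        }
    }
    out[o] = '\0';
}

static int is_host_char(int c)
{
    return isalnum(c) || c == '-' || c == '.';
}

/* True if dom (lowercase) occurs in line as a whole hostname token: not preceded
   by a hostname character and followed by end of token (a trailing dot, as in
   FQDN-style logs, is accepted). Substring hits such as
   "notoyag.prugskh.com.example" are rejected. Matching is case-insensitive. */
int has_domain_token(const char *line, const char *dom)
{
    size_t n = strlen(dom);
    for (const char *p = line; *p != '\0'; p++) {
        if (p != line && is_host_char((unsigned char)p[-1]))
            continue;                      /* mid-token position, skip */
        size_t k = 0;
        while (k < n && p[k] != '\0' &&
               tolower((unsigned char)p[k]) == (unsigned char)dom[k])
            k++;
        if (k < n)
            continue;
        const char *after = p + n;
        if (*after == '.' && !is_host_char((unsigned char)after[1]))
            return 1;
        if (!is_host_char((unsigned char)*after))
            return 1;
    }
    return 0;
}

/* Count newline-separated log lines (resolver, proxy or flow logs) that
   reference any Ragentek beacon domain. Returns the number of matching lines. */
int count_ragentek_beacons(const char *log)
{
    char domains[N_RAGENTEK][64];
    for (size_t i = 0; i < N_RAGENTEK; i++)
        refang(RAGENTEK_DOMAINS_DEFANGED[i], domains[i]);

    int hits = 0;
    const char *line = log;
    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t full = end ? (size_t)(end - line) : strlen(line);
        size_t len = full < 511 ? full : 511;  /* over-long lines are truncated for matching */
        char buf[512];
        memcpy(buf, line, len);
        buf[len] = '\0';
        for (size_t i = 0; i < N_RAGENTEK; i++) {
            if (has_domain_token(buf, domains[i])) {
                hits++;
                break;                     /* one hit per line is enough */
            }
        }
        line = end ? end + 1 : line + full;
    }
    return hits;
}

/* Constructed sample in dnsmasq query-log format (not real captured traffic):
   two genuine beacons (one upper-cased) and one look-alike that must not match. */
const char SAMPLE_DNS_LOG[] =
    "Nov 17 09:12:01 gw dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.23\n"
    "Nov 17 09:12:04 gw dnsmasq[812]: query[A] oyag.lhzbdvm.com from 192.168.1.23\n"
    "Nov 17 09:12:04 gw dnsmasq[812]: query[A] OYAG.PRUGSKH.NET from 192.168.1.23\n"
    "Nov 17 09:12:09 gw dnsmasq[812]: query[A] play.googleapis.com from 192.168.1.23\n"
    "Nov 17 09:12:15 gw dnsmasq[812]: query[A] notoyag.prugskh.com.example from 192.168.1.40\n";

int main(void)
{
    printf("%d line(s) reference Ragentek beacon domains\n",
           count_ragentek_beacons(SAMPLE_DNS_LOG));
    return 0;
}
```

To run it over a real resolver log, read the file into a buffer and hand it to count_ragentek_beacons; any hit identifies the source address on that line as a handset worth pulling off the network. The scan is purely passive, so it works on a home router's dnsmasq log or a corporate resolver export without touching the phone.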
So far, according to both BitSight and the CERT advisory, only BLU Products has released an update that addresses the vulnerability. It's not clear whether it will be installed automatically or whether users must apply it manually, and BitSight researchers have not yet tested the patch to evaluate its effectiveness. BLU Products representatives didn't respond to a message seeking comment for this post. Affected or potentially affected users who don't have an update can also protect themselves by connecting only to networks they trust, or by using VPN software when connecting to hotspots and other unsecured Wi-Fi networks.

Rootkit functionality

Little is known about the Ragentek firmware. BitSight researchers said code in the firmware goes out of its way to conceal the presence of the underlying binary. For example, it deliberately keeps itself out of the process list returned by the Linux ps command. "In this case, the developer added an exception when iterating over the system processes to explicitly skip over the affected binary (“debugs”), and thus not display it in the returned results," BitSight researcher Dan Dahlberg told Ars. "In other words, the programs were modified to pretend this binary did not exist." Dahlberg said the Ragentek firmware takes similar steps to evade the top command.

Despite the suspicious behavior, BitSight researchers suspect the firmware is designed to deliver legitimate over-the-air updates to phones, and they believe the backdoor capabilities were unintentional. Attempts to reach Ragentek and other manufacturers weren't successful. The disclosure from BitSight is the second time this week researchers have warned of Android phones coming preinstalled with what amounts to a backdoor.
On Tuesday, researchers from security firm Kryptowire reported that hundreds of thousands of handsets sent massive amounts of personal data about the phones and their users’ activities to servers operated by China-based Shanghai AdUps Technologies, the maker of another piece of malware. Taken together, the disclosures underscore a troubling lack of testing by the affected manufacturers and the blind trust consumers place in devices that are becoming increasingly central to their lives.

VU#624539: Ragentek Android OTA update mechanism vulnerable to MITM attack

Ragentek Android software contains an over-the-air update mechanism that communicates over an unencrypted channel, which can allow a remote attacker to execute arbitrary code with root privileges.

Loop of Confidence

With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become.

A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments.
In our opinion, however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail:
- the magnetic strip can be read using skimmers; modern skimmers are advanced and very inconspicuous;
- to read EMV chips, dedicated skimmers have been designed that are planted inside payment terminals;
- wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks.

However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone's built-in NFC antenna.

The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment.

Bank clients, in turn, don't have to take out their wallets when making a payment, and don't even have to carry their bank cards around with them. The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks:
- the payment terminal had to support wireless payments;
- the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers;
- if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system, where it could be attacked by malware with root privileges on the device. This never went beyond a few proof-of-concept attacks, however, because there are plenty of easier ways of attacking mobile banking systems;
- the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using a secure element in the cloud. This made smartphone-assisted payments unavailable in locations with unstable mobile services;
- the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated.

As a result, for many large banks, as well as users, paying with the help of card emulation on a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies.

The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens.

A token is a unique substitute identifier that stands in for the card, so the real card details are never sent to the payment terminal.

This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal. Several years ago, a startup project called LoopPay attempted to address this problem.

The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case.

Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device.
It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and in protection against using the details of other people's bank cards (the user's identity was checked against the cardholder data held in the card's Track 1). Later on, Samsung became interested in LoopPay and acquired the startup.

After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments.

As a result, regular users can use their smartphones to make payments at payment terminals that support the new wireless payment technologies, and can use MST at any other terminal simply by holding the device next to the magnetic strip reader. We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks:
- a secure element is used to reliably store data;
- activating payment mode on the phone requires the user to enter a PIN code or use a fingerprint;
- on Samsung devices, the KNOX security solution and a basic antivirus are pre-installed; these block payment features when malware lands on the device;
- KNOX Tamper Switch, an object of hate among forum-based "experts", protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware mechanism that irreversibly blocks the device's business and payment features during any privilege escalation attack;
- payment functionality is only available on new devices for which security updates are available and on which vulnerabilities are quickly patched;
- on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed.

This provides extended protection from viruses and other mobile threats. It should be noted that, when making payments, Samsung Pay uses a virtual card whose number is not available to the user, rather than the actual bank card tied to the user's account.

This method of payment works just fine when there is no Internet connection.

New old threats

There's no doubt that the new technology has become an object of interest for security researchers. Potential attacks on it do exist and were presented at the latest Black Hat USA conference.

These attacks may still only be potential threats, but we should still stay alert.

Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc.
In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses. Cybercriminals are also studying Apple's and Samsung's technologies.

To make things worse for Russian users, these technologies only arrive on the Russian market a year after they are launched in Western countries. (Image: cybercriminals discussing the prospects of exploiting Apple Pay in Russia.) At the same time, cybersecurity researchers tend to forget about conventional fraud, for which mobile vendors are completely unprepared as they enter a new sphere of business. Wireless payments have made card fraudsters' lives much easier, both in online trade and in regular stores.

They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter; now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone. Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store.
In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, 60 times the 0.1% fraud rate for bank cards. Samsung Pay also sacrificed some of LoopPay's useful anti-fraud features for usability after it purchased the startup, one being that accounts were rigidly tied to the cardholder's name.

For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible. To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology.

After all, no one likes to lose money, be it banks or their clients.

Definitely not another Stuxnet, researchers claim as they demo industrial control...

Undetectable ghost in the controller

Black Hat EU: Security researchers have come up with another way to hack programmable logic controllers (PLCs) at industrial plants. Ali Abbasi, a PhD student at the University of Twente, and Majid Hashemi, a research engineer at Quarkslab, have developed an attack that involves tweaking the pin configuration of the PLC's system-on-chip (SoC) in order to manipulate the physical process the PLC controls. "The attack is feasible due to lack of hardware interrupt on the PLC's SoC and intensified by PIN Control subsystem inability for hardware level Pin Configuration detection," the researchers explained.

During a presentation at the Black Hat EU conference last week, the duo showed how the approach could be used to interfere with the on/off control of an LED, keeping it permanently on while its associated controller thought it was blinking. Embedded controllers are used to control physical processes in power plants, factories and more, so compromised devices present a significant security risk. The researchers also demonstrated how to circumvent current host-based detection mechanisms by avoiding typical function hooking or modification of kernel data structures. Their talk was entitled Ghost in the PLC: Designing an Undetectable Programmable Logic Controller Rootkit.

The duo hope their work will help lay the foundations for more robust detection techniques specifically tailored to PLCs. Hashemi stated that the talk on rootkits and associated hacking techniques against industrial control systems was "not about developing another Stuxnet" (the presumed US-Israeli cyber-weapon that physically hobbled high-speed centrifuges at an Iranian uranium enrichment plant). For one, there are much easier ways to hack industrial control plants, according to Hashemi. "You see default passwords everywhere, even in critical systems," he said.

Gabriel Gonzalez, principal security consultant at IOActive and an expert in SCADA security who attended the talk, said attackers would need to have already secured control of a system in order to plant a rootkit and manipulate its operation in the way outlined by Abbasi and Hashemi.

Infected Android phones could flood America’s 911 with DDoS attacks

One killer trojanised app or $100k of hardware is enough.

A research trio has shown how thousands of malware-infected phones could launch automated distributed denial of service attacks to cripple the US emergency phone system "for days". The attacks are a new area of research and exploit the requirement that emergency call services accept all calls regardless of origin. The theoretical attack uses malware to mask a phone's International Mobile Subscriber Identity (IMSI), exposing only the International Mobile Equipment Identity (IMEI), which cloaks the origin of attacks and frustrates identification and blacklisting efforts.

Ben-Gurion University of the Negev researchers Mordechai Guri, Yisroel Mirsky, and Yuval Elovici say the malware could place calls without alerting users. They say in 911 DDoS: Threat, Analysis and Mitigation [PDF] that 6,000 infected smartphones in a local area would jam an emergency call system.

"The current United States Federal Communications Commission (FCC) regulations require that all emergency calls be immediately routed regardless of the caller's identifiers," the researchers say. "A rootkit placed within the baseband firmware of a mobile phone can mask and randomise all cellular identifiers, causing the device to have no genuine identification within the cellular network. Such anonymised phones can issue repeated emergency calls that cannot be blocked by the network or the emergency call centers, technically or legally."

Half of all mobile phone emergency callers would give up when an army of 6,000 infected phones was jamming 911 public safety answering points (PSAPs). This rises to 90 percent with 50,000 compromised handsets blasting the emergency line. A fleet of 200,000 infected handsets could jeopardise emergency services across the entire US.

The researchers used a discrete event simulator (DES) and a handful of Samsung phones to test their work, noting that malware residing in a phone's baseband would push the phone into a "no SIM" state, exposing only the IMEI number, which is hard to track. The team suggests the attacks can be prevented by storing IMSI numbers in a trusted memory region of the phone, as Android Pay does with its secrets, so that they cannot be altered. "We believe that the contributions of this paper will assist the respective organizations, lawmakers, and security professionals in understanding the scope of this issue and aid in the prevention of possible future attacks on the 911 emergency services," the authors conclude.

Stealthy, tricky-to-remove rootkit targets Linux systems on ARM and x86

Security researchers have identified a new family of Linux rootkits that, despite running from user mode, can be hard to detect and remove. Called Umbreon, after a Pokémon character that hides in the darkness, the rootkit has been in development since early 2015 and is now being sold on the underground markets.
It targets Linux-based systems on the x86, x86-64, and ARM architectures, including many embedded devices such as routers. According to malware researchers from antivirus firm Trend Micro, Umbreon is a so-called ring 3 rootkit, meaning that it runs from user mode and doesn't need kernel privileges.

Despite this apparent limitation, it is quite capable of hiding itself and persisting on the system. The rootkit uses a trick to hijack the standard C library (libc) functions without installing any kernel objects. Libc provides the wrappers around system calls that other Linux programs use for important operations like reading and writing files, spawning processes or sending network packets. Umbreon hijacks these functions and forces other Linux executables to use its own libc-like library.

This puts the rootkit in a man-in-the-middle position, capable of modifying system calls made by other programs and altering their output. The rootkit also creates a hidden Linux account that can be accessed via any authentication method supported by Linux, including SSH (Secure Shell).

This account does not appear in files like /etc/passwd because the rootkit can rewrite the contents of such files as they are read, the Trend Micro researchers said in a blog post. Umbreon also has a backdoor component called Espeon, named after another Pokémon character, that can establish a reverse shell to an attacker's machine when a TCP packet with special field values is received on the monitored Ethernet interface of an affected device.

This means that attackers can open remote shells simply by sending a specially crafted packet to the infected device over the internet.

It's hard to detect Umbreon using standard Linux tools, because most of them are written in C and rely on libc, whose output the rootkit hijacks, the Trend Micro researchers said. "One way is to develop a small tool to list the contents of the default Umbreon rootkit folder using Linux kernel syscalls directly." Removing the rootkit from an infected system can also be tricky, especially for inexperienced users, and attempts to do so could render the system unusable, the researchers said. Trend Micro provided indicators of compromise in the form of file names and hashes, manual removal instructions and YARA detection rules for the new rootkit.

It seems that the rootkit was designed for manual installation, meaning that attackers install it on systems by hand after compromising them through other vulnerabilities. While many desktop Linux systems receive automatic patches and are generally kept up to date by users, embedded devices like consumer routers and IP-based cameras are rarely updated. As a result, there are hundreds of thousands of embedded devices out there that are vulnerable to known exploits and are routinely infected with malware. Just last week, Web security firm Sucuri blocked a massive DDoS attack that originated from two botnets, one made up of infected CCTV cameras and one made up of hijacked home routers.
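What such a "small tool" looks like, as an added example that is neither Trend Micro's tool nor anything taken from Umbreon itself: the directory listing and the file read go through openat/getdents64/read via syscall(2) and parse the kernel's dirent records by hand, then the kernel's view is compared against what libc's readdir() returns for the same directory. A hooked readdir that hides the rootkit's folder (or a rewritten /etc/passwd handed back by a hooked read path) shows up as a mismatch. The fixture directory, its two files and the NAME_CAP bound are assumptions made for the demo; it assumes Linux (openat and getdents64 exist on every current architecture, x86, x86-64 and ARM included). The same enumeration run over /proc also sidesteps a patched ps of the kind the Ragentek firmware ships, since it never asks ps at all, though on a live /proc a process that exits between the two listings will register as a spurious "hidden" entry.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NAME_CAP 256   /* assumed per-entry name buffer for the demo */

/* Record layout the kernel fills in for getdents64(2). We parse it ourselves
   instead of going through opendir()/readdir(), which are exactly the libc
   functions a ring 3 rootkit replaces. */
struct raw_dirent64 {
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};

/* Read up to cap-1 bytes of path using only openat/read/close syscalls.
   Returns the byte count (buf is NUL-terminated) or -1 on error. */
ssize_t raw_read_file(const char *path, char *buf, size_t cap)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t total = 0;
    while (total < cap - 1) {
        long n = syscall(SYS_read, fd, buf + total, cap - 1 - total);
        if (n < 0) { syscall(SYS_close, fd); return -1; }
        if (n == 0) break;
        total += (size_t)n;
    }
    syscall(SYS_close, fd);
    buf[total] = '\0';
    return (ssize_t)total;
}

/* List a directory straight from the kernel with getdents64. Stores up to max
   names ("." and ".." included) and returns how many were stored, or -1. */
int raw_list_dir(const char *path, char names[][NAME_CAP], int max)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return -1;
    char buf[8192];
    int count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { syscall(SYS_close, fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct raw_dirent64 *d = (struct raw_dirent64 *)(buf + off);
            if (count < max) {
                size_t len = strnlen(d->d_name, NAME_CAP - 1);
                memcpy(names[count], d->d_name, len);
                names[count][len] = '\0';
                count++;
            }
            off += d->d_reclen;
        }
    }
    syscall(SYS_close, fd);
    return count;
}

/* Compare the kernel's view of a directory with libc's readdir() view. Returns
   the number of entries the kernel reports that readdir() omits (-1 on error):
   0 on a clean system, positive when a hooked readdir is hiding something. */
int count_hidden_entries(const char *path)
{
    enum { CAP = 4096 };
    char (*raw)[NAME_CAP] = calloc(CAP, NAME_CAP);
    if (raw == NULL) return -1;
    int nraw = raw_list_dir(path, raw, CAP);
    DIR *dp = (nraw < 0) ? NULL : opendir(path);   /* the libc path, deliberately */
    if (dp == NULL) { free(raw); return -1; }
    int hidden = 0;
    for (int i = 0; i < nraw; i++) {
        int seen = 0;
        struct dirent *e;
        rewinddir(dp);
        while ((e = readdir(dp)) != NULL)
            if (strcmp(e->d_name, raw[i]) == 0) { seen = 1; break; }
        if (!seen) hidden++;
    }
    closedir(dp);
    free(raw);
    return hidden;
}

/* Constructed fixture for the demo: a fresh temp dir holding a.txt ("alpha\n")
   and b.txt ("bravo\n"). Writes the path into dirbuf (at least 32 bytes). */
int make_fixture_dir(char *dirbuf)
{
    strcpy(dirbuf, "/tmp/rawls-XXXXXX");
    if (mkdtemp(dirbuf) == NULL) return -1;
    const char *files[2][2] = { { "a.txt", "alpha\n" }, { "b.txt", "bravo\n" } };
    for (int i = 0; i < 2; i++) {
        char p[300];
        snprintf(p, sizeof p, "%s/%s", dirbuf, files[i][0]);
        FILE *f = fopen(p, "w");
        if (f == NULL) return -1;
        fputs(files[i][1], f);
        fclose(f);
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/proc";
    int hidden = count_hidden_entries(dir);
    printf("%s: %d entries hidden from readdir()\n", dir, hidden);
    return hidden > 0 ? 1 : 0;
}
```

Build it with -static: syscall(2) is itself a libc wrapper, and a rootkit that swaps the whole dynamic libc (which is how Umbreon gets into every process) could hook it too, whereas a statically linked binary loads no shared library at all. The readdir() side of the comparison is left dynamic on purpose in the non-static build, because its disagreement with the kernel is the signal; once a hidden entry is found, raw_read_file on the files inside it gives you the bytes the rootkit does not want standard tools to see.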

Pokémon-loving VXer targets Linux with ‘Umbreon’ rootkit

We told you Pokémon are evil, but no, you wouldn't listen. A Pokémon fan has brewed up a stealthy rootkit targeting Linux. Trend Micro senior threat researcher Fernando Mercês says the ring three rootkit, named by its authors after the nocturnal Pokémon character Umbreon, can run on x86, x86-64 and Raspberry Pi, is difficult to detect, and is highly portable. "Its main purpose is to keep itself and other malware threats stealthed and totally hidden from administrators, analysts, users, scanning, forensic, and system tools," Mercês says. "They may also open a backdoor and use a command and control server and provide an attacker ways to control and spy on the affected machine." Mercês says Umbreon creates a hidden Linux user and carries a non-promiscuous libpcap-based backdoor, named after the Espeon Pokémon, which spawns a shell on hacked boxes when attackers connect. The module connects back to the attacker's machine as a reverse shell in order to bypass firewalls. Mercês has written a technical analysis of the rootkit, which he received from an unnamed partner. He says infected users can remove the rootkit using a Linux Live CD and detect it using a set of YARA rules.