S5mark is a ‘VPN’ that is actually a rootkit in disguise, Bitdefender says

The best defense, as always, is constant vigilance against what you’re downloading, and from where.

PCWorld (USA) - News - By Mark Hachman

While a form of the Zacinlo rootkit has been active for several years, Bitdefender said in June that it has adopted a more sinister appearance: an anonymous “VPN” service, S5mark, that worms its way into Windows 10 systems and can send screenshots of whatever you’re looking at to its control server.

While it’s not clear how many systems have been infected in the wild, Bitdefender says that the majority of systems attacked by Zacinlo are in the United States and run Windows 10. Check out PCWorld’s roundup of the best VPNs (go.pcworld.com/vp18) before downloading an untested one from a shady part of the web.

In a report (PDF; go.pcworld.com/adfr), Bitdefender said that the platform has been active for several years, usually tagging along with freeware programs that claim, for example, to improve the performance of your browser. But the longevity of the malware has allowed its developers to quietly give it extraordinary powers over your PC, including:

• “man-in-the-browser” capabilities that intercept and decrypt SSL communications, allowing it to inject custom JavaScript into webpages the victim visits;

• the ability to redirect pages within browsers, and quietly load other pages in hidden background windows;

• the ability to inject its own ads;

• the ability to take screenshots, then send them up to its command-and-control server;

• the ability to detect and disable third-party antimalware solutions, including Windows Defender;

• and the ability to conceal itself by copying encrypted versions of itself across your PC.
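One of the capabilities listed above is disabling antimalware, including Windows Defender. The PowerShell script below is an added example, not code from the article or from Bitdefender: it checks whether Defender's protections on a Windows 10 machine are still switched on and lists any exclusions or policy overrides. The article does not say how Zacinlo switches Defender off, so the particular settings inspected here are assumptions about what such tampering would leave behind, not indicators taken from the report.

```powershell
# Added example, not from the PCWorld article or the Bitdefender report.
# Checks that Microsoft Defender's protections are still enabled.
# Assumption: tampering would show up as a stopped WinDefend service,
# a disabled component, unexpected exclusions, or a policy override.
# Run from an elevated PowerShell prompt on Windows 10.

$findings = @()

# 1. The Defender service itself
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += 'WinDefend service is missing'
} elseif ($svc.Status -ne 'Running') {
    $findings += "WinDefend service is $($svc.Status)"
}

# 2. Engine status, via the Defender module that ships with Windows 10
$status = Get-MpComputerStatus -ErrorAction Stop
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behaviour monitoring is off' }
if (-not $status.IoavProtectionEnabled)     { $findings += 'Scanning of downloaded files (IOAV) is off' }
if ($status.AntivirusSignatureAge -gt 7)    { $findings += "Signatures are $($status.AntivirusSignatureAge) days old" }

# 3. Preferences a dropper could have changed to carve out a blind spot
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring is set' }
if ($pref.DisableIOAVProtection)     { $findings += 'DisableIOAVProtection is set' }
foreach ($p in $pref.ExclusionPath)      { $findings += "Path exclusion: $p" }
foreach ($p in $pref.ExclusionProcess)   { $findings += "Process exclusion: $p" }
foreach ($e in $pref.ExclusionExtension) { $findings += "Extension exclusion: $e" }

# 4. The Group Policy value that turns Defender off entirely
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$pol = Get-ItemProperty -Path $polKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableAntiSpyware -eq 1) { $findings += 'Policy DisableAntiSpyware=1' }

if ($findings.Count -eq 0) {
    Write-Host 'Defender protections look intact.'
} else {
    Write-Warning 'Possible tampering with Defender:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

A clean result from this script is weaker evidence than it looks: a rootkit that is active in the running system can lie to queries made from inside it, which is why an offline scan such as the Rescue Mode mentioned later in the article is the stronger check.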

Zacinlo also contains sophisticated abilities to update itself and receive instructions from its command server to turn off services within your PC, Bitdefender said. The firm cited its “extremely configurable and highly modular design,” which could be used to adapt Zacinlo in the future into something even more pernicious.

That’s important, because Zacinlo appears to have evolved from a foundation of click fraud, where ads are injected and “interacted with” so that the operators collect payments from online ad agencies. The behind-the-scenes ads that Zacinlo downloads can do exactly that.

The fact that Zacinlo is now being distributed via the fake S5mark VPN, though, preys upon the user’s belief that the product can be used to secure activities like online banking. Installing the “VPN” (which does nothing besides show a fake UI that appears to be an active VPN application) loads a “dropper” that quietly begins downloading and installing the rest of the malware.

Interestingly, Bitdefender doesn’t seem to be claiming that the company can block Zacinlo from being installed. (In case of an infection, however, the company says that you can kick off a system scan using Bitdefender’s Rescue Mode to remove the rootkit and the adware components.)

What you can do to stop it: The best defense, of course, is simply to take precautions about where you (or your kids!) download software from. “For more than a decade, adware has helped software creators earn money while bringing free applications to the masses,” Bitdefender senior e-threat analyst Bogdan Botezatu wrote. “Headliner games and applications have become widely available to computer and mobile users the world over, with no financial strings attached.”
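The advice above is about where software comes from. A concrete check a practitioner can run before executing any downloaded installer is to verify its Authenticode signature, compare its hash with the value the vendor publishes, and look at the mark-of-the-web recording where the file was downloaded from. The PowerShell script below is an added example, not code from the article or from Bitdefender; $InstallerPath and $ExpectedSha256 are placeholder parameters you supply, and the expected hash is assumed to come from the vendor's own download page.

```powershell
# Added example, not from the PCWorld article or the Bitdefender report.
# Save as Check-Installer.ps1 and run it against a downloaded installer
# before double-clicking it. Placeholders: -InstallerPath is the file,
# -ExpectedSha256 is the checksum assumed to be copied from the vendor's site.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $ExpectedSha256
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    throw "File not found: $InstallerPath"
}

# 1. Authenticode: 'Valid' means the signature chains to a trusted root
#    and the file has not been modified since it was signed.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status: $($sig.Status). Do not run this file."
} else {
    $signer = $sig.SignerCertificate
    Write-Host "Signed by : $($signer.Subject)"
    Write-Host "Issuer    : $($signer.Issuer)"
    Write-Host "Thumbprint: $($signer.Thumbprint)"
    # A valid signature proves who signed the file, not that the signer is honest.
    # Confirm the Subject is the vendor you intended to download from.
}

# 2. Hash: compare with the checksum the vendor publishes out of band.
$actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
Write-Host "SHA-256   : $actual"
if ($ExpectedSha256) {
    if ($actual -ieq $ExpectedSha256) {
        Write-Host 'Hash matches the published value.'
    } else {
        Write-Warning "Hash mismatch: expected $ExpectedSha256"
    }
}

# 3. Mark-of-the-Web: browsers attach a Zone.Identifier alternate data stream
#    to downloads; it records the zone and, in recent Windows builds, the
#    originating URL. Read it before deciding whether the source is trustworthy.
$zone = Get-Content -LiteralPath $InstallerPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($zone) {
    Write-Host "Zone.Identifier:"
    $zone | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No Zone.Identifier stream (file was not marked as downloaded, or the mark was removed).'
}
```

Usage: `.\Check-Installer.ps1 -InstallerPath .\setup.exe -ExpectedSha256 <hash from the vendor page>`. An unsigned installer, a signature in any state other than Valid, or a hash that does not match what the vendor publishes is reason enough not to run the file; a valid signature from an unfamiliar Subject deserves the same suspicion.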
