S5Mark is a 'VPN' that is actually a rootkit in disguise, BitDefender says

The best defense, as always, is constant vigilance against what you're downloading, and from where.

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

While a form of the Zacinlo rootkit has been active for several years, BitDefender said Monday that it has adopted a more sinister appearance: as an anonymous "VPN" service, S5Mark, that worms its way into Windows 10 systems and can send screenshots of whatever you're looking at to its control server.

While it's not clear how many systems have been infected in the wild, Bitdefender says that the majority of Zacinlo systems that have been attacked have been in the United States, and running Windows 10. Check out PCWorld's roundup of the best VPNs before downloading an untested version from a shady part of the web.

In a report (PDF), Bitdefender said that the platform has been active for several years, usually tagging along on freeware programs that might claim to improve the performance of your browser, for example. But the longevity of the malware has allowed its developers to quietly give it extraordinary powers over your PC, including:

  • "man-in-the-browser" capabilities that intercept and decrypt SSL communications, allowing it to inject custom Javascript into webpages the victim visits;
  • the ability to redirect pages within browsers, and quietly load other pages in hidden background windows;
  • inject its own ads;
  • the ability to take screenshots, then send them up to its command-and-control server;
  • the ability to detect and disable third-party antimalware solutions, including Windows Defender;
  • and the ability to conceal itself by copying encrypted versions of itself across your PC.

Zacinlo also contains sophisticated abilities to update itself and receive instructions from its command server to turn off services within your PC, Bitdefender said. The firm cited its "extremely configurable and highly modular design" that could be used to adapt Zacinlo in the future to something even more pernicious.

That's important, because Zacinlo appears to have evolved from a foundation of click fraud, where ads are injected and "interacted with" for the benefit of securing payments from online ad agencies. The behind-the-scenes ads that Zacinlo downloads can do exactly that. 

The fact that Zacinlo is now being distributed via the false S5Mark VPN, though, preys upon the user's belief that the product can be used to secure activities like online banking. Downloading the VPN (which does nothing, besides show a fake UI which appears to show an active VPN application) loads a "dropper" that begins quietly downloading and installing the rest of the malware.

Interestingly, BitDefender doesn't seem to be claiming that the company can block Zacinlo from being installed. (In case of an infection, however, the company says that you can kick off a system scan using Bitdefender's Rescue Mode to remove the rootkit and the adware components.) 

What you can do to stop it: The best defense, of course, is simply to take precautions about where you (or your kids!) download software from. "For more than a decade, adware has helped software creators earn money while bringing free applications to the masses," BitDefender senior e-threat analyst Bogdan Botezatu wrote. "Headliner games and applications have become widely available to computer and mobile users the world over, with no financial strings attached."

As Heinlein wrote, though, there ain't no such thing as a free lunch. Malware like Zacinlo may accompany otherwise "free" games and apps. 

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Shop Tech Products at Amazon