sb-eu logo
Story image

Bitdefender unravels the mystery of the Zacinlo adware

20 Jun 2018

Adware has been around for more than a decade, helping software creators make money as they deliver free apps to users. But now the line between adware and spyware has become increasingly fuzzy as confusing marketing, persistence mechanisms, and aggressive opt-outs become the new normal.

That’s according to Bitdefender, which looked at one particular ad fraud operation called Zacinlo. The Zacinlo malware, which Bitdefender classes as an advanced strain of spyware, has been operating covertly since 2012 and targeting users of free applications, as well as gamers.

“The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer. s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behaviour taking place behind the scenes. Note that a non-technical user is led to believe that a VPN connection is established even though no such thing is even attempted,” Bitdefender explains.

The adware is able to open an invisible browser to load advertising banners, and simulate clicks from the user. It also switches ads users see on webpages for the attacker’s own ads, which means it collects advertising revenue.

Bitdefender says this type of rootkit-based malware is so rare that fewer than 1% of threats use it – and there’s no easy fix. The rootkit is able to install itself on most Windows operating systems, including Windows 10.

“We have identified at least 25 different components found in almost 2,500 distinct samples. While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components,” Bitdefender says in a white paper.

Zacinlo is able to detect targeted antimalware solutions and stop them from launching. Bitdefender’s own solutions, as well as those from Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmaPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft, and Zemana are affected.

While most malware samples have been spotted in the USA, many have been found in the Philippines, Indonesia, India, China, France, Germany, and Brazil.

Bitdefender says there are several main features in Zacinlo that are of interest: firstly, it uses an adware cleanup routine used to remove potential competition in the adware space – which means it gets full exposure and ad revenue.

It is also able to take desktop screenshots that can be sent back to the attackers for analysis; decrypt SSL communications through man-in-the-browser attacks, and redirect pages in browsers.

Notably, the aware is able to mimic normal user behaviours such as scrolling, clicking and keyboard input through hidden webpages in the background.

“This is typical behaviour for advertising fraud that inflicts significant financial damage on online advertising platforms,” Bitdefender says in the white paper.

Story image
COVID-19 related email threats pose huge risk in 2020
According to the company’s annual mid-year roundup report, Trend Micro blocked 8.8 million COVID-19 related threats, nearly 92% of which were email-based.More
Story image
Spending on managed security services in A/NZ to grow despite COVID headwinds
COVID-19 has changed security priorities significantly, and managed security services in A/NZ are set to benefit. More
Story image
Research: 61% of companies have suffered an insider attack in last 12 months
It comes as rapid migration to cloud and remote working and BYOD scenarios leave organisations increasingly vulnerable to insider attacks as a result of the upheaval caused by the COVID-19 pandemic.More
Story image
Ripple20 threat has potential for 'vast exploitation', ExtraHop researchers find
One in three IT environments are vulnerable to a cyber threat known as Ripple20. This is according to a new report from ExtraHop, a cloud-native network detection and response solutions provider. More
Story image
Gartner predicts 75% of CEOs to be liable for cyber-physical security incidents by 2024
The nature of CPSs means incidents can quickly lead to physical harm to people, destruction of property or environmental disasters – and Gartner’s new research indicates that these incidents will increase drastically in the next few years if the lack of spending on these assets continues.More
Story image
Video: 10 Minute IT Jams - The benefits of converged cloud security
Today, Techday speaks to Forcepoint senior sales engineer and solutions architect Matthew Bant, who discusses the benefits of a converged cloud security model, and the pandemic's role in complicating the security stack in organisations around the world.More