Story image

Bitdefender unravels the mystery of the Zacinlo adware

20 Jun 2018

Adware has been around for more than a decade, helping software creators make money as they deliver free apps to users. But now the line between adware and spyware has become increasingly fuzzy as confusing marketing, persistence mechanisms, and aggressive opt-outs become the new normal.

That’s according to Bitdefender, which looked at one particular ad fraud operation called Zacinlo. The Zacinlo malware, which Bitdefender classes as an advanced strain of spyware, has been operating covertly since 2012 and targeting users of free applications, as well as gamers.

“The adware components are silently installed by a downloader that is presented as a free and anonymous VPN service (s5Mark), distributed in an installer. s5Mark has a simple graphical interface used as a decoy for the intrusive unwanted behaviour taking place behind the scenes. Note that a non-technical user is led to believe that a VPN connection is established even though no such thing is even attempted,” Bitdefender explains.

The adware is able to open an invisible browser to load advertising banners, and simulate clicks from the user. It also switches ads users see on webpages for the attacker’s own ads, which means it collects advertising revenue.

Bitdefender says this type of rootkit-based malware is so rare that fewer than 1% of threats use it – and there’s no easy fix. The rootkit is able to install itself on most Windows operating systems, including Windows 10.

“We have identified at least 25 different components found in almost 2,500 distinct samples. While tracking the adware, we noticed some of the components were continuously updated with new functionalities, dropped altogether or integrated entirely in other components,” Bitdefender says in a white paper.

Zacinlo is able to detect targeted antimalware solutions and stop them from launching. Bitdefender’s own solutions, as well as those from Qihoo, Kingsoft, Malwarebytes, Symantec, Panda, HitmaPro, Avast, Avg, Microsoft, Kaspersky, Emsisoft, and Zemana are affected.

While most malware samples have been spotted in the USA, many have been found in the Philippines, Indonesia, India, China, France, Germany, and Brazil.

Bitdefender says there are several main features in Zacinlo that are of interest: firstly, it uses an adware cleanup routine used to remove potential competition in the adware space – which means it gets full exposure and ad revenue.

It is also able to take desktop screenshots that can be sent back to the attackers for analysis; decrypt SSL communications through man-in-the-browser attacks, and redirect pages in browsers.

Notably, the aware is able to mimic normal user behaviours such as scrolling, clicking and keyboard input through hidden webpages in the background.

“This is typical behaviour for advertising fraud that inflicts significant financial damage on online advertising platforms,” Bitdefender says in the white paper.

Opinion: BYOD can be secure with the right measures
Companies that embrace BYOD are giving employees more freedom to work remotely, resulting in increased productivity, cost savings, and talent retention.
Sonatype and HackerOne partner on open source vulnerability reporting
Without a standard for responsible disclosure, even those who want to disclose vulnerabilities responsibly can get frustrated with the process.
OutSystems and Boncode team up for better code analysis
The Boncode and OutSystems alliance aims to help organisations to build fast and feel comfortable that the work they're delivering is at peak quality levels.
Nozomi and RIoT to deliver advanced ICS security solutions to Australia
''As a specialised integrator of robust and resilient ICT and IoT solutions within Australia, we are delighted to be partnering with Nozomi Networks."
Nuance biometrics fight back against fraud
Nuance Communications has crunched the numbers and discovered that it has prevented more than US$1 billion worth of fraud from being passed on to users of its Nuance Security Suite.
SIS announces a partnership with Platform 4
“We are looking forward to a strong future in the New Zealand security industry with this global giant as our strategic partner."
Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
Developing APAC countries most vulnerable to malware - Microsoft
“As cyberattacks continue to increase in frequency and sophistication, understanding prevalent cyberthreats and how to limit their impact has become an imperative.”