A description of the latest version of the Zacinlo malware sounds like a nightmare scenario for your security team. It’s rootkit malware that installs itself on the lowest levels of Windows where detection is extremely difficult to detect.
Even if it’s detected Zacinlo disables anti-virus and anti-malware packages so it can’t be quickly purged from the system. It also writes itself into the Windows registry so attempts to remove it by rebooting or even reinstalling Windows won’t get rid of it.
Once Zacinlo gets into your system, it uploads your system information to its command and control server which then commands it to remove anything that’s considered a threat. This will include any AV packages, but also anything that competes with its core adware mission as well as any other software that might interfere with its operation.
Once Zacinlo is in your system, it begins serving ads to your desktop that simply appear, and about which you can do nothing. Meanwhile, in the background it’s running a browser with no user interface, so it can quietly click on links you can’t see, which can be used for ad fraud, but also to install other malware.
Meanwhile, Zacinlo is quietly snapping screen captures and sending whatever is on your screen to its command and control server. While it’s sending data to its servers, the malware also has the ability to set up a man-in-the-middle operation in your computer, so it can siphon off things like logins and passwords as well as banking information. If that’s not enough, it can redirect browser requests, taking you to fake web pages.
Zacinlo has actually been around for a few years, but got little attention because it was hard to spot so victims frequently didn’t know they were infected. They just saw ads mysteriously appear. It also hadn’t morphed into malware. But now it was recently upgraded to specifically target Windows 10, where it hides deep down in the operating system.
Adam Kujawa, Director of Malware Intelligence at Malwarebytes says that his team has been keeping an eye on Zacinlo for a while now. He also said that it’s going to get worse.
“While currently the biggest example of adware with rootkit functionality, it is none the less going to be copied by other [malware developers] in the near future, based on what we’ve seen historically from adware creators taking each other’s ideas,” Kujawa said in an email to eWEEK.
He said that anti-malware and antivirus companies re putting increasing pressure on creators of adware and now malware. “As more and more security solution providers start acknowledging Potentially Unwanted Programs (PUPs) as things to detect and remove, many adware and PUP developers have had to consolidate efforts,” Kujawa said.
“This has led to an emergence of more dangerous and persistent adware that is more difficult for the user to remove. This in turn, has so far been used for things like pointing a browser to an advertisement owned by the criminal, which is a kind of ‘third-party’ revenue stream for the criminals, versus ransoming files or stealing credit card information.”
Kujawa said that Zacinlo needs to be taken seriously. “Despite it’s seemingly benign threat to users, Zacinlo and other similar threats, contain the ability to install additional malware on the system.”
Currently the best known means of transmitting the Zacinlo malware is as part of the payload for a fake VPN package. The package looks like a VPN client, but doesn’t actually do anything except install the malware. However, there are likely other means of spreading this malware beyond the fake VPN.
Once it’s installed in your system, Zacinlo is nearly impossible to detect, but fortunately, it takes a little while for that to happen. “Malwarebytes can detect and remove the adware (adware.5hex) threat once identified, however, this particular malware updates itself so frequently and keeps such a close eye on how security solutions are stopping it, that being able to ensure identification and removal of the rootkit at any time is difficult to promise, especially once the rootkit has been had time to ‘dig in’ to the system.”
The Symantec labs have also been investigating Zacinlo, and right now they’re holding off on providing details, but if it turns out that you have this malware (or other malware that’s difficult to remove) there is a solution.
“We are still investigating the samples to get a better understanding of the malware,” a spokesperson for Symantec said to eWEEK in an email. “While we haven’t confirmed for Zacinlo yet, a rootkit malware usually can’t survive a disk reformat and system reinstall,” the Symantec spokesperson said.
Users can also try a rescue tool like Norton Bootable Recovery Tool (NBRT) to detect and remove rootkit malware if the AV product is rendered unusable by the malware.
What this means is that a rootkit malware infection leaves you few options. You can possibly kill it with anti-malware if you find it as soon as it arrives on your system. Or you can reformat your hard disk and do a clean install of Windows. If you’ve backed up your data, this isn’t necessarily hard, it’s just time consuming. Just be aware that you can’t do a restore from a system image, because that image is probably going to have the malware, too.
Or, finally, you can run Symantec’s NBRT, which uses a form of Linux to boot up your system and then has software that will examine your disk for rootkit malware.
Of course this all may have been prevented by practicing good computer hygiene, and by making sure your firewall is set so that Zacinlo can’t communicate with its command and control servers. Blocking off its access to the outside world will also keep Zacinlo from getting started in the first place.