S5Mark is a ‘VPN’ that is actually a rootkit in disguise, Bitdefender says


While a form of the Zacinlo rootkit has been active for several years, Bitdefender said Monday that it has adopted a more sinister appearance: an anonymous “VPN” service, S5Mark, that worms its way into Windows 10 systems and can send screenshots of whatever you’re looking at to its control server.

While it’s not clear how many systems have been infected in the wild, Bitdefender says that the majority of systems infected by Zacinlo have been in the United States and running Windows 10. Check out PCWorld’s roundup of the best VPNs before downloading an untested version from a shady part of the web.

In a report (PDF), Bitdefender said that the platform has been active for several years, usually tagging along on freeware programs that might claim to improve the performance of your browser, for example. But the longevity of the malware has allowed its developers to quietly give it extraordinary powers over your PC, including:

  • “man-in-the-browser” capabilities that intercept and decrypt SSL communications, allowing it to inject custom JavaScript into webpages the victim visits;
  • the ability to redirect pages within browsers, and quietly load other pages in hidden background windows;
  • the ability to inject its own ads;
  • the ability to take screenshots, then send them up to its command-and-control server;
  • the ability to detect and disable third-party antimalware solutions, including Windows Defender;
  • and the ability to conceal itself by copying encrypted versions of itself across your PC.
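Because one of the capabilities listed above is switching off Windows Defender, a quick way for an administrator to notice that kind of tampering is to check the Defender state directly. The script below is an added example written for this page, not code from Bitdefender or from the article; it uses only the built-in Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-Service) that ship with Windows 10 and should be run from an elevated PowerShell session. The exclusion check at the end is a general posture check (the article does not say Zacinlo adds exclusions); the seven-day signature-age threshold is an assumed value.

```powershell
# Added example: report whether Windows Defender looks enabled and current.
# Not part of the article or the Bitdefender report; uses built-in cmdlets only.

function Test-DefenderPosture {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $service  = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $findings = @()

    # Core protection switches that tampering would typically flip off.
    if ($null -eq $service -or $service.Status -ne 'Running') { $findings += 'WinDefend service is not running' }
    if (-not $status.AMServiceEnabled)          { $findings += 'Defender antimalware engine is not enabled' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus protection is disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
    if ($pref.DisableRealtimeMonitoring)        { $findings += 'DisableRealtimeMonitoring preference is set' }

    # Stale signatures are another sign updates have been blocked (7 days is an assumed threshold).
    if ($status.AntivirusSignatureAge -gt 7) {
        $findings += "Antivirus signatures are $($status.AntivirusSignatureAge) days old"
    }

    # Exclusions keep files and processes out of scanning; review any that exist.
    # General check only: the article does not state that Zacinlo uses exclusions.
    foreach ($p in $pref.ExclusionPath)    { $findings += "Path exclusion present: $p" }
    foreach ($e in $pref.ExclusionProcess) { $findings += "Process exclusion present: $e" }

    [pscustomobject]@{
        Healthy  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-DefenderPosture
if ($result.Healthy) {
    'Windows Defender appears enabled and current.'
} else {
    $result.Findings | ForEach-Object { "WARNING: $_" }
}
```

If the check reports that real-time protection is off or the service is stopped on a machine where nobody turned it off deliberately, treat that as a reason to scan the system with an up-to-date tool rather than simply re-enabling Defender, since the article notes Zacinlo can also update itself and re-apply its changes.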

Zacinlo also contains sophisticated abilities to update itself and receive instructions from its command server to turn off services within your PC, Bitdefender said. The firm cited its “extremely configurable and highly modular design” that could be used to adapt Zacinlo in the future to something even more pernicious.