
Zacinlo adware affecting Windows 10 Users - vezycash
https://www.bleepingcomputer.com/news/security/rootkit-based-adware-wreaks-havoc-among-windows-10-users-in-the-us/
======
jen729w
"The adware components are silently installed by a downloader that is
presented as a free and anonymous VPN service (s5Mark),"...

Err. Can we blame Windows if a user installs software?!

~~~
talltimtom
True, users actually installing software on their computers is extremely rare
and well outside the scope of intended use for Windows. It's surprising even
that Microsoft made it possible at all to do such a power-user task on a
regular computer.

~~~
chii
If you invited a stranger into your home, is it any surprise that they might
steal and burgle?

The user has to have some level of technical knowledge and personal
responsibility in keeping their machines clean. Downloading random VPN
software that is free seems like such a dangerous thing to do. If the user
doesn't understand this, they haven't really learnt how to computer properly.

~~~
adrianN
Developers curl | bash all the time to install stuff without first checking
that what they download is what they want. Why should we demand more care from
less technical users?

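The check adrianN says people skip, as an added example (this is not code from the comment or from any project): download the installer to a file instead of piping it straight into a shell, compare its SHA-256 against a digest published out of band, and refuse to execute it if it contains a privilege-escalation command, since a `sudo` inside the script is what turns a user-level install into a system-level one. The installer content, its digest and the `example-tool` name are constructed for this example; a real use would `curl -fsSLo "$file" "$url"` first.

```shell
#!/bin/sh
# Added example: gate a downloaded install script behind a digest check and
# a scan for privilege escalation before it is executed.
set -u

# Constructed sample installer (hypothetical content) so the example runs
# offline; a real run would fetch the script with curl -fsSLo first.
make_sample_installer() {
  cat > "$1" <<'EOF'
#!/bin/sh
echo "installing example-tool"
sudo install -m 0755 example-tool /usr/local/bin/example-tool
EOF
}

# Hex SHA-256 of a file; sha256sum on Linux, shasum on macOS/BSD.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file's digest equals the value published out of band.
verify_sha256() {
  file=$1; expected=$2
  [ "$(digest "$file")" = "$expected" ]
}

# Return 0 when the script contains no sudo/doas/su invocation
# (word-bounded so "sudo" inside another identifier is not matched).
no_privilege_escalation() {
  ! grep -Eq '(^|[^[:alnum:]_])(sudo|doas|su)([^[:alnum:]_]|$)' "$1"
}

# Run the script only after both checks pass.
# Returns 1 on digest mismatch, 2 if the script escalates privileges,
# otherwise the exit status of the script itself.
safe_run() {
  file=$1; expected=$2
  verify_sha256 "$file" "$expected" || {
    echo "digest mismatch, refusing to run $file" >&2; return 1; }
  no_privilege_escalation "$file" || {
    echo "$file escalates privileges, review it before running" >&2; return 2; }
  sh "$file"
}

# Usage: the constructed installer is rejected for its sudo line even when
# its digest is correct.
tmp=$(mktemp)
make_sample_installer "$tmp"
safe_run "$tmp" "$(digest "$tmp")" || echo "blocked with status $?"
rm -f "$tmp"
```

The digest check only helps when the expected value comes from somewhere other than the server that served the script; a checksum hosted next to the download is replaced as easily as the download itself.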
~~~
smichel17
curl | bash can't install something that persists across reinstalls (unless
I've sudo'd recently, which I admit is possible).

The problem with the desktop security model is the controls are ridiculously
coarse-grained.

~~~
adrianN
Even if the script doesn't just contain a sudo (which they often do), you're
still just one local exploit away from installing a rootkit. I don't think
they're that hard to come by.

------
Maarten88
"... persistence across OS reinstalls [...] even effective against Windows 10
installations..."

Since Windows 8 I have always enabled safeboot in the UEFI settings before
installing the OS. Machines with pre-installed Windows usually come with this
setting enabled by default. I would expect this type of malware would not run
on machines with safeboot, or would cause a BSOD on the next startup.

The article doesn't say anything about this: does it require an unlocked
bootloader, does it silently fall back when it detects safeboot, or does it
have a bypass?

~~~
rocqua
I really found this part of the article lacking. How deep does the rootkit go
to persist across OS reinstalls?

Does it simply hijack Windows' restore functionality? Or does it write itself
to firmware to essentially become baked into the hardware?

~~~
nisa
This seems to be the source for the article:
[https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/](https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/)
(there is a PDF linked); no mention of surviving a format or clean reinstall.

------
orliesaurus
I am not sure why they didn't point out what this "free VPN" software that
came loaded with the rootkit was. Let's assume I did download a free VPN in the
past (full disclosure: I DIDN'T); how would I know if I am affected?

EDIT: They did - never mind the above, I totally missed it. I need to upgrade
my glasses. Thanks for pointing it out!

~~~
prophesi
Erm, they did?

>"The adware components are silently installed by a downloader that is
presented as a free and anonymous VPN service (s5Mark)," Bitdefender experts
wrote in a 104-page report detailing Zacinlo's modus operandi and all of its
modules released today.

~~~
orliesaurus
Thank you, I totally missed it!

