Warning about rootkit adware

posted in: Security, viruses etc.

Bitdefender has found and analysed a rootkit that they call Zacinlo. A rootkit is a virus that hides itself so deeply in the operating system that it usually cannot be found by a traditional virus scan on a running PC. You have to boot the PC from a USB stick or a CD in order to examine all the files without the usual operating system running. I have written more about this kind of thing before, including how you can build such an offline virus scanner yourself or buy a USB stick for DKK 200 from InfoShare.

Zacinlo is a devious bastard that primarily earns the criminal money by forcing adverts to be shown, both visibly to the user and in the background, so that ad impressions are counted even though nothing has actually been displayed. But it also contains remote control from a command and control centre (C&C), which receives information about your PC and possibly screenshots of what you are looking at, and the C&C can be used to install all sorts of other programs. Bitdefender's 100-page report shows both how enormous a piece of programming work goes into such a virus, and how big a job it must be to work out how to fight it. Bitdefender has analysed 2,500 instances of Zacinlo, found primarily in the USA and all installed because the user downloaded and installed something that looked like a free VPN program: S5mark.

Unfortunately there can easily be many other disguises, and according to Bitdefender this variant has been active since 2012 and most active in the second half of 2017. The C&C servers that were found have been shut down, but there may be many others "out there", and they are not so easy to get at. InfoShare's SysLogExaminer can of course be used to reveal most of this kind of unauthorised activity, but that too takes work.

Here is an overview of the things Bitdefender has found that Zacinlo can do. It seems to me that a great many hours must have been invested in its development (so what does that say about the expected earnings?):

· The presence of a rootkit driver that protects itself as well as its other components. It can stop processes deemed dangerous to the functionality of the adware while also protecting the adware from being stopped or deleted.
· The presence of man-in-the-browser capabilities that intercept and decrypt SSL communications. This allows the adware to inject custom JavaScript code into webpages visited by the user.
· It features an adware cleanup routine used to remove potential "competition" in the adware space. This routine is rather generic and does not target a particular family or type of adware.
· The adware can uninstall and delete services based on the instructions it receives from the command and control infrastructure.
· It reports some information about the environment it is running in to the C&C. This information includes whether an antimalware solution is installed (and if so, which one), which applications are running at start-up and so on.
· It takes screen captures of the desktop and sends them to the command and control center for analysis. This functionality has a massive impact on privacy as these screen captures may contain sensitive information such as e-mail, instant messaging or e-banking sessions.
· It can accommodate the installation of virtually any piece of software on the fly and thus extend its functionality.
· It features an automatic update mechanism.
· It redirects pages in browsers.
· It adds or replaces advertisements while browsing by searching DOM objects by size, style, class or specific regular expressions.
· Uses many platforms to pull advertising from, including Google AdSense.
· Obsolete or expired ads can be easily replaced by new ones.
· Silently renders webpages in the background in hidden windows and interacts with them as a normal user would: scrolling, clicking, keyboard input. This is typical behavior for advertising fraud that inflicts significant financial damage on online advertising platforms.
· Its extensive use of open-source projects and libraries (e.g. chromium, cryptopop, jsoncpp, libcef, libcurl, zlib, etc.).
· It uses Lua scripts to download several components (most likely as a way to fly under the radar of some antimalware solutions that detect suspicious downloads and block them as such).
· Extremely configurable and highly modular design that can expand functionality via scripts and configuration files made available via the command and control infrastructure.