S5Mark is a 'VPN' that is actually a rootkit in disguise, BitDefender says

The best defense, as always, is constant vigilance against what you're downloading, and from where.

While a form of the Zacinlo rootkit has been active for several years, BitDefender said Monday that it has adopted a more sinister appearance: as an anonymous "VPN" service, S5Mark, that worms its way into Windows 10 systems and can send screenshots of whatever you're looking at to its control server.

While it's not clear how many systems have been infected in the wild, Bitdefender says that the majority of Zacinlo systems that have been attacked have been in the United States, and running Windows 10. Check out PCWorld's roundup of the best VPNs before downloading an untested version from a shady part of the web.

In a report (PDF), Bitdefender said that the platform has been active for several years, usually tagging along on freeware programs that might claim to improve the performance of your browser, for example. But the longevity of the malware has allowed its developers to quietly give it extraordinary powers over your PC, including:

  • "man-in-the-browser" capabilities that intercept and decrypt SSL communications, allowing it to inject custom Javascript into webpages the victim visits;
  • the ability to redirect pages within browsers, and quietly load other pages in hidden background windows;
  • inject its own ads;
  • the ability to take screenshots, then send them up to its command-and-control server;
  • the ability to detect and disable third-party antimalware solutions, including Windows Defender;
  • and the ability to conceal itself by copying encrypted versions of itself across your PC.

Zacinlo also contains sophisticated abilities to update itself and receive instructions from its command server to turn off services within your PC, Bitdefender said. The firm cited its "extremely configurable and highly modular design" that could be used to adapt Zacinlo in the future to something even more pernicious.

That's important, because Zacinlo appears to have evolved from a foundation of click fraud, where ads are injected and "interacted with" for the benefit of securing payments from online ad agencies. The behind-the-scenes ads that Zacinlo downloads can do exactly that. 

The fact that Zacinlo is now being distributed via the false S5Mark VPN, though, preys upon the user's belief that the product can be used to secure activities like online banking. Downloading the VPN (which does nothing, besides show a fake UI which appears to show an active VPN application) loads a "dropper" that begins quietly downloading and installing the rest of the malware.

Interestingly, BitDefender doesn't seem to be claiming that the company can block Zacinlo from being installed. (In case of an infection, however, the company says that you can kick off a system scan using Bitdefender's Rescue Mode to remove the rootkit and the adware components.) 

What you can do to stop it: The best defense, of course, is simply to take precautions about where you (or your kids!) download software from. "For more than a decade, adware has helped software creators earn money while bringing free applications to the masses," BitDefender senior e-threat analyst Bogdan Botezatu wrote. "Headliner games and applications have become widely available to computer and mobile users the world over, with no financial strings attached."

As Heinlein wrote, though, there ain't no such thing as a free lunch. Malware like Zacinlo may accompany otherwise "free" games and apps. 

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments





Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?