author | Nicolas Dato <nicolas.dato@gmail.com> | 2025-09-15 13:33:37 -0300 |
---|---|---|
committer | Nicolas Dato <nicolas.dato@gmail.com> | 2025-09-15 13:33:37 -0300 |
commit | c0811e9fb81b6d880b07d33e226ee248fd391088 (patch) | |
tree | 4830d2c555430f94669c46aed779ae31bc164480 /zola/content | |
parent | 1426cfd1780991c5c0e6afa3dc2fec509672b6be (diff) | |
download | ndato.com-c0811e9fb81b6d880b07d33e226ee248fd391088.tar.gz |
Diffstat (limited to 'zola/content')
-rw-r--r-- | zola/content/blog/zscaler-malware.md | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/zola/content/blog/zscaler-malware.md b/zola/content/blog/zscaler-malware.md new file mode 100644 index 0000000..f74fcd0 --- /dev/null +++ b/zola/content/blog/zscaler-malware.md 
@@ -0,0 +1,48 @@ ++++ +title = "Zscaler is a malware, avoid using it" +description = "Zscaler Client Connector will spy everything you do" +date = 2025-09-15 +authors = ["Nicolás Dato"] + +[taxonomies] +Tags=["Privacy"] ++++ + +*The price of liberty is eternal vigilance* + +*Don't use Zscaler Client Connector, avoid it. Zscaler is a malware.* This goes for both sides, the employees/clients and the company/server. + +If you are forced to use it *assume your computer is compromised and they are al least spying on you*. If you are the client/employee, and you are forced to use it, then run a VM exclusively to run Zscaler and assume the VM is compromised. + +Recently one of our costumers switched to Zscaler. I decided to research a bit about it and how it works, and this is what I found out. + +## How it works + +I had to use it, so I set up a Debian 12 VM using qemu and installed the client there. I had to use Debian 12 because the installer failed in Debian 13 (the latest one). + +The Zscaler Client Connector made the following configuration changes (as seen by `ip route`): + +- It created 1700 routes. Yes, literally. 
I don't know if this is an issue with the server configuration or with Zscaler +- Some of those routes *redirect all traffic through their software* (redirect everything through the zcctun0 interface created by the Zscaler Client Connector) +- The redirection of all traffic through zcctun0 (their software) is kept *even when you logout and the GUI says the Service Status is OFF* +- If I close the software, the zcctun0 interface and the routes disappear + +I launched Wireshark and monitored the traffic: + +- If I try to see any website outside of the private network, Zscaler creates an [HTTP tunnel](https://en.wikipedia.org/wiki/HTTP_tunnel) though their servers, and *the traffic goes through their servers* instead of directly to the website +- If I connect to a server using SSH outside of the private network, the packets first go through zcctun0 and then the normal interface. Like if the software sees the packets and decides that those should go though the normal interface directly to their original destination +- *All of this still happens if you logout and the GUI says the service status is OFF* + + +## Risks for the employee/client + +*You are being monitored.* The Zscaler Client Connector watches all traffic (by the zcctun0 interface) and decides what to do. It looks like the ssh connection outside their network goes directly to their destination, but the Zscaler software is watching it. However, *every website is being redirected through their servers.* + +It won't surprise me if government agencies are behind Zscaler to gather information and as a backdoor. + +## Risks for the company/server + +If you use Zscaler they are watching your server's traffic. Moreover, they are watching every other company that is using Zscaler. This means that there are more malicious people and more interest in breaching Zscaler than if you have your own VPN. 
+ +Think it this way: maybe your company is not the target of malicious people, but there may be other big and more important companies that malicious people may want to target, and when they do breach Zscaler every company will be compromised, not only the targeted one. + |
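Review bot: the evidence in the "How it works" section (routes pointing at zcctun0, websites tunnelled via an HTTP tunnel to their servers, SSH packets passing zcctun0 before the normal interface, all persisting while the GUI reports the service OFF) supports the conclusion the post itself draws in the risk section, "*You are being monitored.*", i.e. that the vendor forwards and can inspect the traffic, but it does not on its own establish the title's "Zscaler is a malware"; consider keeping the measured observations and the conclusion separate, and recording the Client Connector version plus a short excerpt of the `ip route` output so the "1700 routes" and logout-persistence findings are reproducible by readers. The post also does not say whether "logout" here means signing out in the GUI while the service keeps running versus stopping it, which matters given the later line "If I close the software, the zcctun0 interface and the routes disappear". Typos in the new file: "al least" → "at least", "costumers" → "customers", "though their servers" → "through their servers" (twice), "Like if the software sees" → "As if the software sees", and "Think it this way" → "Think of it this way".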