Sality


Sality is the classification for a family of malicious software (malware) which infects Microsoft Windows system files. Sality was first discovered in 2003 and has advanced to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet used to relay spam, proxy communications, exfiltrate sensitive data, compromise web servers and/or coordinate distributed computing tasks for processing-intensive work (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated rootkit functions as part of the malware family's ongoing evolution. Because of its continued development and capabilities, Sality is considered one of the most complex and formidable forms of malware to date.


Aliases

The majority of Antivirus (A/V) vendors use the following naming conventions when referring to this family of malware:

Overview

Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .EXE or .SCR. [1] Sality uses polymorphic and entry-point obscuring (EPO) techniques to infect files: it does not change the entry point address of the host; instead it replaces the original host code at the entry point with a variable stub that redirects execution to the polymorphic viral code, which has been inserted in the last section of the host file. [2] [3] The stub decrypts and executes a secondary region, known as the loader; the loader then runs in a separate thread within the infected process and eventually loads the Sality payload. [2]
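The EPO pattern above (entry RVA left unchanged, code at the entry point replaced by a stub that transfers control into an executable last section) can be checked structurally in a PE file. The following is an added example, not code from the article or from any of the cited analyses: a minimal PE32 parser plus a defensive heuristic that flags a writable-and-executable last section and an entry-point `jmp`/`call` whose target lies in it. The `build_pe` helper constructs a tiny two-section test image so the check runs offline; real Sality stubs are polymorphic, so a fixed `E9`/`E8` opcode check only catches the simplest form and is meant to illustrate the structural idea, not to serve as a signature.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(data):
    """Return (entry_rva, sections); a section is (name, va, vsize, raw_ptr, raw_size, flags)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, coff)
    entry_rva = struct.unpack_from("<I", data, coff + 20 + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = coff + 20 + opt_size + i * 40                              # section table entry
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]              # Characteristics
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize, flags))
    return entry_rva, sections

def section_of(rva, sections):
    for s in sections:                      # (name, va, vsize, raw_ptr, raw_size, flags)
        if s[1] <= rva < s[1] + max(s[2], s[4]):
            return s
    return None

def epo_indicators(data):
    """Heuristic for the EPO pattern above: unchanged entry RVA whose code jumps into an RWX last section."""
    entry_rva, sections = parse_pe(data)
    last, ep_sec = sections[-1], section_of(entry_rva, sections)
    findings = []
    if last[5] & IMAGE_SCN_MEM_EXECUTE and last[5] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %s is writable and executable" % last[0])
    if ep_sec is None or ep_sec is last:
        return findings
    off = ep_sec[3] + (entry_rva - ep_sec[1])                            # file offset of entry point
    if data[off] in (0xE8, 0xE9):                                        # call rel32 / jmp rel32
        target = entry_rva + 5 + struct.unpack_from("<i", data, off + 1)[0]
        if section_of(target, sections) is last:
            findings.append("entry stub transfers control into last section (RVA 0x%x)" % target)
    return findings

def build_pe(entry_code, last_flags):
    """Constructed two-section PE32 test image (not a real binary, not Sality code)."""
    secs = [(b".text", 0x1000, 0x60000020), (b".rsrc", 0x2000, last_flags)]
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))        # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 96, 0x102)
    hdr += struct.pack("<H", 0x10B) + bytes(14) + struct.pack("<I", 0x1000) + bytes(76)  # magic, entry
    for i, (name, va, flags) in enumerate(secs):
        hdr += struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, 0x200 * (i + 1), 0, 0, 0, 0, flags)
    img = bytearray(0x600)
    img[:len(hdr)] = hdr
    img[0x200:0x200 + len(entry_code)] = entry_code                      # bytes at the entry point
    return bytes(img)
```

A clean image whose entry code is `push ebp; mov ebp, esp` and whose last section is plain data yields no findings; an image whose entry bytes are `jmp 0x2000` into a last section marked code, execute, read and write yields both findings.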

Sality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific strings, terminates security-related processes and services, searches a user's address book for e-mail addresses to which it sends spam messages, [4] and contacts a remote host. Sality may also download additional executable files to install other malware and to propagate pay-per-install applications. Sality may contain Trojan components; some variants may have the ability to steal sensitive personal or financial data (i.e. act as information stealers), [5] generate and relay spam, relay traffic via HTTP proxies, infect web sites, carry out distributed computing tasks such as password cracking, as well as other capabilities. [2]

Sality's downloader mechanism downloads and executes additional malware from the URLs received via the peer-to-peer component. The distributed malware may share the same "code signature" as the Sality payload, which may indicate attribution to a single group and/or that the two share a large portion of their code. The additional malware typically communicates with and reports to central command and control (C&C) servers located throughout the world. According to Symantec, the "combination of file infection mechanism and the fully decentralized peer-to-peer network [...] make Sality one of the most effective and resilient malware in today's threat landscape." [2]

Two versions of the botnet are currently active, versions 3 and 4. The malware circulated on those botnets is digitally signed by the attackers to prevent hostile takeover. In recent years, Sality has also used rootkit techniques to maintain persistence on compromised systems and evade host-based detection, such as anti-virus software. [6]

The top countries affected by the botnet were India, Vietnam and Morocco. [7]

Installation

Sality infects files in the affected computer. Most variants use a DLL that is dropped once in each computer. The DLL file is written to disk in two forms, for example:

The DLL file contains the bulk of the virus code. The file with the extension ".dl_" is the compressed copy. Recent variants of Sality, such as Virus:Win32-Sality.AM, do not drop the DLL but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder %SYSTEM%\drivers. Other malware may also drop Sality on the computer; for example, a Sality variant detected as Virus:Win32-Sality.AU is dropped by Worm:Win32-Sality.AU. [1] Some variants of Sality may also include a rootkit, creating a device named Device\amsint32 or \DosDevices\amsint32. [6]

Method of propagation

File infection

Sality usually targets all files in drive C: that have .SCR or .EXE file extensions, beginning with the root folder. Infected files increase in size by a varying amount.

The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys:

Sality avoids infecting particular files, in order to remain hidden in the computer:

Removable drives and network shares

Some variants of Sality can infect legitimate files and then move them to available removable drives and network shares. They do so by enumerating all network share folders and resources of the local computer and all files in drive C: (beginning with the root folder), and infect the files they find by adding a new code section to the host and inserting the malicious code into the newly added section. If a legitimate file exists, the malware copies it to the Temporary Files folder and infects the copy. The resulting infected file is then moved to the root of all available removable drives and network shares as any of the following:

The Sality variant also creates an "autorun.inf" file in the root of all these drives that points to the virus copy. When a drive is accessed from a computer supporting the AutoRun feature, the virus is then launched automatically. [1] Some Sality variants may also drop a file with a .tmp file extension to the discovered network shares and resources as well as drop a .LNK file to run the dropped virus. [8]
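The autorun.inf that the variant plants in each drive root is a small INI file, and during triage of a suspect removable drive it is useful to extract exactly which programs it would launch. The following is an added example, not part of the article: a parser for the documented launch keys of an `[autorun]` section (`open=`, `shellexecute=` and `shell\<verb>\command=`, matched case-insensitively as Windows does), and a filter for the .EXE/.SCR targets Sality infects. The sample autorun.inf and its file names are constructed for the example.

```python
import re

# [autorun] keys that name a program to run (documented AutoRun keys); shell\<verb>\command too.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")

def autorun_launch_targets(text):
    """Programs an autorun.inf would launch: values of open=, shellexecute= and
    shell\\verb\\command= inside any [autorun] section. Keys match case-insensitively."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):                 # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):      # section header
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in LAUNCH_KEYS or SHELL_COMMAND.match(key.lower()):
                targets.append(value)
    return targets

def executables_launched(text):
    """Launch targets that are .exe/.scr programs (the file types Sality infects), normalised."""
    found = []
    for value in autorun_launch_targets(text):
        prog = value.split()[0].strip('"') if value else ""   # drop arguments and surrounding quotes
        if prog.lower().endswith((".exe", ".scr")):
            found.append(prog.lstrip(".\\").lower())          # strip a leading .\ so root paths compare
    return found

# Constructed sample of the shape the text describes (file names are made up for the example).
SAMPLE_AUTORUN = """[AutoRun]
; constructed sample
OPEN = sample.exe
shell\\open\\Command=".\\SETUP.SCR" /s
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
```

Recent Windows releases no longer honour autorun.inf on USB mass-storage devices, so on such hosts the file is mainly a propagation artefact worth collecting rather than an execution path.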

Payload

Recovery

Microsoft has identified dozens of files which are all commonly associated with the malware. [1] [4] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [21] [22] [23] [24] [25] [26] [27] Sality uses stealth measures to maintain persistence on a system; thus, users may need to boot to a trusted environment in order to remove it. Sality may also make configuration changes such as to the Windows Registry, which makes it difficult to download, install and/or update virus protection. Also, since many variants of Sality attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.

References

  1. Microsoft Malware Protection Center (2010-08-07). "Win32-Sality". Microsoft. Archived from the original on 2013-09-17. Retrieved 2012-04-22.
  2. Nicolas Falliere (2011-08-03). "Sality: Story of a Peer-to-Peer Viral Network" (PDF). Symantec. Retrieved 2012-01-12.
  3. Angela Thigpen and Eric Chien (2010-05-20). "W32.Sality". Symantec. Archived from the original on 2013-10-05. Retrieved 2012-04-22.
  4. Microsoft Malware Protection Center (2009-05-29). "Win32-Sality.A". Microsoft. Retrieved 2012-04-22.
  5. FireEye, Inc (2012-02-14). "FireEye Advanced Threat Report - 2H 2011" (PDF). FireEye. Archived from the original (PDF) on 2012-05-22. Retrieved 2012-04-22.
  6. Artem I. Baranov (2013-01-15). "Sality Rootkit Analysis". Archived from the original on 2013-08-10. Retrieved 2013-01-19.
  7. "Kaspersky Threats — Sality". threats.kaspersky.com.
  8. Microsoft Malware Protection Center (2010-07-30). "Worm:Win32-Sality.AU". Microsoft. Archived from the original on 2013-09-27. Retrieved 2012-04-22.
  9. Microsoft Malware Protection Center (2010-04-28). "Virus:Win32-Sality.G.dll". Microsoft. Retrieved 2012-04-22.
  10. Microsoft Malware Protection Center (2010-06-28). "Virus:Win32-Sality.AH". Microsoft. Retrieved 2012-04-22.
  11. Microsoft Malware Protection Center (2010-08-27). "Virus:Win32-Sality.gen!AT". Microsoft. Retrieved 2012-04-22.
  12. Microsoft Malware Protection Center (2010-10-21). "Virus:Win32-Sality.gen!Q". Microsoft. Retrieved 2012-04-22.
  13. Microsoft Malware Protection Center (2008-07-03). "Virus:Win32-Sality.R". Microsoft. Archived from the original on 2014-04-04. Retrieved 2012-04-22.
  14. Microsoft Malware Protection Center (2008-07-07). "Virus:Win32-Sality.T". Microsoft. Archived from the original on 2014-04-04. Retrieved 2012-04-22.
  15. Microsoft Malware Protection Center (2008-07-07). "Virus:Win32-Sality.AN". Microsoft. Retrieved 2012-04-22.
  16. Microsoft Malware Protection Center (2009-03-06). "Virus:Win32-Sality.S". Microsoft. Retrieved 2012-04-22.
  17. Microsoft Malware Protection Center (2008-07-08). "Virus:Win32-Sality". Microsoft. Archived from the original on 2012-01-01. Retrieved 2012-04-22.
  18. Microsoft Malware Protection Center (2010-07-30). "Virus:Win32-Sality.AU". Microsoft. Archived from the original on 2013-09-27. Retrieved 2012-04-22.
  19. Microsoft Malware Protection Center (2010-07-30). "TrojanDropper:Win32-Sality.AU". Microsoft. Retrieved 2012-04-22.
  20. Microsoft Malware Protection Center (2010-04-26). "Virus:Win32-Sality.AT". Microsoft. Archived from the original on 2014-01-30. Retrieved 2012-04-22.
  21. Microsoft Malware Protection Center (2007-11-16). "Virus:Win32-Sality.M". Microsoft. Archived from the original on 2014-04-05. Retrieved 2012-04-22.
  22. Microsoft Malware Protection Center (2010-08-10). "Trojan:WinNT-Sality". Microsoft. Archived from the original on 2013-12-05. Retrieved 2012-04-22.
  23. Microsoft Malware Protection Center (2010-09-17). "WinNT-Sality". Microsoft. Retrieved 2012-04-22.
  24. Microsoft Malware Protection Center (2010-04-14). "Virus:Win32-Sality.G". Microsoft. Archived from the original on 2014-04-05. Retrieved 2012-04-22.
  25. Microsoft Malware Protection Center (2008-07-08). "Virus:Win32-Sality.AM". Microsoft. Archived from the original on 2013-12-09. Retrieved 2012-04-22.
  26. Microsoft Malware Protection Center (2009-06-17). "Virus:Win32-Sality.gen!P". Microsoft. Retrieved 2012-04-22.
  27. Microsoft Malware Protection Center (2009-09-02). "Virus:Win32-Sality.gen". Microsoft. Retrieved 2012-04-22.