All-in-one malware: an overview of Sality
(Publication)
| All-in-one malware: an overview of Sality | |
|---|---|
| Botnet | Sality |
| Malware | Sality_(bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | 2010 / 07 May 2010 |
| Editor/Conference | Symantec |
| Link | http://www.symantec.com/connect/blogs/all-one-malware-overview-sality (archive copy) |
| Author | Nicolas Falliere |
| Type | |
Abstract
“W32.Sality is a family of file infectors that’s been around for a long time. It seems the virus first appeared back in 2003, originating in Russia. At that time, Sality was a file infector that prepended its viral code to a host, and had back door and keylogging facilities.
Nowadays, Sality’s “signature” remains the same—virus and Trojan capabilities—but it includes more features to facilitate propagation, assure its survival, and perform the dirty jobs. Among these capabilities is the decentralized peer-to-peer (P2P) network that Sality-infected computers create and populate, which I’ll introduce later on.
Sality is an entry-point obscuring file infector. Infected files will have their original, initial instructions overwritten with complex code, with an end goal of reaching the viral body code and executing it. This body code is located in the last section and is encrypted. Once decrypted and executed, a separate thread is created to carry out the virus payload memory mapping and execution. This payload is Sality itself. Let’s review its features.
The payload runs five distinct components in separate threads. The first component is a process injector. All processes—except those belonging to the users “local service”, “network service”, or “system”—will be injected with a copy of Sality to make sure the malware stays running.
The second component is responsible for lowering or disabling the general security of the system. Security-related processes and services are stopped, including many antivirus and personal firewall products. The registry is modified and SafeBoot key entries are deleted. Components such as registry editing with the Windows regedit.exe tool or Task Manager creation are disabled. Firewall rules are added to let Sality access the network and the Security Center, among other things, is disabled.”
Bibtex
```bibtex
@misc{2010BFR897,
  editor       = {Symantec},
  author       = {Nicolas Falliere},
  title        = {All-in-one malware: an overview of Sality},
  date         = {07},
  month        = May,
  year         = {2010},
  howpublished = {\url{http://www.symantec.com/connect/blogs/all-one-malware-overview-sality}},
}
```