All-in-one malware: an overview of Sality

Jump to navigation Jump to search

(Publication) Google search: [1]

All-in-one malware: an overview of Sality
Botnet Sality
Malware Sality_(bot)
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
CCProtocol P2P
Date 2010 / 07 May 2010
Editor/Conference Symantec
Link (Archive copy)
Author Nicolas Falliere


W32.Sality is a family of file infectors that’s been around for a long time. It seems the virus first appeared back in 2003, originating in Russia. At that time, Sality was a file infector that prepended its viral code to a host, and had back door and keylogging facilities.

Nowadays, Sality’s “signature” remains the same—virus and Trojan capabilities—but it includes more features to facilitate propagation, assure its survival, and performs the dirty jobs. Among these capabilities is the decentralized peer-to-peer network (P2P) that Sality-infected computers create and populate, which I’ll introduce later on.

Sality is an entry-point obscuring file infector. Infected files will have their original, initial instructions overwritten with complex code, with an end-goal of reaching the viral body code and executing it. This body code is located in the last section and is encrypted. Once decrypted and executed, a separate thread is created to carry the virus payload memory mapping and execution. This payload is Sality itself. Let’s review its features.

The payload runs five distinct components in separate threads. The first component is a process injector. All processes—except those belonging to the users “local service”, “network service”, or “system”—will be injected with a copy of Sality to make sure the malware stays running.

The second component is responsible for lowering or disabling the general security of the system. Security-related processes and services are stopped, including many antivirus and personal firewall products. The registry is modified and SafeBoot key entries are deleted. Components such as registry editing with the Windows regedit.exe tool or Task Manager creation are disabled. Firewall rules are added to let Sality access the network and the Security Center, among other things, is disabled.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2010BFR897,
   editor = {Symantec},
   author = {Nicolas Falliere},
   title = {All-in-one malware: an overview of Sality},
   date = {07},
   month = May,
   year = {2010},
   howpublished = {\url{}},