The Sality botnet
| Field | Value |
|---|---|
| Botnet | Maazben, Storm, Pandex, Rustock |
| Malware | Sality |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | P2P |
| Date | 14 May 2010 |
| Editor/Conference | Symantec |
| Link | http://www.symantec.com/connect/blogs/sality-botnet (Archive copy) |
| Author | Nicolas Falliere |
| Type | |
Abstract
“ As discussed in a previous blog entry, Sality-infected computers become part of a peer-to-peer (P2P) botnet. This botnet is used by peers to exchange lists of URLs pointing to malicious software, which Sality will decrypt, download and install.
Though the peer-to-peer protocol used by Sality is custom, we can reverse-engineer the malware binary to determine the P2P packet format, as well as protocol rules and features. Traffic analysis can be used to facilitate or guide a white box approach. Eventually, writing a working P2P client and/or server can be used to validate the analysis.
I decided to create a rogue P2P client that would join the Sality botnet and crawl it, in order to estimate its size.
Let’s do a quick reminder of what the P2P protocol offers:
- A peer can ask another peer for its list of URLs.
- A peer can send its list of URLs to another peer.
- A peer can ask another peer to send the coordinates (IP, port) of a third-party peer.”
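The three peer operations and the crawl described in the quoted post, as an added simulation (example code written for this page, not Symantec's or Falliere's). Only the three operations come from the post: the in-memory method calls standing in for messages, the round-robin hand-out of peer addresses, the constructed sample network and the `example.invalid` URLs are assumptions, and nothing here reproduces Sality's real packet format. The example goes one step beyond the post by separating addresses a crawler merely hears about from peers that actually answer, which is the distinction a size estimate hinges on.

```python
"""Simulated crawl of a Sality-style P2P botnet (added example, not Symantec's code).

Only the three operations come from the post. The in-memory "messages", the
round-robin peer hand-out and the sample network are assumptions made for this
simulation; they are not Sality's real packet format or peer-selection policy.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Addr = Tuple[str, int]  # a peer's "coordinates": (IP, port)


@dataclass
class Peer:
    addr: Addr
    urls: Set[str] = field(default_factory=set)
    known: List[Addr] = field(default_factory=list)  # this peer's own peer list
    cursor: int = 0  # assumption: known peers are handed out round-robin

    def handle_get_urls(self) -> Set[str]:
        """Operation 1: another peer asks for our URL list."""
        return set(self.urls)

    def handle_push_urls(self, urls: Set[str]) -> int:
        """Operation 2: another peer sends us its URL list; returns how many were new."""
        new = urls - self.urls
        self.urls |= new
        return len(new)

    def handle_get_peer(self) -> Optional[Addr]:
        """Operation 3: another peer asks for the coordinates of a third-party peer."""
        if not self.known:
            return None
        a = self.known[self.cursor % len(self.known)]
        self.cursor += 1
        return a


def exchange_urls(a: Peer, b: Peer) -> int:
    """a pulls b's list, then pushes its own; returns the number of URLs new to either side."""
    return a.handle_push_urls(b.handle_get_urls()) + b.handle_push_urls(a.handle_get_urls())


def build_network(n_ring: int, n_isolated: int, n_dead: int) -> Dict[Addr, Peer]:
    """Constructed sample network (not real data): a ring of n_ring peers that each know
    the next two peers, n_isolated live peers nobody advertises, and n_dead addresses
    advertised by the first ring peers but not online."""
    def addr(i: int) -> Addr:
        return (f"10.0.{i // 256}.{i % 256}", 1024 + i)

    ring = [addr(i) for i in range(n_ring)]
    dead = [addr(n_ring + n_isolated + i) for i in range(n_dead)]
    peers: Dict[Addr, Peer] = {}
    for i, a in enumerate(ring):
        known = [ring[(i + 1) % n_ring], ring[(i + 2) % n_ring]]
        if i < n_dead:
            known.append(dead[i])
        peers[a] = Peer(a, urls={f"http://example.invalid/{i}.bin"}, known=known)
    for i in range(n_isolated):
        a = addr(n_ring + i)
        peers[a] = Peer(a, urls={f"http://example.invalid/iso{i}.bin"})
    return peers


def crawl(peers: Dict[Addr, Peer], seed: Addr, queries_per_peer: int) -> Tuple[Set[Addr], Set[Addr]]:
    """Rogue client: breadth-first walk asking every reachable peer for third-party
    coordinates queries_per_peer times. Returns (advertised, responsive): an address
    only ever learned from others that never answers is advertised, not responsive."""
    advertised, responsive = {seed}, set()
    queue = deque([seed])
    while queue:
        a = queue.popleft()
        peer = peers.get(a)  # stands in for "connect to a"; None means offline
        if peer is None:
            continue
        responsive.add(a)
        for _ in range(queries_per_peer):
            other = peer.handle_get_peer()
            if other is not None and other not in advertised:
                advertised.add(other)
                queue.append(other)
    return advertised, responsive


def estimate(n_ring: int = 40, n_isolated: int = 10, n_dead: int = 5,
             queries_per_peer: int = 4) -> Dict[str, int]:
    """Size estimate from one crawl of the sample network, starting at the first ring peer."""
    peers = build_network(n_ring, n_isolated, n_dead)
    advertised, responsive = crawl(peers, next(iter(peers)), queries_per_peer)
    return {"online": len(peers), "advertised": len(advertised), "responsive": len(responsive)}


def url_exchange_demo() -> Tuple[int, int]:
    """Two peers exchange URL lists twice; the second exchange finds nothing new."""
    a, b = build_network(2, 0, 0).values()
    return exchange_urls(a, b), exchange_urls(a, b)


if __name__ == "__main__":
    print(estimate())           # {'online': 50, 'advertised': 45, 'responsive': 40}
    print(url_exchange_demo())  # (2, 0)
```

With the default sample network the crawl reports 45 advertised and 40 responsive addresses although 50 peers are online: the five dead addresses inflate the first number, and the ten isolated peers are invisible to a crawler that can only follow what other peers advertise. A real crawl has the same two error bars, so a size figure should state which of the two counts it is.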
Bibtex
@misc{2010BFR896,
  editor = {Symantec},
  author = {Nicolas Falliere},
  title = {The Sality botnet},
  day = {14},
  month = May,
  year = {2010},
  howpublished = {\url{http://www.symantec.com/connect/blogs/sality-botnet}},
}