Sality virus, the evolution of a species
The numbers leave no doubt: today the main threats to computer security come from worms, trojans and backdoors, categories of malicious code that have nothing to do with the historical "viruses". Yet the digital parasites that travelled from file to file (and from floppy to floppy) hunting for new habitats and new victims still survive today, in an era when malware is a business and worm-based botnets command a frightening number of zombie PCs to turn against institutions, companies or the network infrastructure of entire nations.
To be clear, a file virus is a completely different beast from a trojan or a worm: unlike those self-contained malicious programs, a virus needs a host in order to replicate and activate, an executable to which it attaches itself by modifying the file's structure and its normal flow of instructions (typically by redirecting the program's entry point to the viral code) so that it gains control as soon as the infected file is run.
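The entry-point redirection described above is something a triage check can look for. The following Python script is an added example written for this article, not code from the original page or from Avira: it parses the PE headers of a Windows executable using only the standard library and flags an entry point that falls outside the first executable section, inside an appended last section, or inside a section that is both writable and executable. The `build_pe` helper and the two sample images it produces are constructed for illustration only; they are header-only stubs, not real binaries and not Sality samples.

```python
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return the entry-point RVA and the section table of a PE image (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
        off += 40
    return {"entry_rva": entry_rva, "sections": sections}


def entry_point_findings(data):
    """Heuristics for an entry point that no longer points at the program's own code."""
    pe = parse_pe(data)
    ep, secs = pe["entry_rva"], pe["sections"]
    findings = []
    home = None
    for s in secs:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"]):
            home = s
            break
    if home is None:
        findings.append("entry point 0x%x lies outside every section" % ep)
        return findings
    exec_secs = [s for s in secs if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if exec_secs and home is not exec_secs[0]:
        findings.append("entry point is in %s, not the first executable section %s"
                        % (home["name"], exec_secs[0]["name"]))
    if len(secs) > 1 and home is secs[-1]:
        findings.append("entry point is in the last section %s (typical of appended code)"
                        % home["name"])
    if home["chars"] & IMAGE_SCN_MEM_WRITE and home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is writable and executable" % home["name"])
    if not home["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not flagged as containing code" % home["name"])
    return findings


def build_pe(entry_rva, sections):
    """Build a header-only PE32 image for testing. Constructed sample, not a real binary."""
    opt_size = 0xE0  # PE32 optional header with 16 data directories
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)    # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize,
                                0, 0, 0, 0, 0, chars)
                    for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
CLEAN_SECTIONS = [(b".text", 0x1000, 0x2000, CODE),
                  (b".rdata", 0x3000, 0x1000, IMAGE_SCN_MEM_READ),
                  (b".data", 0x4000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
# Constructed clean layout: entry point inside .text.
CLEAN_SAMPLE = build_pe(0x1200, CLEAN_SECTIONS)
# Constructed parasitized layout: an RWX section appended at the end, entry point moved into it.
SUSPECT_SAMPLE = build_pe(0x5100, CLEAN_SECTIONS + [
    (b".zz", 0x5000, 0x2000, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    items = [("constructed clean sample", CLEAN_SAMPLE),
             ("constructed suspect sample", SUSPECT_SAMPLE)]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            items.append((path, fh.read()))
    for label, blob in items:
        print(label)
        for finding in entry_point_findings(blob) or ["no entry-point anomalies"]:
            print("  -", finding)
```

Run it as `python pe_entry_check.py file.exe ...`; with no arguments it scans the two constructed samples. A hit is a triage signal, not a verdict: packers such as UPX also move the entry point into a last, unusually flagged section, so a flagged file still has to be compared against a known-good copy or checked for a valid Authenticode signature before being called infected.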
Although modern generations of malware have essentially abandoned this approach in favor of different patterns (paradoxically even more primitive than the first historical viruses), classic parasitic infection survives in a handful of malicious code families. Sality is one of them, and far from being a leftover from the past written by amateurs, it is a perfect example of how advanced malware writing is today: faithful to tradition, yet potentially even more damaging than an epidemic worm like Conficker.
Sality is a polymorphic file virus that rewrites its own code at each new infection in an attempt to evade antivirus recognition, an old trick to which it adds the ability to spread across the network, disable Windows Security Center warnings and bypass the system firewall. As Dirk Knop, technical editor at the German security firm Avira, writes, Sality is "a real threat" whose spread is helped by the periodic appearance of new variants which, on top of basic polymorphism, add different payloads such as the installation of keyloggers, backdoors and rootkits, or the download of additional components from the net.
Moreover, the Sality authors keep making the malware's mutation capabilities more complex, which has prompted Avira to "develop removal routines for a lot of variants" that AntiVir identifies under the generic definition W32/Sality.Y. Restoring full functionality to a parasitized file is in any case no trivial matter, and Knop warns that "today it's not possible to properly restore all the original binaries as for example digital signatures might get broken by the malware infection". In practice, a signed executable whose signature no longer verifies after cleaning should be replaced from original installation media or a known-good copy rather than trusted as restored.
The difficulties an antivirus faces when dealing with a system infected by a parasite like Sality had already been covered by Markus Hinderhofer of Avira's Engine Core R&D team, who pointed out how polymorphic viruses tend to irreparably damage many "host" files, often forcing a reinstallation of the operating system.
According to Knop's recommendations, however, any attempt to clean the system of a Sality infection "should be done using our Rescue CD which also includes the updated engine. This is due to the fact that it's not possible to kill all processes at runtime to get hold of the binary files and disinfect them". It is always good practice, Knop says, to clean the system from the external Linux-based Rescue CD environment, since in that case the malware is inactive while the machine boots and the antivirus initializes, so no infected process can re-infect files as they are being repaired.