Sality, the virus that turned into the ultimate malware

May 29, 2010 · Filed Under News, Security 

Computer threats are continuously evolving, and some even claim they have made the leap from machine to man by infecting RFID microchips implanted under the skin. Yet even while they remain a “simple” IT issue, some malicious codes are hard to tackle because of their inherent complexity and an intelligent design that keeps security companies under constant pressure. A remarkable example of such an “intelligent” threat is Sality, a new-generation file virus that, according to Symantec, has practically turned into an “all-in-one” malware, incorporating botnet-like functionality as well.

First seen in Russia in 2003, Sality has gradually changed from a traditional file virus - a “historical” type of malware that spreads by using an executable vector such as a program file - into a complex menace combining virus, trojan, backdoor, keylogger, rootkit and downloader features. Recently Sality gained one of the features it was still lacking, when variants of the virus appeared with botnet functionality and the ability to communicate over a decentralized peer-to-peer network.

Symantec investigated those new variants and identified their pyramid structure, in which the botnet component serves to provide an encrypted, always up-to-date list of URLs from which the downloader can fetch new malicious code - which, the US company says, is Sality’s final goal. Sality’s botnet protocol, Symantec senior software engineer Nicolas Falliere writes, contacts an initial list of at most 1,000 peers embedded in the virus body, looking for an active client able to communicate correctly with the bot.


Once it has set up a communication channel, Sality checks whether the peer has an updated “package” of URLs to hand to the downloader component; otherwise, if the local package is newer than the contacted peer’s, it provides its own URL list. It also instructs the peer to send the IP address and port of another client available on the botnet. This way Sality constantly updates (and carries in every single infected executable file) both the list of remote addresses from which to download payloads and the list of active bots.

The P2P mechanism employed by Sality uses the UDP protocol and listens directly on network interfaces, two traits that greatly decrease its effectiveness in the not-so-uncommon case where the infected system sits behind a firewall or a router. Even considering this important flaw, Symantec says, “Sality is a complex and complete threat” equipped with almost every malicious code feature, incorporating an “advanced file infector, efficient security products disabler, and flexible and decentralized P2P capabilities to propagate URLs and avoid static DNS or IP lockdown by authorities”.

From an analysis performed with a “rogue P2P client” coded to join the malicious network, Symantec has determined that the Sality botnet covers something like 100,000 computers: a bot count below that of giants like Conficker, but similar in size to other botnets such as Storm, Pandex and Rustock. What remains clear is the demonstration of Sality’s unique threat, a malware that has been floating around for seven years and shows no intention of quickly disappearing from the net.
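The package exchange described above and the crawl a measurement client such as Symantec’s “rogue P2P client” performs to count peers, modelled as an added Python example (not Symantec’s code and not derived from any Sality sample). The network, addresses, package versions and URL strings are constructed placeholders; peer 10.0.0.4 models a client behind a firewall or router that never answers a UDP probe.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Peer:
    version: int            # version number of the URL "package" this client holds
    urls: list              # the package itself (placeholder strings, not real URLs)
    known: list = field(default_factory=list)  # other clients it can hand out
    reachable: bool = True  # False models a client behind NAT/firewall: no UDP reply

# Constructed network for the example; keys are (ip, port) tuples, all invented.
NETWORK = {
    ("10.0.0.1", 5000): Peer(2, ["pkg-v2/a"], [("10.0.0.2", 5000), ("10.0.0.9", 5000)]),
    ("10.0.0.2", 5000): Peer(3, ["pkg-v3/a", "pkg-v3/b"], [("10.0.0.3", 5000)]),
    ("10.0.0.3", 5000): Peer(1, ["pkg-v1/a"], [("10.0.0.1", 5000), ("10.0.0.4", 5000)]),
    ("10.0.0.4", 5000): Peer(3, ["pkg-v3/a", "pkg-v3/b"], reachable=False),
    ("10.0.0.9", 5000): Peer(2, ["pkg-v2/a"], [("10.0.0.2", 5000)]),
}

def exchange(local_version, local_urls, addr, push=True):
    """One request to the client at `addr`: the newer package wins (the peer
    receives ours only if ours is newer and `push` is set) and the peer hands
    back other clients it knows. Returns (version, urls, next_peers) or None."""
    peer = NETWORK.get(addr)
    if peer is None or not peer.reachable:
        return None
    if peer.version > local_version:             # peer holds a newer package: take it
        local_version, local_urls = peer.version, list(peer.urls)
    elif push and local_version > peer.version:  # ours is newer: give it to the peer
        peer.version, peer.urls = local_version, list(local_urls)
    return local_version, local_urls, list(peer.known)

def crawl(seed_peers):
    """Breadth-first walk from the embedded seed list, as a measurement client
    would do it: push nothing, just record who answers, who stays silent, and
    the newest package seen. Returns (responding, silent, version, urls)."""
    queue, seen = deque(seed_peers), set(seed_peers)
    responding, silent = set(), set()
    version, urls = 0, []
    while queue:
        addr = queue.popleft()
        result = exchange(version, urls, addr, push=False)
        if result is None:
            silent.add(addr)
            continue
        version, urls, more = result
        responding.add(addr)
        for nxt in more:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return responding, silent, version, urls
```

Starting from the single embedded seed 10.0.0.1, the crawl reaches four responding clients, records the firewalled one as silent, and ends up holding the version 3 package that only two of the peers had.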


Comments

4 Responses to “Sality, the virus that turned into the ultimate malware”

  1. Joe on May 29th, 2010 7:24 am

    There is a lot of development that could be done to decentralize and prevent the shutting down or tracking down of the networks or network operators. It amazes me P2P is so underdeveloped to this day. Theoretically one could use UDP to contact random other IP addresses requesting them to respond if they are also a part of the network. You only need 1% of the IP addresses to be running the P2P software and then the first time the software was installed the client software would scan a 100 or so IP addresses at random. It would find another then get a list of peers that it knows about and so on. No need for a central server. As long as you have enough people running P2P software on non-firewalled clients they can act as super peers. Until you have enough of an install base you just have to include a list of IP addresses to try. It only needs to get the list once and as long as the person connected once in a while to other peers they shouldn’t have to scan this slow way. A virus could do the same thing. The hard part might be preventing ISPs from interfering - at which point you need to disguise it - but I think that wouldn’t be hard either really. You just must use other standard P2P protocols that do the same thing. If they block your virus they block P2P and that would piss off legitimate customers. Even if ISPs blocked the scanning mechanism you could probably just degrade it a lot. It might take 48 hours to scan 100 peers - but you eventually will get what you want.

  2. Sir Arthur, King of Ghouls'n Ghosts on May 29th, 2010 8:25 pm

    And your point is…?

  3. Aws on August 29th, 2010 6:37 pm

    Hell, I just scanned my PC with Kaspersky2010 and found 38 Sality shits!

    DAMN SALITY MAKER

  4. RotomPlasma on February 20th, 2011 5:25 pm

    Dang… My own computer is fine, but the backup drive that I share with my family has 30 sality viruses… ._.
