Sality


Sality is the name of a family of malicious software that infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer network to form a botnet for the purpose of relaying spam, proxying communications, exfiltrating sensitive data, compromising web servers and/or coordinating processing-intensive distributed computing tasks. Since 2010, certain variants of Sality have also incorporated rootkit functions as part of the ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Aliases

The majority of Antivirus vendors use the following naming conventions when referring to this family of malware:

Summary

Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .EXE or .SCR. Sality uses polymorphic and entry-point obscuring (EPO) techniques to infect files as follows: the entry point address of the host is left unchanged, but the original host code at the entry point is replaced with a variable stub that redirects execution to the polymorphic viral code, which has been inserted in the last section of the host file; the stub decrypts and executes a secondary region, known as the loader; finally, the loader runs in a separate thread within the infected process and eventually loads the Sality payload.
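The infection layout described above (and the "adds a new code section" variant described under File infection below) leaves structural traces that a triage script can look for without running the file: the entry point RVA is unchanged, the first instruction at the entry point is now a near jmp or call into the last section, and that last section has been made executable and writable. The following Python script is an added example written for this page, not code from the page or from any published Sality analysis; it parses the PE headers with the standard library only and applies those three heuristics. The two PE images it examines are constructed in memory, and the stub and "viral" bytes in the infected one are placeholders, not Sality's actual decryptor.

```python
import struct

# Section characteristic flags from the PE/COFF specification
SCN_CODE, SCN_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN = 0x200


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image in memory (a constructed fixture, not a runnable binary).
    sections: list of (name: bytes, rva, data: bytes, characteristics)."""
    opt = bytearray(224)                                  # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, FILE_ALIGN)           # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)  # i386 executable
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, len(dos))             # e_lfanew: PE header right after DOS header
    table, body, raw_off = b"", b"", FILE_ALIGN
    for name, rva, data, flags in sections:
        raw = -(-len(data) // FILE_ALIGN) * FILE_ALIGN    # SizeOfRawData rounded up to FileAlignment
        table += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw, raw_off, 0, 0, 0, 0, flags)
        body += data.ljust(raw, b"\0")
        raw_off += raw
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(FILE_ALIGN, b"\0") + body


def parse_pe(blob):
    """Return (entry_rva, sections) using only struct; the offsets used are common to PE32 and PE32+."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", blob, 60)[0]
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24
    entry = struct.unpack_from("<I", blob, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        name, vsize, rva, rsize, rptr, flags = fields[0], fields[1], fields[2], fields[3], fields[4], fields[9]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "rva": rva,
                         "size": max(vsize, rsize), "raw_ptr": rptr, "flags": flags})
    return entry, sections


def section_for_rva(sections, rva):
    return next((s for s in sections if s["rva"] <= rva < s["rva"] + s["size"]), None)


def sality_like_indicators(blob):
    """EPO heuristics: entry point RVA unchanged but its first instruction is a jmp/call into the
    last section, the entry point itself lies in the last section, or the last section is RWX."""
    entry, sections = parse_pe(blob)
    last, findings = sections[-1], []
    if last["flags"] & SCN_EXEC and last["flags"] & SCN_WRITE:
        findings.append(f"last section {last['name']} is executable and writable")
    ep_sec = section_for_rva(sections, entry)
    if ep_sec is last:
        findings.append(f"entry point lies in last section {last['name']}")
    elif ep_sec is not None:
        off = ep_sec["raw_ptr"] + (entry - ep_sec["rva"])
        if blob[off] in (0xE8, 0xE9):                      # call rel32 / jmp rel32
            target = (entry + 5 + struct.unpack_from("<i", blob, off + 1)[0]) & 0xFFFFFFFF
            if section_for_rva(sections, target) is last:
                findings.append(f"stub at entry point jumps into last section {last['name']} (RVA {target:#x})")
    return findings


# Constructed fixtures: a clean host and the same host after a Sality-style infection.
TEXT_FLAGS = SCN_CODE | SCN_EXEC | SCN_READ
DATA_FLAGS = SCN_DATA | SCN_READ | SCN_WRITE
HOST_CODE = b"\x55\x89\xe5\x90\x90\x90\x90\x5d\xc3"        # push ebp; mov ebp,esp; nops; pop ebp; ret
HOST_DATA = b"\0" * 16
CLEAN = build_pe([(b".text", 0x1000, HOST_CODE, TEXT_FLAGS),
                  (b".data", 0x2000, HOST_DATA, DATA_FLAGS)], entry_rva=0x1000)

VIRAL_CODE = b"\x60\xe8\x00\x00\x00\x00\x5d" + b"\x90" * 25  # placeholder bytes, not Sality's decryptor
VIRAL_RVA = 0x2000 + len(HOST_DATA)                          # appended to the end of the last section
STUB = b"\xe9" + struct.pack("<i", VIRAL_RVA - (0x1000 + 5))  # jmp rel32 overwriting the host's first bytes
INFECTED = build_pe([(b".text", 0x1000, STUB + HOST_CODE[5:], TEXT_FLAGS),
                     (b".data", 0x2000, HOST_DATA + VIRAL_CODE, DATA_FLAGS | SCN_CODE | SCN_EXEC)],
                    entry_rva=0x1000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, sality_like_indicators(image) or "no indicators")
```

None of these heuristics is proof of infection on its own (packers and some linkers also produce RWX last sections), but all three together on a file whose size has grown is a strong triage signal and cheap to run across a whole drive.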
Sality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific strings, terminates security-related processes and services, searches a user’s address book for e-mail addresses to send spam messages, and contacts a remote host. Sality may also download additional executable files to install other malware, including for the purpose of propagating pay-per-install applications. Sality may contain Trojan components; some variants may have the ability to steal sensitive personal or financial data, generate and relay spam, relay traffic via HTTP proxies, infect web sites, carry out distributed computing tasks such as password cracking, as well as other capabilities.
Sality’s downloader mechanism downloads and executes additional malware as listed in the URLs received using the peer-to-peer component. The distributed malware may share the same “code signature” as the Sality payload, which may provide attribution to one group and/or that they share a large portion of the code. The additional malware typically communicates with and reports to central command and control servers located throughout the world. According to Symantec, the "combination of file infection mechanism and the fully decentralized peer-to-peer network make Sality one of the most effective and resilient malware in today's threat landscape."
Two versions of the botnet are currently active, versions 3 and 4. The malware circulated on those botnets is digitally signed by the attackers to prevent hostile takeover. In recent years, Sality has also included the use of rootkit techniques to maintain persistence on compromised systems and evade host-based detections, such as anti-virus software.

Installation

Sality infects files in the affected computer. Most variants use a DLL that is dropped once in each computer. The DLL file is written to disk in two forms, for example:
The DLL file contains the bulk of the virus code. The file with the extension ".dl_" is the compressed copy. Recent variants of Sality, such as Virus:Win32-Sality.AM, do not drop the DLL, but instead load it entirely in memory without writing it to disk. This variant, along with others, also drops a driver with a random file name in the folder %SYSTEM%\drivers. Other malware may also drop Sality onto the computer. For example, a Sality variant detected as Virus:Win32-Sality.AU is dropped by Worm:Win32-Sality.AU. Some variants of Sality may also include a rootkit, creating a device with the name \Device\amsint32 or \DosDevices\amsint32.

Method of Propagation

File infection

Sality usually targets all files in drive C: that have .SCR or .EXE file extensions, beginning with the root folder. Infected files increase in size by a varying amount.
The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys:
Sality avoids infecting particular files, in order to remain hidden in the computer:
Some variants of Sality can infect legitimate files and then copy them to available removable drives and network shares. The variant enumerates all network share folders and resources of the local computer and all files in drive C:, and infects the files it finds by adding a new code section to the host and inserting its malicious code into that section. If a suitable legitimate file exists, the malware copies it to the Temporary Files folder, infects the copy, and then moves the resulting infected file to the root of all available removable drives and network shares as any of the following:
The Sality variant also creates an "autorun.inf" file in the root of all these drives that points to the virus copy. When a drive is accessed from a computer supporting the AutoRun feature, the virus is then launched automatically. Some Sality variants may also drop a file with a .tmp file extension to the discovered network shares and resources, as well as drop a .LNK file to run the dropped virus.
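An autorun.inf that launches a copy of the virus is easy to spot once the launch directives are pulled out of the INI text: AutoRun honours open= and shellexecute=, and shell\<verb>\command= entries rewrite the drive's context-menu verbs, including the default action taken on double-click. The script below is an added example for this page (not code from the page or from any Sality sample) that parses an autorun.inf and flags every directive whose program is an executable or shortcut on the medium itself. Both INI texts are constructed for the example; the file name update.exe is hypothetical and not a Sality indicator.

```python
import ntpath

# Extensions AutoRun would hand to the shell for execution; .EXE and .SCR are Sality's host file types,
# and .LNK covers the shortcut-drop behaviour described for network shares.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".lnk"}


def parse_autorun(text):
    """Case-insensitive INI parse of an autorun.inf: {section: {key: value}}.
    Hand-written because the Windows INI reader is case-insensitive and tolerant, unlike configparser."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def launch_targets(text):
    """Return (directive, command) pairs that AutoRun/AutoPlay can execute:
    open=, shellexecute=, and shell\\<verb>\\command= (which hijacks the drive's context-menu verbs)."""
    auto = parse_autorun(text).get("autorun", {})
    return [(k, v) for k, v in auto.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]


def suspicious_entries(text):
    """Flag launch directives whose program is an executable or shortcut on the medium, which is what an
    autorun.inf pointing at a dropped virus copy in the drive root looks like."""
    findings = []
    for directive, command in launch_targets(text):
        program = command.split()[0].strip('"') if command else ""   # first token is the program
        ext = ntpath.splitext(program)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append(f"{directive} runs {program} from the medium")
    return findings


# Constructed samples for this example; file names are hypothetical, not Sality indicators.
BENIGN_AUTORUN = """[autorun]
label=Holiday Photos
icon=photos.ico
"""

HOSTILE_AUTORUN = r"""[AutoRun]
; every launch directive points at the same dropped binary in the drive root
open=update.exe
shellexecute=update.exe
shell\open\command=update.exe
shell\explore\command=update.exe
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for finding in suspicious_entries(HOSTILE_AUTORUN):
        print(finding)
```

The same extraction can be pointed at the root of every removable drive and share during recovery; an autorun.inf whose launch targets all resolve to one freshly written executable in the root, alongside a .LNK or .tmp file, matches the propagation pattern described above.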

Payload

Microsoft has identified dozens of files which are all commonly associated with the malware.
Sality uses stealth measures to maintain persistence on a system; thus, users may need to boot to a trusted environment in order to remove it. Sality may also make configuration changes, such as to the Windows Registry, that make it difficult to download, install and/or update virus protection. Also, since many variants of Sality attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known or possible locations.