Sality
Sality is the classification for a family of malicious software, which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.
Aliases
The majority of antivirus vendors use the following naming conventions when referring to this family of malware:
- Sality
- SalLoad
- Kookoo
- SaliCode
- Kukacka
Malware Profile
Summary
Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .EXE or .SCR. Sality uses polymorphic and entry-point obscuring techniques to infect files as follows: it does not change the entry point address of the host; it replaces the original host code at the entry point of the executable with a variable stub that redirects execution to the polymorphic viral code, which has been inserted in the last section of the host file; the stub decrypts and executes a secondary region, known as the loader; finally, the loader runs in a separate thread within the infected process to eventually load the Sality payload. Sality may execute a malicious payload that deletes files with certain extensions and/or beginning with specific strings, terminates security-related processes and services, searches a user's address book for e-mail addresses to send spam messages, and contacts a remote host. Sality may also download additional executable files to install other malware, and to propagate pay-per-install applications. Sality may contain Trojan components; some variants may be able to steal sensitive personal or financial data, generate and relay spam, relay traffic via HTTP proxies, infect web sites, carry out distributed computing tasks such as password cracking, and perform other actions.
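The infection layout described above (entry point unchanged, a stub at the entry point, viral code appended to the last section) leaves a shape that can be checked from the PE headers alone. The following Python script is an added example for this article, not code from any antivirus vendor; it parses the section table of a PE32 image and flags files whose last section is both writable and executable while the entry point sits in an earlier section. It assumes the appended code region is marked writable and executable, which the article does not state explicitly, and the `build_pe` helper and the two sample layouts are constructed test data rather than real infected files. Packers produce the same shape, so the result is a triage signal rather than a verdict.

```python
import struct

# Section characteristic flags from the PE format (winnt.h values)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, [section dicts]) read from the headers of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                 # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                     # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size                  # section table follows the optional header
    for _ in range(nsec):
        name, vsize, vaddr, _rsz, _rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"),
                         "va": vaddr, "vsize": vsize, "chars": chars})
        off += 40                                       # sizeof(IMAGE_SECTION_HEADER)
    return entry_rva, sections


def triage_pe(data):
    """Heuristic (assumption, not from the article): a last section that is writable
    and executable while the entry point lives in an earlier section matches the
    shape an entry-point obscuring infector leaves behind."""
    entry_rva, sections = parse_pe(data)
    entry_sec = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    last = sections[-1]
    wx_mask = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    last_wx = (last["chars"] & wx_mask) == wx_mask
    return {
        "entry_section": entry_sec["name"] if entry_sec else None,
        "last_section": last["name"],
        "last_section_wx": last_wx,
        "suspicious": last_wx and entry_sec is not None and entry_sec is not last,
    }


def build_pe(sections, entry_rva):
    """Construct a headers-only PE32 image for testing (no code inside).
    sections: (name, virtual_address, virtual_size, characteristics)."""
    opt_size, e_lfanew = 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva)   # entry at offset 16
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed samples: an ordinary layout, and one whose last section has been
# made writable+executable while the entry point still points into .text.
CLEAN_PE = build_pe([
    (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x1000)

SUSPECT_PE = build_pe([
    (b".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x3000, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                                | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
], entry_rva=0x1010)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, triage_pe(blob))
```

On a real host the same `triage_pe` would be run over the bytes of each .EXE and .SCR file, with hits cross-checked against the file's size and hash from a known-good baseline, since the article notes that infected files grow by a varying amount.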
Sality’s downloader mechanism downloads and executes additional malware as listed in the URLs received using the peer-to-peer component. The distributed malware may share the same “code signature” as the Sality payload, which may provide attribution to one group and/or that they share a large portion of the code. The additional malware typically communicates with and reports to central command and control servers located throughout the world. According to Symantec, the "combination of file infection mechanism and the fully decentralized peer-to-peer network make Sality one of the most effective and resilient malware in today's threat landscape."
Two versions of the botnet are currently active, versions 3 and 4. The malware circulated on those botnets is digitally signed by the attackers to prevent hostile takeover. In recent years, Sality has also included the use of rootkit techniques to maintain persistence on compromised systems and evade host-based detections, such as anti-virus software.
Installation
Sality infects files in the affected computer. Most variants use a DLL that is dropped once on each computer. The DLL file is written to disk in two forms, for example:
- %SYSTEM%\wmdrtc32.dll
- %SYSTEM%\wmdrtc32.dl_
Method of Propagation
File infection
Sality usually targets all files in drive C: that have .SCR or .EXE file extensions, beginning with the root folder. Infected files increase in size by a varying amount. The virus also targets applications that run at each Windows start and frequently used applications, referenced by the following registry keys:
- HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The virus avoids infecting the following:
- Files protected by System File Checker
- Files under the %SystemRoot% folder
- Executables of several antivirus/firewall products, by ignoring files that contain certain substrings
Removable drives and network shares
Some variants also copy themselves to available removable/remote drives and network shares, using files with the following extensions:
- \ .pif
- \ .exe
- \ .cmd
Payload
- Sality may inject code into running processes by installing a message hook
- Sality commonly searches for and attempts to delete files related to antivirus updates and terminate security applications, such as antivirus and personal firewall programs; attempts to terminate security applications containing the same strings as the files it avoids infecting; and may also terminate security-related services and block access to security-related websites that contain certain substrings
- Sality variants may modify the computer registry to lower Windows security, disable the use of the Windows Registry Editor and/or prevent the viewing of files with hidden attributes; some Sality variants recursively delete all registry values and data under the registry subkeys HKCU\System\CurrentControlSet\Control\SafeBoot and HKLM\System\CurrentControlSet\Control\SafeBoot to prevent the user from starting Windows in safe mode
- Some Sality variants can steal sensitive information such as cached passwords and logged keystrokes, which were entered on the affected computer
- Sality variants usually attempt to download and execute other files including pay per install executables using a preconfigured list of up to 1000 peers; the goal of the P2P network is to exchange lists of URLs to feed to the downloader functionality; the files are downloaded into the Windows Temporary Files folder and decrypted using one of several hardcoded passwords
- Most of Sality's payload is executed in the context of other processes, which makes cleaning difficult and allows the malware to bypass some firewalls; to avoid multiple injections in the same process, a system-wide mutex called ".exeM_ _" is created for every process in which code is injected, which prevents more than one instance from running in memory at the same time
- Some variants of Win32-Sality drop a driver with a random file name in the folder %SYSTEM%\drivers to perform similar functions, such as terminating security-related processes and blocking access to security-related websites, and may also disable any system service descriptor table hooks to prevent certain security software from working properly
- Some Sality variants spread by moving to available removable/remote drives and network shares
- Some Sality variants drop.LNK files, which automatically run the dropped virus
- Some Sality variants may search a user's Outlook address book and Internet Explorer cached files for e-mail addresses and then send spam messages based on information retrieved from a remote server
- Sality may add a section to the configuration file %SystemRoot%\system.ini as an infection marker, contact remote hosts to confirm Internet connectivity, report a new infection to its author, receive configuration or other data, download and execute arbitrary files, receive instructions from a remote attacker, and/or upload data taken from the affected computer; some Sality variants may open a remote connection, allowing a remote attacker to download and execute arbitrary files on the infected computer
- Computers infected with recent versions of Sality, such as Virus:Win32-Sality.AT, and Virus:Win32-Sality.AU, connect to other infected computers by joining a peer-to-peer network to receive URLs pointing to additional malware components; the P2P protocol runs over UDP, all the messages exchanged on the P2P network are encrypted, and the local UDP port number used to connect to the network is generated as a function of the computer name
- Sality may add a rootkit that includes a driver with capabilities such as terminating processes via NtTerminateProcess as well as blocking access to select anti-virus resources by way of IP Filtering; the latter requires the driver to register a callback function, which will be used to determine if packets should be dropped or forwarded
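Several of the host-level artifacts listed in the Installation and Payload sections (the dropped wmdrtc32.dll / wmdrtc32.dl_ pair, emptied SafeBoot registry keys, an extra section in %SystemRoot%\system.ini, and the per-process injection mutex ending in "_") can be checked together during triage. The following Python function is an added example for this article, not a vendor's tool: it runs those checks over a host snapshot that has already been collected into plain data (file listing, registry contents, system.ini text, mutex names). The snapshot here is constructed, the section name [EXAMPLE_MARKER] and mutex "example.exeM_1234_" are placeholders, and the allowlist of expected system.ini sections is an assumption about a default installation.

```python
import configparser

# Indicators taken from the profile above
DROPPED_DLL_NAMES = {"wmdrtc32.dll", "wmdrtc32.dl_"}
SAFEBOOT_KEYS = (
    r"HKCU\System\CurrentControlSet\Control\SafeBoot",
    r"HKLM\System\CurrentControlSet\Control\SafeBoot",
)
# Assumed allowlist of sections a default system.ini carries (lower-cased)
EXPECTED_INI_SECTIONS = {"386enh", "drivers", "mci", "driver32"}


def triage_host(snapshot, expected_ini_sections=EXPECTED_INI_SECTIONS):
    """Return a list of findings for the indicators described in the article.

    snapshot: {"files": [paths], "registry": {key: {value: data}},
               "system_ini": str, "mutexes": [names]}  (collected separately)
    """
    findings = []

    # 1. Dropped DLL written to disk in two forms
    for path in snapshot["files"]:
        if path.rsplit("\\", 1)[-1].lower() in DROPPED_DLL_NAMES:
            findings.append(f"dropped component present: {path}")

    # 2. SafeBoot subkeys emptied to block booting into safe mode
    for key in SAFEBOOT_KEYS:
        if not snapshot["registry"].get(key):
            findings.append(f"SafeBoot key empty or missing: {key}")

    # 3. Extra section added to system.ini as an infection marker
    ini = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    ini.read_string(snapshot["system_ini"])
    for section in ini.sections():
        if section.lower() not in expected_ini_sections:
            findings.append(f"unexpected system.ini section: [{section}]")

    # 4. System-wide injection-marker mutex: contains ".exeM_" and ends in "_"
    for name in snapshot["mutexes"]:
        if ".exeM_" in name and name.endswith("_"):
            findings.append(f"injection-marker mutex: {name}")

    return findings


# Constructed snapshot of a host showing all four indicator classes
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\wmdrtc32.dll",
        r"C:\Windows\System32\wmdrtc32.dl_",
    ],
    "registry": {
        r"HKLM\System\CurrentControlSet\Control\SafeBoot": {},          # emptied
        r"HKCU\System\CurrentControlSet\Control\SafeBoot": {"AlternateShell": "cmd.exe"},
    },
    "system_ini": (
        "; for 16-bit app support\n"
        "[386Enh]\nwoafont=dosapp.fon\n"
        "[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n"
        "[mci]\n[driver32]\n"
        "[EXAMPLE_MARKER]\nx=1\n"          # placeholder for the marker section
    ),
    "mutexes": ["Global\\example.exeM_1234_", "Global\\unrelated_mutex"],   # placeholder name
}

if __name__ == "__main__":
    for finding in triage_host(SAMPLE_SNAPSHOT):
        print(finding)
```

Collecting the snapshot is the part that must be done from a trusted environment, as the Recovery section notes: a live host running the malware can hide the dropped files and filter the registry views that feed this check.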
Recovery
Sality uses stealth measures to maintain persistence on a system; thus, users may need to boot to a trusted environment in order to remove it. Sality may also make configuration changes such as to the Windows Registry, which makes it difficult to download, install and/or update virus protection. Also, since many variants of Sality attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.