Sality

Original Issue Date:- December 06, 2012
Virus Type:- Trojan/Backdoor
Severity:- High

It has been observed that new variants of the malware "Sality" are propagating widely. This malware infects the Microsoft Windows operating system and may communicate over a peer-to-peer (P2P) network for the following purposes:

  • Spam relay
  • Proxy
  • Exfiltrating sensitive information/data
  • Installing a trojan backdoor
  • Installing a key logger
  • Compromising web servers
  • Coordinating distributed computing tasks (e.g. password cracking)

Sality is a polymorphic file-infecting malware, targeting Windows executable files with the extensions .EXE and .SCR on the local system, removable drives and remote shared drives/folders. It has a downloader mechanism which downloads and executes additional malware via a URL list received over a peer-to-peer (P2P) botnet. It also attempts to disable security software.

Aliases: W32/Sality, W32.HLLP.Sality, Win32.Sality, WinNT/Sality, Virus:Win32/Sality, Worm:Win32/Sality, TrojanDropper:Win32/Sality, Trojan:WinNT/Sality, Mal/Sality-PE_SALITY, Gen:Win32.Sality, Troj/SalLoad, W32/Kookoo-(Sophos), Virus:Win32/Sality.AT (Microsoft), W32/Sality.B.gen!Eldorado (Command), W32/Sality.AT (Avira), Win32/Sality.AA (CA), Win32.Sector.21 (Dr.Web), Win32/Sality.NBA (ESET), Trojan.Win32.Vilsel.vyy (Kaspersky), W32/Sality.gen.e (McAfee), W32/Sality.BD (Norman), W32/Spamta.QO.worm (Panda), Win32.KUKU.kj (Rising AV), Troj/SalLoad-A (Sophos), PE_SALITY.BA (Trend Micro)

Symptoms of possible infection:

The following system changes may indicate the presence of this malware:

  • Sudden termination of certain security-related applications, processes or services
  • Inability to run Windows Registry Editor
  • User lockouts
  • Traffic on port 445 on non-Directory Service servers
  • No access to admin shares
  • Autorun.inf files in recycled directory
  • The presence of the following driver:
    • %SystemRoot%\system32\drivers\amsint32.sys
  • Failure of certain security-related applications to run, due to deletion of installed components such as files with the following extensions:
    • .AVC
    • .VDB

Installation

Some variants of Sality drop a DLL, for example:

  • %SYSTEM%\wmdrtc32.dll
  • %SYSTEM%\wmdrtc32.dl_

The DLL file contains the bulk of the virus code. The file with the extension ".dl_" is the compressed copy. Some variants of Sality drop a device driver such as the following:
%SystemRoot%\system32\drivers\amsint32.sys - Trojan:WinNT/Sality

It creates and starts a system service to run the dropped driver component. Later it communicates with the driver component to restore the System Service Dispatch Table (SSDT).
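As an added defender-side example (not part of the advisory), the following Python checks a host file listing for the dropped components and the recycle-bin autorun.inf named in the symptoms and installation sections above, and scans firewall log lines for port 445 connections to hosts that are not known Directory Service servers. The recycle-bin folder names, the log line format and all sample data are assumptions constructed for the example.

```python
import re
from typing import Iterable, List, Set

# Dropped components named in the advisory, matched as lower-cased path
# suffixes so any drive letter or %SystemRoot% location is covered.
DROPPED_SUFFIXES = (
    r"\system32\drivers\amsint32.sys",
    r"\system32\wmdrtc32.dll",
    r"\system32\wmdrtc32.dl_",
)
# "Autorun.inf in a recycled directory"; the folder names are an assumption
# covering the usual Windows recycle-bin directory names.
RECYCLED_AUTORUN = re.compile(
    r"\\(recycler|recycled|\$recycle\.bin)\\.*autorun\.inf$", re.IGNORECASE)
# Constructed log line format "<src> <dst> <dport>", not any product's format.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")

def check_host_files(paths: Iterable[str]) -> List[str]:
    """Return a finding for each dropped component or recycle-bin autorun.inf."""
    findings = []
    for path in paths:
        lower = path.lower()
        if any(lower.endswith(suffix) for suffix in DROPPED_SUFFIXES):
            findings.append(f"dropped component present: {path}")
        elif RECYCLED_AUTORUN.search(path):
            findings.append(f"autorun.inf in recycle directory: {path}")
    return findings

def flag_smb_to_non_dc(log_lines: Iterable[str], dc_hosts: Set[str]) -> List[str]:
    """Flag TCP/445 connections to hosts that are not known Directory Service servers."""
    suspects = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m and m.group(3) == "445" and m.group(2) not in dc_hosts:
            suspects.append(f"{m.group(1)} -> {m.group(2)}:445")
    return suspects

# Constructed sample data for a stand-alone run.
SAMPLE_PATHS = [r"C:\Windows\system32\drivers\amsint32.sys",
                r"C:\Windows\system32\kernel32.dll",
                r"E:\RECYCLER\S-1-5-21-1\autorun.inf",
                r"C:\WINDOWS\SYSTEM32\WMDRTC32.DL_"]
SAMPLE_LOG = ["10.0.0.12 10.0.0.5 445",   # to a domain controller: expected
              "10.0.0.12 10.0.0.77 445",  # to a workstation: flag it
              "10.0.0.12 10.0.0.77 443"]

if __name__ == "__main__":
    for f in check_host_files(SAMPLE_PATHS) + flag_smb_to_non_dc(SAMPLE_LOG, {"10.0.0.5"}):
        print(f)
```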

For details regarding propagation methods and payload, refer to the following document:
CERT-In Virus Alert - Virus: Win32/Sality

Downloads arbitrary files

Some Sality variants attempt to download files from remote servers, then decrypt and execute the downloaded files. The servers observed include the following (this should not be treated as a comprehensive list; replace "[d0t]" with "."):


Countermeasures

  • Disable the Autorun functionality in Windows (http://support.microsoft.com/kb/967715)
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures at desktop and gateway level.
  • Do not follow unsolicited web links or attachments in email messages.
  • Exercise caution while visiting links to Web pages.
  • Do not visit untrusted websites.
  • Use strong passwords and also enable password policies.
  • Enable firewall at desktop and gateway level.
  • Protect yourself against social engineering attacks.
  • Monitor systems making connections to the above-mentioned domains
  • Monitor traffic for the above-mentioned domain names
  • Monitor or block traffic on port 445 on non-Directory Service servers

Removal tools: