Thursday, July 12, 2012

Sality, an Ultimate Virus Strain

We were recently infected by this virus, which first manifested in our Payroll Department. Sometimes, because the payroll staff are rushing, they fail to give us the flash drives coming from the banks for cross-checking and cleaning before plugging them into their own machines.

However, after the fortnight was over and I started working on the infected units, I got a very big surprise: this virus no longer behaves the way I expected from past experience. It seems to have grown more sophisticated, because I tried these things:

a.  Cleaning an infected unit by itself, which in some cases of other malware I am able to do: no dice.

b.  Removing the hard drive and plugging it into another unit for safer and faster cleaning: the virus immediately came back.

c.  Completely repartitioning, reformatting and installing everything fresh...

And yet, despite an anti-virus being installed on that freshly repartitioned, reformatted and reinstalled unit, within hours I realized that the unit was infected again via the LAN, and the malware was even able to circumvent and disarm the antivirus that was installed, the same one I had used to clean it in the first place.



Since it was Saturday, I decided to bring the virus home with me (yes, I am bold and foolish enough to do such things). I disabled the antivirus on my laptop so I could copy the folder where the infected exes are, then immediately performed a forced shutdown of my laptop (pressed the power button long enough) so that any processes would be killed instantly; and went home.

When I reached home, I booted the unit, checked my antivirus icon, and it showed the fully protected logo; so far so good. I performed a full scan. It was able to repair the infected files in that folder and found no further infection.

Early the next day I did a full scan again and got the surprise of the day: the very same files were detected as infected again, by the same strain, and the antivirus cleaned them again. I ignored it and decided to continue my development work while waiting for my antivirus to pop up a new detection; if none came, I planned to do another full scan later. Then I noticed my laptop starting to slow down, and when I looked at the antivirus icon I saw that it was now disarmed. It was able to infect even the running anti-virus processes! Darn, I need to do further research on this one.

Similar Attitude:

I have seen this behavior before, where a virus rides along with the processes of an anti-virus to infect further. The anti-virus' action is really just a delayed reaction: the antivirus scans a file and finds it clean, then the virus riding on its back immediately infects it again, and because the antivirus is already scanning the next file, that infection goes unnoticed. On the next scan it finds the file infected and repairs it again, but afterwards it is immediately infected again. The antivirus in this case is a step behind, so to speak. The same style is shown by Brontok, also known as RontokBro.
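One way to catch the "cleaned, then silently re-infected" pattern described above, as an added example that is not from the original post: hash every executable right after a disinfection pass, hash them again a little later, and report any that changed. A changed file with no software update in between is evidence that a resident infector is still writing files behind the scanner. The folder, file types and the bytes appended in the demo are constructed for the demonstration.

```python
# Added example (not from the original post): detect the "re-infected after
# cleaning" pattern by hashing executables twice and reporting any that changed.
import hashlib
import tempfile
from pathlib import Path

# Constructed set of file types to watch; extend to suit the environment.
EXE_SUFFIXES = {".exe", ".scr", ".dll"}


def snapshot(root: Path) -> dict:
    """Map every executable under root to its SHA-256 digest."""
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in EXE_SUFFIXES:
            rel = str(path.relative_to(root))
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def changed_files(before: dict, after: dict) -> list:
    """Files whose digest differs between snapshots, or that appeared later.

    A non-empty list shortly after a disinfection pass, with no legitimate
    update in between, points to a resident infector rewriting files while
    the scanner has already moved on to the next file.
    """
    return sorted(name for name, digest in after.items()
                  if before.get(name) != digest)


def demo() -> list:
    """Constructed scenario: a 'cleaned' folder, then one file modified."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.exe").write_bytes(b"MZ clean program image")
        (root / "notes.txt").write_bytes(b"not executable, ignored")
        baseline = snapshot(root)  # taken right after the cleaning pass
        # Stand-in for a resident infector modifying the file after the scan.
        with open(root / "payroll.exe", "ab") as f:
            f.write(b"\x00CONSTRUCTED-CHANGE")
        return changed_files(baseline, snapshot(root))


if __name__ == "__main__":
    print("changed since cleaning:", demo())
```

Run the two snapshots against a real machine a few minutes apart, with no installs in between, and anything listed deserves a look before trusting the next "clean" scan result.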

Research Results:

Sality originally simply attached itself to an exe so it could spread, and was first detected in 2003 in Russia. The original Sality malware could be easily repaired by anti-viruses. New generations of this virus, however, have morphed (or should I say the developer has made it more complex) so that it now has added features beyond the file infector: trojan, backdoor, keylogger, rootkit and downloader components. Lately new variants even show botnet functionality and the ability to communicate over a decentralized P2P network.

Symantec investigated those new variants, identifying their pyramid structure, where the botnet component serves to provide an encrypted and always up-to-date list of URLs from which the downloader can get new malicious code; that is Sality's final goal, the US company says. Sality's botnet protocol, Symantec senior software engineer Nicolas Falliere writes, contacts an initial peer list of at most 1000 entries embedded within the virus body, searching for an active client able to communicate correctly with the bot.

And would you believe that, as long as it can reach the web, it is able to update itself?

According to researchers working with the Bkav Security Company, over 4.2 million PCs across Vietnam were infected by the W32.Sality.PE virus during 2011, with a mean of 11,000 PCs being newly infected every day. Also, fresh malware strains that surfaced counted an estimated 38,961, reports SOHA THONG TIN on January 12, 2012.

Some Interesting Related Articles:

Sality Botnet Takedown Plans
Please do not take down Sality botnet
Do-it-yourself plan to take down Sality botnet

Tool of the trade:

Luckily, I was able to find a very good tool on the net, created by Kaspersky, which is simply called SalityKiller.exe.

The SalityKiller.exe utility runs in DOS mode and allows detecting and disinfecting only the following Sality modifications: Virus.Win32.Sality.aa, Virus.Win32.Sality.ae, Virus.Win32.Sality.ag, Virus.Win32.Sality.bh.

I got lucky because mine is Virus.Win32.Sality.aa. I installed it on every unit and performed cleaning, and now we are free of that strain. Had I not acted sooner, I believe that with this virus' capability to upgrade itself, I would be stuck with another version which SalityKiller is not yet able to fix.

If you are having that Sality problem on your end, act now; please check this site and get the tool here: http://support.kaspersky.com/faq/?qid=208279889

Good luck!
