Security Community Blog

A live scenario: how W32.Sality infects a user's machine

Created: 23 Apr 2009 • Updated: 23 Apr 2009 • 3 comments

W32.Sality

Overview
W32.Sality is a parasitic virus that infects Windows executable files on local and shared drives by appending its code to the host files. It contains downloader functionality to install further Trojan or keylogger components. Sality also opens a backdoor that allows a remote attacker to take full control of the infected computer, and with it any confidential information stored there, so it represents a serious security risk.

Aliases
Microsoft - Virus:Win32/Sality.AM
Kaspersky - Virus.Win32.Sality.aa

Symptoms
W32.Sality has the following symptoms:

• Modifies system.ini (check its modification date)
• A service listening on a network port
• Unexpected network traffic to one or more of the domains listed below
• File Monitor cannot be run
• Safe mode boot is disabled
• Registry Editor (regedit) and Task Manager are disabled
• Antivirus software is disabled

Characteristics
Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself at the following path:

%Windir%\System32\Drivers\{random}.sys
It parasitically infects *.exe and *.scr files on local, network and removable drives, except for files whose path contains one of the following strings:
• WINDOWS
• SYSTEM
• SYSTEM32
It downloads further malware from the following domains:

• 1.yimg.com
• us.i1.yimg.com
• ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru

It can also drop an autorun.inf file on a drive so that it executes automatically when the drive is opened.
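Because Sality appends its body to host executables rather than replacing them, the practical check for the file-infection behaviour above is an integrity baseline: hash every *.exe and *.scr, rescan later, and treat a changed hash on a file that also grew as the signature of appended viral code. The script below is an added example, not code from the original post; the scratch directory, the stand-in "app.exe" and the dropped autorun.inf are constructed so it runs offline, and unlike the virus it deliberately does not skip WINDOWS/SYSTEM/SYSTEM32 paths.

```python
"""Integrity baseline for the parasitic-infection behaviour described above.
Added example, not from the original post; all files are constructed."""
import hashlib
import os
import shutil
import tempfile

EXEC_SUFFIXES = ('.exe', '.scr')   # the file types the post says Sality infects


def file_digest(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(chunk_size), b''):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> {size, sha256} for every executable under root.
    Scans everything, including the WINDOWS/SYSTEM paths the virus skips."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(EXEC_SUFFIXES):
                path = os.path.join(dirpath, name)
                result[os.path.relpath(path, root)] = {
                    'size': os.path.getsize(path),
                    'sha256': file_digest(path),
                }
    return result


def compare(before, after):
    """List (relative_path, kind) for executables that appeared or changed.
    'modified+grown' is the appended-code pattern; 'modified' alone may be a
    legitimate update and deserves a look rather than an automatic verdict."""
    findings = []
    for rel, cur in sorted(after.items()):
        old = before.get(rel)
        if old is None:
            findings.append((rel, 'new'))
        elif cur['sha256'] != old['sha256']:
            kind = 'modified+grown' if cur['size'] > old['size'] else 'modified'
            findings.append((rel, kind))
    return findings


def autorun_present(drive_root):
    """True if an autorun.inf sits at the root of the drive or share."""
    return os.path.isfile(os.path.join(drive_root, 'autorun.inf'))


def demo():
    """Simulate the infection pattern in a scratch directory and return
    (compare() findings, autorun_present())."""
    root = tempfile.mkdtemp(prefix='sality_demo_')
    try:
        app_dir = os.path.join(root, 'Program Files', 'App')
        os.makedirs(app_dir)
        app = os.path.join(app_dir, 'app.exe')
        with open(app, 'wb') as f:
            f.write(b'MZ' + b'\x00' * 1024)          # constructed stand-in for a PE file
        with open(os.path.join(root, 'readme.txt'), 'w') as f:
            f.write('not an executable\n')           # must be ignored by the scan
        before = baseline(root)
        with open(app, 'ab') as f:
            f.write(b'\x90' * 512)                   # simulated appended viral body
        with open(os.path.join(root, 'autorun.inf'), 'w') as f:
            f.write('[autorun]\r\nopen=app.exe\r\n')  # simulated dropped autorun.inf
        return compare(before, baseline(root)), autorun_present(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == '__main__':
    findings, autorun = demo()
    for rel, kind in findings:
        print(kind, rel)
    print('autorun.inf at drive root:', autorun)
```

Take the baseline from a known-clean image (or from installation media), not from a machine that may already be infected, and store it somewhere the infected host cannot write to.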

[Screenshot: the sample being executed]

Once the sample is run, it immediately injects itself into a randomly chosen running process, connects to certain sites and downloads malware.

[Screenshot: network connection from the infected host]

The screenshot above shows the virus connecting to the IP 89.111.173.114 on port 80, contacting "http://bjerm.mass.hc.ru" and downloading the file "logoh.gif".

Below is a screenshot of Sality injected into notepad.exe.

[Screenshot: notepad.exe in the process list]

Note that notepad.exe appears in the running processes even though the user never opened it (check the system tray: there is no Notepad window).
If this process is killed, Sality simply injects itself into another process.

Common Registry changes done by Sality

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools

These values disable Task Manager (DisableTaskMgr) and Registry Editor (DisableRegistryTools) respectively.

To make recovery difficult for the victim, the registry keys in the following subtrees are deleted; they need to be restored to their original configuration if the user wants safe mode back:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
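One way to verify both registry changes without touching the infected host's live registry is to export the relevant keys (regedit /e, or File -> Export) and inspect the .reg text offline, then generate a .reg file that removes the lockout values. The script below is an added example, not code from the original post; the sample export is constructed to show what an infected host looks like (policy values set to 1, SafeBoot\Minimal and SafeBoot\Network gone), and the key paths are the ones listed above.

```python
"""Offline check of a registry export for the two Sality changes described
above. Added example, not from the original post; SAMPLE_EXPORT is constructed.
Read a real export with open(path, encoding='utf-16'), regedit's own format."""

POLICY_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System'
POLICY_VALUES = ('DisableTaskMgr', 'DisableRegistryTools')
SAFEBOOT_ROOTS = (
    r'HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot',
)
SAFEBOOT_SUBKEYS = ('Minimal', 'Network')   # both exist on a clean Windows install

# Constructed sample export from an "infected" host: lockout values set,
# SafeBoot subkeys deleted, only the SafeBoot key itself left.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
"""


def parse_reg(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: raw_value}}.  '[-key]' deletion entries are kept
    as plain keys; that is fine for an export, which never contains them."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '=' in line:
            name, _, value = line.partition('=')
            keys[current][name.strip('"')] = value.strip()
    return keys


def find_key(keys, path):
    """Registry paths are case-insensitive, so compare lower-cased."""
    want = path.lower()
    return next((v for k, v in keys.items() if k.lower() == want), None)


def dword(raw):
    """'dword:00000001' -> 1; anything else -> None."""
    return int(raw.split(':', 1)[1], 16) if raw.lower().startswith('dword:') else None


def check_policies(keys):
    """Names of the lockout values that are set to 1 under the policy key."""
    values = find_key(keys, POLICY_KEY) or {}
    lowered = {k.lower(): v for k, v in values.items()}
    return [n for n in POLICY_VALUES if dword(lowered.get(n.lower(), '')) == 1]


def missing_safeboot(keys):
    """SafeBoot subkeys that a clean install has but the export lacks."""
    present = {k.lower() for k in keys}
    return [root + '\\' + sub
            for root in SAFEBOOT_ROOTS for sub in SAFEBOOT_SUBKEYS
            if (root + '\\' + sub).lower() not in present]


def remediation_reg(policy_names):
    """A .reg file that deletes the lockout values: '"name"=-' removes a
    value when the file is imported with regedit."""
    lines = ['Windows Registry Editor Version 5.00', '', '[' + POLICY_KEY + ']']
    lines += ['"%s"=-' % name for name in policy_names]
    return '\r\n'.join(lines) + '\r\n'


if __name__ == '__main__':
    keys = parse_reg(SAMPLE_EXPORT)
    print('lockout values set:', check_policies(keys))
    print('SafeBoot keys missing:', missing_safeboot(keys))
    print(remediation_reg(check_policies(keys)))
```

Two caveats. The SafeBoot subtrees cannot be regenerated from a script because their contents depend on the Windows version and service pack; export SafeBoot\Minimal and SafeBoot\Network from a clean machine of the same build and import that. And HKEY_CURRENT_USER only exists for an interactively logged-on user: when you connect to a remote registry, as a commenter below describes, the same key lives under HKEY_USERS\<user SID>\Software\Microsoft\Windows\CurrentVersion\Policies\System.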

Common URLs accessed by Sality

The following domains and IP address should be blocked at the firewall (URLs are written with "hxxp" so they are not clickable).

• hxxp://89.119.67.154
• hxxp://kukutrustnet777.info
• hxxp://kukutrustnet888.info
• hxxp://kukutrustnet987.info
• hxxp://www.kjwre9fqwieluoi.info
• hxxp://bpowqbvcfds677.info
• hxxp://bmakemegood24.com
• hxxp://bperfectchoice1.com
• hxxp://bcash-ddt.net
• hxxp://bddr-cash.net
• hxxp://btrn-cash.net
• hxxp://bmoney-frn.net
• hxxp://bclr-cash.net
• hxxp://bxxxl-cash.net
• hxxp://balsfhkewo7i487fksd.info
• hxxp://buynvf96.info
• 1.yimg.com
• us.i1.yimg.com
• hxxp://ad.yieldmanager.com
• mattfoll.eu.interia.pl
• bjerm.mass.hc.ru
• www.f5ds1jkkk4d.info
• www.g1ikdcvns3sdsal.info
• www.h7smcnrwlsdn34fgv.info
• www.inform1ongung.info
• www.kukutrustnet.org
• www.lukki6nd2kdnc.info
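Besides blocking the list at the firewall, the same indicators are worth running over proxy logs to find which internal hosts have already talked to them. The script below is an added example, not code from the original post: it normalises the defanged entries exactly as the post lists them, matches log lines by host (a sub-domain of a listed domain counts as a hit, which is slightly broader than the list itself), and reports the clients involved. The log lines and their format are constructed. Note that yimg.com and yieldmanager.com are Yahoo-operated hosts that the sample abused for downloads, so hits on them are a weaker signal than hits on the purpose-registered .info/.net names.

```python
"""Match proxy logs against the Sality indicator list above.
Added example, not from the original post; LOG_LINES are constructed."""
import re
from urllib.parse import urlsplit

# Indicators exactly as the post lists them (hxxp:// and bare host forms mixed).
RAW_INDICATORS = """
hxxp://89.119.67.154
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info
hxxp://www.kjwre9fqwieluoi.info
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://btrn-cash.net
hxxp://bmoney-frn.net
hxxp://bclr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
1.yimg.com
us.i1.yimg.com
hxxp://ad.yieldmanager.com
mattfoll.eu.interia.pl
bjerm.mass.hc.ru
www.f5ds1jkkk4d.info
www.g1ikdcvns3sdsal.info
www.h7smcnrwlsdn34fgv.info
www.inform1ongung.info
www.kukutrustnet.org
www.lukki6nd2kdnc.info
"""

# Accepts hxxp://, http://, https:// and the garbled "http:.//" seen in such lists.
DEFANG_RE = re.compile(r'^(?:hxxps?|https?):\.?//', re.IGNORECASE)


def normalize(indicator):
    """'hxxp://www.x.info/path' or 'http:.//y.com' -> 'www.x.info' / 'y.com'."""
    s = DEFANG_RE.sub('', indicator.strip().lower())
    return (urlsplit('http://' + s).hostname or s).rstrip('.')


def load_indicators(raw):
    return {normalize(line) for line in raw.splitlines() if line.strip()}


def host_matches(host, indicators):
    """Return the indicator that host equals or is a sub-domain of, else None."""
    labels = host.lower().rstrip('.').split('.')
    for i in range(len(labels)):
        candidate = '.'.join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed proxy log format: date time client method url status
LOG_RE = re.compile(r'^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) '
                    r'(?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$')

LOG_LINES = [
    "2009-04-23 10:01:12 10.0.0.15 GET http://bjerm.mass.hc.ru/logoh.gif 200",
    "2009-04-23 10:01:13 10.0.0.15 GET http://www.example.com/index.html 200",
    "2009-04-23 10:02:40 10.0.0.22 GET http://89.119.67.154/ 403",
    "2009-04-23 10:03:05 10.0.0.22 GET http://cdn.kukutrustnet777.info/x.gif 200",
    "2009-04-23 10:04:00 10.0.0.31 GET http://kukutrustnet.org/ 200",
]


def scan_log(lines, indicators):
    """List of (client, host, matched_indicator) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        host = urlsplit(m['url']).hostname
        ioc = host_matches(host, indicators) if host else None
        if ioc:
            hits.append((m['client'], host, ioc))
    return hits


def infected_clients(lines, indicators):
    """Sorted, de-duplicated internal addresses that contacted an indicator."""
    return sorted({client for client, _, _ in scan_log(lines, indicators)})


if __name__ == '__main__':
    iocs = load_indicators(RAW_INDICATORS)
    for client, host, ioc in scan_log(LOG_LINES, iocs):
        print('%s -> %s (matches %s)' % (client, host, ioc))
    print('clients to isolate:', infected_clients(LOG_LINES, iocs))
```

The last constructed line, a request to kukutrustnet.org, is deliberately not a hit: the post lists www.kukutrustnet.org, and suffix matching only walks upward from the requested host. If you want the bare domain blocked as well, add it to the list explicitly rather than loosening the match.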

Rgrds,
SAM

Comments

Peter_007 wrote:

Excellent document.
Keep it up, SAM.

Symantec World wrote:

Thanks for this document.

Sality also corrupts your antivirus; actually, we are facing this issue.

Regards, M.R

mon_raralio wrote:

We got a couple of PCs infected with W32.Sality.AE in our network.
What we tried was to map the C: drive of the infected PC to another PC and have that PC scan the drive as a "local drive". After that we edited the registry (in regedit: File -> Connect Network Registry...) and followed Symantec's manual removal instructions for editing the registry. We created an autorun.inf with read-only rights.
After that, we disconnected the PC and restarted. (BTW, we already had the AV installer ready to install on the PC to prevent reinfection.)

“Your most unhappy customers are your greatest source of learning.”
