As discussed in a previous blog entry, Sality-infected computers become part of a peer-to-peer (P2P) botnet. This botnet is used by peers to exchange lists of URLs pointing to malicious software, which Sality will decrypt, download and install.
Though the peer-to-peer protocol used by Sality is custom, we can reverse-engineer the malware binary to determine the P2P packet format, as well as protocol rules and features. Traffic analysis can be used to facilitate or guide a white box approach. Eventually, writing a working P2P client and/or server can be used to validate the analysis.
I decided to create a rogue P2P client that would join the Sality botnet and crawl it, in order to estimate its size.
Let’s do a quick reminder of what the P2P protocol offers:
- A peer can ask another peer for its list of URLs.
- A peer can send its list of URLs to another peer.
- A peer can ask another peer to send the coordinates (IP, port) of a third-party peer.
This last feature is used by bots to keep their list of peers as up-to-date as possible. One very important thing is that the exchanged peers are only publicly-reachable ones, meaning those running on a computer with a public IP address (most configurations of this type would be computers directly plugged to DSL/cable modems). Therefore, users behind home routers or inside corporate environments, having publicly inaccessible IPs, will never see their coordinates exchanged on the Sality botnet. The protocol simply prevents it.
We let a rogue P2P client run for about two days, asking for peers, much faster and in bigger quantities than what the client’s implementation in Sality does. We’ve collected about 12,000 IPs and came up with the following geo-localized percentages:
- Romania 22%
- Brazil 12%
- India 8%
- Korea 7%
- Poland 5%
- Morocco 4%
- Turkey 4%
- Russia 2%
- Thailand 2%
- Other 25%
What’s worth noting is that the peers above are clients and servers in the Sality botnet. They run on public IPs and are directly accessible by the other peers. Though I don’t have official statistics, it seems such configurations become rarer and rarer every day. Most end-users, either at home or at work, are hidden behind one or more layers of network hardware that prevent them from being directly exposed to the Internet.
It seems reasonable to estimate the minimal botnet size at 10 times the number of server peers that it has. This would give us a size in the order of 100,000 computers, placing it close to the Storm, Pandex or Rustock botnets (source). Yet it seems clear that Sality is nowhere near what Conficker/Downadup achieved back in the day—millions of bots—but their propagation schemes, as well as end-goals, are very different.
Again, we remind you that W32.Sality is a fairly unique threat, which combines virus (file infection) and Trojan/downloader characteristics. Make sure your definitions are up-to-date, as our anti-virus products detect and clean infected files.