Security Community Blog

W32.Sality - Support Perspective and Battle Plan

Created: 30 Dec 2013 by Brandon Noble • 2 comments

I guess we need to face it. Sality is here to stay.

We have been dealing with new Sality variants for more than 8 years, and with the Sality.AE family for a little over 5, and the variants keep coming. It has become one of the most common file infectors reported by enterprise customers. With its ability to move through shares and disable AV, it is one of the most destructive and tricky threats out there. That said, it is not too hard to stop, provided you have two things: an understanding of how it spreads and infects, and a willingness to mount the proper defense while you seek out the hidden pockets of this threat and eradicate them.

So, first things first. How does it spread?

This is a file infector, and it spreads through the drives and shares an infected machine can reach. It uses two methods, which I refer to as a “Push” and a “Pull”, to infect. Managing both keeps the threat from spreading to more computers.

The “Push”

This one is pretty well understood. An infected machine enumerates the drives connected to it and systematically attempts to infect .EXE and .SCR files on each. If network shares are mapped as drives, it spreads to those as well. As the malicious code is injected into the target file and written back to disk, AV detects the write and attempts to clean the file. Without AV detection, the threat infects many .EXE files, and when any of them is launched (by the user or by the system), the threat becomes memory resident and continues to spread. Among the first .EXEs it infects are notepad.exe and/or winmine.exe. Copies of these infected .EXEs are renamed and placed at the root of every drive and share, including mapped network drives, along with an autorun.inf file that points to them, to facilitate the “Pull”.

The “Push” can be prevented by AV with current definitions and default settings. Removing write access to shares where it is not needed also helps a great deal, since the threat can only infect files it can write.

The “Pull”

This process is less well known, and it is why we have such a hard time eradicating this threat. Infected machines now have infected, renamed versions of known files like notepad or winmine sitting at the root of their shares and drives, with an autorun.inf pointing to them. This is the equivalent of a shotgun with a string tied to a door: as soon as the door (the drive or share) is opened, the shotgun (the virus) fires.

Now here is the tricky part. The virus file sits on a remote computer, but when it launches, it runs in the local computer's memory. Frequently, neither location is covered: by default the local AV does not scan files as they are read from a remote host, and it cannot scan memory at all. So the virus is running in memory and AV never had a chance to stop it. One of the first things this memory-resident code does is try to break your antivirus, after which it is free to write to the hard drive and infect other files unimpeded.

Note: the same thing can happen any time you run .EXEs directly from a remote location.

Prevention - Mitigation

New variants of Sality come out all the time, and the technology used to avoid detection keeps getting trickier. So, how do you keep this threat from ruining your week? There are two incredibly simple steps that must be taken to manage this outbreak. Skip them and you will waste hours chasing it around and reformatting machines that have been damaged beyond recovery.

Once you have solid AV coverage, the “Pull”, the most insidious part of this attack, can be rendered moot by enabling network scanning and by disabling Autoplay. Network scanning makes AV inspect files as they are read from remote hosts, and disabling Autoplay stops autorun.inf from launching anything when a drive or share is opened. Together they prevent the threat from launching from a remote host directly into local memory, which would skip the file write that AV depends on to catch it.

Once you have implemented the above steps, the threat should no longer be spreading. Then use a network audit from your AV management console to determine which machines lack valid, updated AV and which are currently infected. Those machines should be cleaned with the Symantec Recovery Tool, have AV reinstalled, and only then be reintroduced to the production network.
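As an added example (not code from the original post, and not Symantec's tooling), the following Python script checks the Autoplay half of the "Pull" defense above and hunts for the share-root layout described in the “Pull” section. It decodes the NoDriveTypeAutoRun policy value Windows uses to disable Autoplay per drive type, and it audits the root of a drive or share for an autorun.inf whose open=, shellexecute= or shell\...\command= line launches an executable sitting beside it. The sample autorun.inf, the file name xkjhd.exe and the temporary "share root" are constructed for the demonstration; the registry lookup (HKLM, then HKCU) only runs on Windows, and the network-scanning setting is an AV console option that this script does not check.

```python
"""Added example: audit a drive/share root for the Sality-style autorun.inf
layout, and decode the NoDriveTypeAutoRun policy that disables Autoplay."""
import os
import re
import tempfile

# Drive-type bits of the NoDriveTypeAutoRun policy value under
# Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# A set bit disables Autoplay for that drive type; 0xFF disables it everywhere.
# (Bits mirror the GetDriveType() codes: REMOVABLE=2 -> 1<<2, FIXED=3 -> 1<<3, ...)
NO_AUTORUN_BITS = {
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
}

# Executable extensions an autorun.inf target may carry.
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".cmd", ".bat"}

# Keys in [autorun] that cause a program to launch when the drive is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def autoplay_still_enabled(no_drive_type_autorun):
    """Return the drive types for which this policy value still allows Autoplay."""
    return [name for bit, name in NO_AUTORUN_BITS.items()
            if not no_drive_type_autorun & bit]


def autoplay_fully_disabled(no_drive_type_autorun):
    """True when Autoplay is off for every drive type (e.g. the value 0xFF)."""
    return not autoplay_still_enabled(no_drive_type_autorun)


def read_no_drive_type_autorun():
    """Read the live policy value on Windows (HKLM first, then HKCU); None elsewhere or if unset."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, key_path) as key:
                value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
                return int(value)
        except OSError:
            continue
    return None


def _program_of(command):
    """First token of a command line, honouring a leading quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def launch_targets(autorun_text):
    """Every program an autorun.inf would launch, in file order."""
    targets = []
    for line in autorun_text.splitlines():
        match = LAUNCH_KEY.match(line)
        if match:
            program = _program_of(match.group(2))
            if program:
                targets.append(program)
    return targets


def audit_root(root):
    """Flag an autorun.inf at `root` whose launch target is an executable at that same root."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return findings
    with open(inf_path, "r", errors="replace") as handle:
        text = handle.read()
    for program in launch_targets(text):
        name = os.path.basename(program.replace("\\", "/"))
        if os.path.splitext(name)[1].lower() in EXEC_EXT:
            findings.append({
                "autorun": inf_path,
                "target": program,
                "target_present": os.path.isfile(os.path.join(root, name)),
            })
    return findings


# Constructed sample: an autorun.inf pointing at a renamed copy of notepad.exe at the root.
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=xkjhd.exe\r\n"
    "shell\\open\\command=xkjhd.exe\r\n"
    "shell\\explore\\command=xkjhd.exe\r\n"
)


def demo():
    """Build a throwaway 'share root' holding the constructed files and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as handle:
            handle.write(SAMPLE_AUTORUN)
        with open(os.path.join(root, "xkjhd.exe"), "wb") as handle:
            handle.write(b"MZ")  # constructed stand-in for the renamed infected binary
        return audit_root(root)


if __name__ == "__main__":
    live = read_no_drive_type_autorun()
    value = 0x91 if live is None else live  # 0x91 is the long-standing Windows default
    print("Autoplay still enabled for:", autoplay_still_enabled(value) or "nothing")
    for finding in demo():
        print("autorun.inf launches", finding["target"], "present:", finding["target_present"])
```

On a real host, point audit_root at each drive letter and mapped share (for example the paths from `net use`), and push NoDriveTypeAutoRun=0xFF through Group Policy rather than editing it by hand; the parser is deliberately generic, since the file names Sality uses are random and the check is about the layout, not a signature.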

For more on Sality, check out these links:

Best practices for responding to active threats on a network

All-in-One Malware: An Overview of Sality

Things I Can Live Without

Threat Write-Up:

Most common Sality variant:
W32.Sality.AE

Legacy variants:
W32.Sality.AB
W32.Sality.AM
W32.Sality.R
W32.Sality.S
W32.Sality.U
W32.Sality.X
W32.Sality.Y and W32.Sality.Y!inf
W32.Sality.V and W32.Sality.V!inf

IPS Attack Signatures:
HTTP W32.Sality Activity
System Infected: W32.Sality Download
System Infected: HTTP W32.Sality Activity
System Infected: W32.Sality Activity 3
SMB Sality File Activity
SMB Critical File Tamper Activity

Comments (2)

Mick2009:

"Thumbs up" for this article.  Just to add a few points and helpful references...

Enabling Network Scanning can affect performance, but it is definitely worth the cost.

Symantec Endpoint Protection Recommended Best Practices for Securing an Enterprise Environment
http://www.symantec.com/docs/TECH166816

....

Why enable Network Scanning?

By default, Auto-Protect scans files as they are written from your computer to a remote computer. Auto-Protect also scans files when they are written from a remote computer to your computer. When you execute files on a remote computer, however, the file loads into memory on the local computer. Since real-time scanning technologies like Auto-Protect cannot scan memory, this potentially allows malicious code to be launched on a machine before antivirus software can examine the code. With Network Scanning enabled, files on remote machines are scanned when read, helping to block a large and growing attack vector for some of the most dangerous threats.

IPS protection can be very effective at blocking the network traffic that W32.Sality needs to spread.  It can also provide admins with an indication of which computers on their network are infected (and constantly attempting to infect others!).  Using AV alone is fighting W32.Sality with one arm tied behind the back.

Two Reasons why IPS is a "Must Have" for your Network
https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network

Many thanks, and best regards!

Mick

With thanks and best regards,

Mick

Mick2009:

Just adding one more helpful reference for those who need to know more about this threat:

Sality: Story of a Peer-to-Peer Viral Network
http://www.symantec.com/connect/sites/default/files/sality_peer_to_peer_viral_network.pdf

With thanks and best regards,

Mick
