I guess we need to face it. Sality is here to stay.
We have been dealing with new Sality variants for more than 8 years and the Sality.AE family for a little over 5, and the variants keep coming. It has become one of the most common file infectors reported by Enterprise customers. With its ability to move through shares and disable AV, it’s one of the most destructive and tricky threats we have out there. That said, it’s not too hard to stop, provided you have two things. The first is an understanding of how it spreads and infects; the second is a willingness to mount the proper defense while you seek out the hidden pockets of this threat and eradicate it.
So, first things first. How does it spread?
This is a file infector and it can only spread through shares. It uses two methods to infect, which I refer to as a “Push” and a “Pull”. Managing these two attacks will keep the threat from spreading to more computers.
The “Push” is pretty well understood. An infected machine looks at the list of drives connected to it and systematically attempts to infect .EXE and .SCR files. If network shares are listed as mapped drives, it will spread to these as well. Then, as the malicious code is injected into the target file and saved to the hard drive, AV detects the write process and attempts to clean the file. Without AV detection, the threat infects many .EXE files, and when these are launched (either by the user or by the system), the threat becomes memory resident and continues to spread. The first .EXEs the threat will infect will be notepad.exe and/or winmine.exe. Copies of these infected .EXEs will be renamed and then moved to the root of all shares and drives, including mapped network drives, along with an autorun.inf file, to facilitate the “Pull”.
The “Push” process can be prevented by AV with proper definitions and default settings. Also, preventing write access to the shares can be very helpful.
The “Pull” process is less well known, and that is why we have such a hard time eradicating this threat. Infected machines now have infected and renamed versions of known files like notepad or winmine sitting at the root of their shares and drives, with an autorun.inf pointing to them. This is the equivalent of a shotgun with a string tied to a door: as soon as the door (drive) is opened, the shotgun (virus) fires.
Now here is the tricky part: the virus file is sitting on a remote computer, and when it launches it is launching into the local computer’s memory. Frequently, neither of these locations is protected by AV. Now we have a virus running around in memory and AV never had a chance to stop it. One of the first things this memory-only piece does is try to break your antivirus, and then it is free to write to the hard drive and infect other files unimpeded.
Note: the same thing can happen if you’re running .EXEs from a remote location.
Prevention - Mitigation
New variants of Sality come out all the time and the technology used to avoid detection is getting trickier and trickier. So, how do you keep this threat from ruining your week? There are two incredibly simple steps that need to be done to manage this outbreak. Skip them and you will waste hours chasing this around and reformatting machines that have been damaged beyond recovery.
Once you have solid AV coverage, the “Pull”, which is the most insidious part of this attack, can be rendered moot by enabling network scanning and by disabling Autoplay. This prevents the threat from launching from a remote host directly into local memory, the route that bypasses the file write AV programs depend on to catch it.
Once you have implemented the above steps, the threat should no longer be spreading. Then you can use a network audit, from within the management console of your AV, to determine which machines do not have valid and updated AV, and which machines are currently infected. These machines should be cleaned using the Symantec Recovery Tool, have AV reinstalled, and then be reintroduced to the production network.
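To make the “Pull” pattern above and the audit step concrete, here is an added Python example (not from the original post or any Symantec tool): a read-only check of a drive or share root that parses autorun.inf for the keys Explorer acts on, then reports which referenced .EXE/.SCR files really sit at the root. The autorun.inf text and the file name xkrz.exe are constructed samples, not a real Sality autorun.inf.

```python
import os, re, tempfile

# Keys that make Explorer launch a program when a drive/share is opened with
# Autoplay enabled: open=, shellexecute=, shell\<verb>\command= (icon= is cosmetic).
_LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE)

# Constructed sample in the shape the post describes; not a real Sality autorun.inf.
SAMPLE_INF = """[autorun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=xkrz.exe
shell\\open\\Command=xkrz.exe
shell\\explore\\command="xkrz.exe" -e
shellexecute=qwer.scr
"""

def launch_targets(inf_text):
    """Return the distinct .exe/.scr files an autorun.inf would launch."""
    targets = []
    for line in inf_text.splitlines():
        m = _LAUNCH_KEY.match(line)
        if not m:
            continue
        cmd = m.group(2)
        # Drop arguments: a quoted path ends at its closing quote, an unquoted one at a space.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split() or [""])[0]
        if exe.lower().endswith((".exe", ".scr")) and exe not in targets:
            targets.append(exe)
    return targets

def audit_root(root):
    """Read-only check of one root: autorun.inf present, what it launches, what is on disk."""
    report = {"root": root, "autorun_inf": False, "targets": [], "present": []}
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return report
    report["autorun_inf"] = True
    with open(inf_path, encoding="utf-8", errors="replace") as fh:
        report["targets"] = launch_targets(fh.read())
    # Only the referenced files that really sit at the root are worth chasing.
    report["present"] = [t for t in report["targets"] if os.path.isfile(os.path.join(root, t))]
    return report

def demo():
    """Stage SAMPLE_INF plus an empty placeholder xkrz.exe in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
        open(os.path.join(root, "xkrz.exe"), "w").close()  # empty, harmless placeholder
        return audit_root(root)
```

Run audit_root against each mapped drive and share root after the Autoplay and network-scanning changes are in place; a non-empty "present" list marks a root that still needs cleaning.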
For more on Sality, check out these links:
Most Common Sality variant:
IPS Attack Signatures:
HTTP W32.Sality Activity
System Infected: W32.Sality Download
System Infected: HTTP W32.Sality Activity
System Infected: W32.Sality Activity 3
SMB Sality File Activity
SMB Critical File Tamper Activity