Security Response

Sality Goes LNK

Created: 09 Aug 2010 13:46:28 GMT • Updated: 23 Jan. 2014 18:25:49 GMT • Available translations: 日本語
Nicolas Falliere

A few months ago, I described the features of W32.Sality in these two blog entries. This well-known virus propagates by infecting Windows executable files. Infected computers also make up a fully decentralized peer-to-peer network, which is used to propagate digitally signed packages of URLs that the bots will download and run malicious files from. The discovery of the LNK vulnerability (BID 41732), initially used by Stuxnet, gave malware authors a cheap, easy, and effective way to propagate their creations.

The Sality gang didn’t waste much time and jumped on the bandwagon in the early days of August. However, it seems that it was only this past weekend that they decided to leverage their botnet to potentially infect even more computers. The latest package downloaded by Sality (sequence ID 122) refers to a few URLs, including Sality-standard hack tools (mail relay, HTTP proxy), but also to a dropper for Sality itself.

Package 122 referenced nine malicious download URLs in total.

This dropper enumerates the available network shares and tries to create a .dll file, semi-randomly named “z[HEXADECIMAL NUMBER].tmp”, on each of them. It also recursively lists the subdirectories of each share and tries to create, in each of them, a link file exploiting BID 41732. The LNK file is crafted to load the .dll file, which contains an encrypted copy of Sality. The names of the .lnk files can be based on existing files found on the shares, with an appended .lnk extension, or can be randomly chosen from a hardcoded list of benign or suggestive names:

  • Copy of New Folder.lnk
  • Copy of New File.lnk
  • Copy of Shortcut.lnk
  • New Shortcut.lnk
  • New Folder.lnk
  • Shortcut.lnk
  • Drivers.lnk
  • Anna Benson Sex video.lnk
  • Kick_Ass.avi.lnk
  • Jenna Elfman sex a*** de********.avi.lnk
  • Miss America Porno.lnk
  • Porno Screensaver.lnk
  • Serials.lnk
  • Barrett Jackson nude photos.lnk
  • Britney Spears XXX.lnk
  • Paris Hilton XXX Archive.lnk
  • XXX hardcore.avi.lnk
  • XXX archive.lnk
  • groom.avi.lnk
  • Fotograf.lnk
  • Photoalbum.lnk
  • My photoalbum.lnk
  • Myphotos.lnk
  • My photos.lnk
  • My beautiful person.lnk
  • beautiful.lnk
  • Gallery photos.lnk
  • caroline.avi.lnk
  • Katrina.avi.lnk
  • kleopatra.avi.lnk
  • P****.avi.lnk
  • Mary-Anne.lnk
  • Lisa.jpg.lnk
  • Bad girl.jpg.lnk
  • Julie.lnk
  • Aline.lnk
  • Anna.jpg.lnk
  • Barbi.jpg.lnk
  • Katrina.lnk
  • Juli.jpg.lnk
  • Mary.lnk
  • Mandy.lnk
  • Sara.lnk
  • rebecca.jpg.lnk
  • Jammie.lnk
  • kate.lnk
  • Audra.lnk
  • stacy.lnk
  • Rena.lnk
  • Kelley.lnk
  • Tammy.lnk
  • Picture.lnk
  • My Photos.lnk
  • Photoalbum.lnk
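As an added defender-side example (not code from the original post or from Symantec), the following script walks a mounted share and flags the three artefacts described above: the z[hex].tmp DLL, shortcuts carrying one of the hardcoded names, and shortcuts that shadow an existing file with an appended .lnk extension. The name set is an assumed subset of the list above, and the sample tree it scans is constructed in a temporary directory with placeholder contents.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed subset of the hardcoded shortcut names listed in the post (lower-cased);
# extend it with the full list when deploying.
SALITY_LNK_NAMES = {
    "copy of new folder.lnk", "new shortcut.lnk", "shortcut.lnk", "drivers.lnk",
    "serials.lnk", "photoalbum.lnk", "my photos.lnk", "picture.lnk",
}
# The dropper writes its DLL as z<hexadecimal>.tmp on each share.
TMP_DLL_RE = re.compile(r"^z[0-9a-f]+\.tmp$", re.IGNORECASE)


def scan_share(root):
    """Walk a share (or any directory tree) and return (path, reason) findings
    matching the dropper's artefacts; benign files are left alone."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = {f.lower() for f in filenames}  # siblings, for shadow detection
        for name in filenames:
            lower = name.lower()
            path = os.path.join(dirpath, name)
            if TMP_DLL_RE.match(lower):
                findings.append((path, "z<hex>.tmp DLL payload"))
            elif lower.endswith(".lnk"):
                if lower in SALITY_LNK_NAMES:
                    findings.append((path, "hardcoded Sality shortcut name"))
                elif lower[:-4] in present:  # "file.ext.lnk" next to "file.ext"
                    findings.append((path, "shortcut shadowing existing file " + name[:-4]))
    return findings


def build_sample_share():
    """Constructed sample tree mimicking an infected share (placeholder bytes only)."""
    root = tempfile.mkdtemp(prefix="share_")
    sub = Path(root, "reports")
    sub.mkdir()
    Path(root, "z4f3a2b1c.tmp").write_bytes(b"placeholder")
    Path(root, "Serials.lnk").write_bytes(b"placeholder")
    Path(sub, "budget.xlsx").write_bytes(b"placeholder")
    Path(sub, "budget.xlsx.lnk").write_bytes(b"placeholder")
    Path(sub, "notes.txt").write_bytes(b"placeholder")  # benign, must not be flagged
    return root


if __name__ == "__main__":
    for path, reason in scan_share(build_sample_share()):
        print(f"{reason}: {path}")
```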

Fortunately, the fact that Microsoft published the patch last week should severely impede the effectiveness of this attack. Again, we advise you to keep your antivirus software up to date and make sure your operating system is properly patched against this nasty vulnerability.