
W32.Sality

Risk Level 2: Low

Discovered:
June 4, 2003
Updated:
April 30, 2013 11:11:54 AM
Also Known As:
W32/Kookoo-A [Sophos]
Type:
Virus
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network port blocking
1.5 Network shares
2. Infection method
2.1 Network shares
3. Functionality
3.1 System modifications
3.2 Process injection
3.3 Lowers security settings
3.4 Infection Functionality
3.5 Downloader capabilities
3.6 Network activity
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources.

It is also advisable to disconnect removable drives when not required. If write access is not required, enable the read only mode if the option is available.

Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article: How to prevent a virus from spreading using the 'AutoRun' feature.

Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and antivirus and firewall software are up to date and operational. It is also recommended that users turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.


1.3 Address blocking
While the domains vary with new variants, we have recently observed the following addresses in use. Block access to them using a firewall or router, or add entries to the local hosts file that map the host names to 127.0.0.1. Note that a hosts file entry only affects name resolution: the bare IP address in the list (89.119.67.154) can only be blocked at the firewall or router.
  • 89.119.67.154
  • balsfhkewo7i487fksd.info
  • bcash-ddt.net
  • bclr-cash.net
  • bddr-cash.net
  • bmakemegood24.com
  • bmoney-frn.net
  • bperfectchoice1.com
  • bpowqbvcfds677.info
  • btrn-cash.net
  • buynvf96.info
  • bxxxl-cash.net
  • kjwre77638dfqwieuoi.info
  • kjwre9fqwieluoi.info
  • kukutrustnet777.info
  • kukutrustnet888.info
  • kukutrustnet987.info
  • oceaninfo.co.kr
  • pedmeo222nb.info
  • pzrk.ru
  • technican.w.interia.pl


1.4 Network port blocking

The virus derives its listening port from the computer name and the name of the current executable file, so the port differs from one infected computer to another, but it may also fall back to a default port. Blocking the following default port at the network perimeter reduces, but does not remove, the risk to your computer (section 3.6 gives the range the derived port falls in):
UDP port 9674


1.5 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.
  • Users are advised to ensure that all network shares are only opened when they are necessary for use.
  • Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, upper-case and lower-case characters and symbols. Commonly used words from everyday language should not be used, as they are easily defeated by a dictionary attack.
  • Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
  • For more information about the autorun feature and how to disable it, please review this blog entry.



2. INFECTION METHOD
W32.Sality will infect executable files on local, removable and remote shared drives. W32.Sality replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been inserted in the last section of the host file.



In addition to infecting local and remotely shared executable files, W32.Sality deliberately searches the following registry subkeys and infects the executables they reference, including those that run when Windows starts:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run


2.1 Network shares

W32.Sality may iterate all available network shares and infect executable files on the remote shares.



3. FUNCTIONALITY

W32.Sality has five main areas of functionality, aside from system modifications, each covered in more depth below:
  • Injects itself into processes so it is able to load downloaded DLLs into target processes.
  • Compromises security settings
  • Infects files on local drives and removable media
  • Downloads files and URLs
  • Creates a peer-to-peer (P2P) botnet
System modifications made by the virus create side effects on the compromised computer.

Note: Side effects created by associated threats are not included in this report.


3.1 SYSTEM MODIFICATIONS
The following side effects may be observed on computers compromised by members of this threat family.

Files created
%System%\drivers\[RANDOM FILE NAME]

Files or folders deleted
None

Files or folders modified
None

Registry subkeys created

It creates the following registry subkeys:
  • HKEY_CURRENT_USER\Software\[USER NAME]914
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

Registry entries deleted

This virus deletes entries in the following registry subkeys:
  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Registry entries modified (final values given)
It also modifies the following registry entries:
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"


3.2 Process injection
W32.Sality does not inject into processes that run as SYSTEM, Local Service or Network Service. Into other processes it injects code that loads DLLs downloaded from remote servers into the target process. For each injection it creates a named mutex derived from the target process ID (PID), so that it avoids injecting code into the same process repeatedly.


3.3 Lowers security settings
The virus attempts to prevent the compromised computer from starting into Safe Mode by deleting all entries located in the following registry subkeys:
  • HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

The virus starts the Windows IP Filter Driver service and drops an embedded driver to the following location:
%System%\drivers\[RANDOM FILE NAME]

It then creates and starts a service to load the driver. The driver blocks access to a variety of security software vendor web sites.

The virus then disables security software services and ends security software processes. It also disables registry editing and the task manager.
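The registry side effects in sections 3.1 and 3.3 are easy to hunt for on a host that can still be examined. The following script is an added example, not Symantec's own tooling: it reads a text export in the format written by `reg export` and flags the indicators named above (EnableLUA cleared, firewall exceptions in the "[INFECTED FILE]:*:Enabled:ipsec" form, SafeBoot profiles emptied, the HKCU\Software\[USER NAME]914 key). The sample export, the user name "alice" and the file paths in it are constructed for the example.

```python
"""Hunt for the registry side effects listed in sections 3.1 and 3.3.

Added example (not Symantec's own tooling). It reads a text export in the
.reg format written by `reg export` on Windows, so it can be run offline on
an export collected from a suspect host. SAMPLE_REG is constructed for this
example and mirrors the final values the write-up gives; the user name
"alice" and the file paths in it are made up.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
FW_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Constructed sample export: what the relevant keys could look like on an
# infected host (a healthy host has dozens of subkeys under SafeBoot\Minimal).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Apps\\infected.exe"="C:\\Apps\\infected.exe:*:Enabled:ipsec"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network]

[HKEY_CURRENT_USER\Software\alice914]
"a1_0"=hex:3f,20,9c
"""


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}. ControlSet001 is
    folded into CurrentControlSet (assumption: it is the active control set,
    which is usual but should be confirmed against the Select key)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").replace("\\ControlSet001\\", "\\CurrentControlSet\\")
            keys[current] = {}
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            data = m.group("data")
            if data.startswith("dword:"):
                value = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                value = _unescape(data[1:-1])
            else:
                value = data            # hex:, expand strings etc. kept verbatim
            keys[current][name] = value
    return keys


def check_sality_indicators(keys, username=None):
    """Return (severity, message) findings for the side effects in this write-up."""
    lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    if lower.get(UAC_KEY.lower(), {}).get("EnableLUA") == 0:
        findings.append(("high", "UAC disabled: EnableLUA = 0"))
    for name, data in lower.get(FW_LIST.lower(), {}).items():
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            findings.append(("high", f"firewall exception in Sality's format: {name}"))
    for profile in ("Minimal", "Network"):
        key = f"{SAFEBOOT}\\{profile}".lower()
        if key in lower and not any(k.startswith(key + "\\") for k in lower):
            findings.append(("high", f"SafeBoot\\{profile} has no entries: Safe Mode boot sabotaged"))
    if username and f"HKEY_CURRENT_USER\\Software\\{username}914".lower() in lower:
        findings.append(("medium", f"per-user key from section 3.1 present: HKCU\\Software\\{username}914"))
    return findings


if __name__ == "__main__":
    for severity, message in check_sality_indicators(parse_reg(SAMPLE_REG), username="alice"):
        print(f"[{severity}] {message}")
```

On a real host, export the keys with `reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot safeboot.reg` (and likewise for the other keys), then open the file with `encoding="utf-16"` before passing it to `parse_reg`, since `reg export` writes UTF-16. An empty SafeBoot\Minimal or SafeBoot\Network key is the strongest of these signals; EnableLUA = 0 on its own is also set by administrators and should be correlated with the others.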


3.4 Infection Functionality
This virus checks that a file is not protected by Windows File Protection (the mechanism behind SFC) before trying to infect it. It then infects unprotected executable files on local, removable and remote shared drives: at the entry point of the executable it replaces the original host code with code that redirects execution to the polymorphic viral code, which it has placed in the last section of the host file.

It also infects executables connected to the registry subkeys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
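The infection pattern described in section 2 and again here (entry point redirected into viral code placed in the host's last section) can be triaged from the PE headers alone. The script below is an added example, not Symantec's detection logic: it parses just the fields it needs and reports whether the entry point lies in the last section and whether that section is both writable and executable. The two images it examines are constructed in memory for the example; they are headers and a section table, not real programs.

```python
"""Triage heuristic for the infection pattern in sections 2 and 3.4: the entry
point redirected into viral code placed in the host's last section.

Added example, not Symantec's detection logic. It parses only the PE fields
it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader,
AddressOfEntryPoint and the section table). The two images below are
constructed in memory (headers plus a section table, no code) for illustration.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_rva, [(name, virtual_address, virtual_size, raw_size, characteristics)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, chars = f[0], f[1], f[2], f[3], f[9]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_size, chars))
    return entry_rva, sections


def assess_entry_point(data):
    """Flag executables whose entry point lands in the last section or in a
    section that is both writable and executable. Packers (UPX and friends)
    trigger the same heuristic, so treat a hit as a triage lead, not a verdict."""
    entry_rva, sections = parse_pe(data)
    result = {"entry_rva": entry_rva, "section": None, "last_section": False,
              "writable_executable": False, "suspicious": False, "reasons": []}
    for idx, (name, va, vsize, raw_size, chars) in enumerate(sections):
        if va <= entry_rva < va + max(vsize, raw_size):
            result["section"] = name
            result["last_section"] = len(sections) > 1 and idx == len(sections) - 1
            result["writable_executable"] = bool(chars & IMAGE_SCN_MEM_WRITE) and bool(chars & IMAGE_SCN_MEM_EXECUTE)
            break
    else:
        result["reasons"].append("entry point is outside every section")
    if result["last_section"]:
        result["reasons"].append("entry point is in the last section (%s)" % result["section"])
    if result["writable_executable"]:
        result["reasons"].append("entry section %s is writable and executable" % result["section"])
    result["suspicious"] = bool(result["reasons"])
    return result


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image (DOS stub, COFF and optional headers, section
    table). Constructed test input for this example, not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva)    # PE32 magic ... AddressOfEntryPoint
    opt += b"\0" * (0xE0 - len(opt))
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, chars)
                     for name, va, vsize, raw, chars in sections)
    return dos + b"PE\0\0" + coff + opt + table


TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a plain two-section image, and the same image after its
# last section has been enlarged, made executable and given the entry point.
CLEAN = build_pe([(b".text", 0x1000, 0x2000, 0x2000, TEXT_FLAGS),
                  (b".data", 0x3000, 0x1000, 0x1000, DATA_FLAGS)], entry_rva=0x1100)
INFECTED = build_pe([(b".text", 0x1000, 0x2000, 0x2000, TEXT_FLAGS),
                     (b".data", 0x3000, 0x3000, 0x3000, DATA_FLAGS | IMAGE_SCN_MEM_EXECUTE)], entry_rva=0x5100)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, assess_entry_point(image))
```

To run it over real files, pass `open(path, "rb").read()` to `assess_entry_point` and combine the verdict with other evidence (the same pattern is produced by legitimate packers and by other file infectors), and compare against a known-good copy of the file where one exists.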


3.5 Downloader capabilities

The virus downloads and executes a variety of files, including pay-per-install executables such as misleading applications. The flexibility of the downloader lies in the continuous exchange of URL lists.

W32.Sality contains an initial list of URLs to download and execute, and may receive new URLs from other infected peers.

For each URL it will either directly download, decrypt and execute the specified binary, or download a list of URLs and then download, decrypt and execute each entry in that list.


3.6 Network Activity
W32.Sality participates in a peer-to-peer botnet using UDP. A variable listening port is generated (minimum 2199) based on the computer name and current executable file name and in some cases defaults to 9674.

It also contains a preconfigured list of up to 1000 peers (IP address and UDP port pairs). The goal of the P2P network is to exchange lists of URLs to feed to the downloader functionality. The P2P protocol offers only a few commands, the most important being:
  • Ask a peer for its list of URLs
  • Give a peer its own URL package
  • Ask a peer to send the IP address and port of another peer in the botnet, in order to keep the list of peers up-to-date
All the peer-to-peer traffic is encrypted by means of RC4 encryption using static hard-coded keys.
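The static hard-coded RC4 keys are a weakness a defender can use. The script below is an added example, not Sality's code: the key and the three packet bodies are made up for the illustration (the real keys and the wire format are not given in this write-up; the keys would be recovered from a sample). It shows two consequences. With the key in hand, any captured peer traffic decrypts passively. And because a fixed key yields the same keystream for every packet, XORing two captured packets cancels the keystream, so one known plaintext exposes the overlapping bytes of another packet even without the key.

```python
"""What "RC4 with static hard-coded keys" in the P2P protocol means for a defender.

Added example, not Sality's code. STATIC_KEY and the three packets are made
up for this illustration: the real keys are not given in this write-up and
would be recovered from a sample.
"""


def rc4_keystream(key):
    """Standard RC4: key scheduling, then the keystream generator."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (same operation) under a fresh keystream for `key`."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_capture(key, packets):
    """Passive decryption of captured peer traffic once the key is known."""
    return [rc4(key, p) for p in packets]


def recover_with_crib(target_ct, known_ct, known_pt):
    """Keystream reuse: target_ct XOR known_ct == target_pt XOR known_pt, so a
    known plaintext for one packet recovers the overlapping prefix of another
    without the key."""
    n = min(len(target_ct), len(known_ct), len(known_pt))
    return bytes(t ^ c ^ p for t, c, p in zip(target_ct[:n], known_ct[:n], known_pt[:n]))


# Assumed key and constructed packet bodies modelled on the three commands
# listed above (URL-list request, URL package, peer request); the real wire
# format is not described in this write-up.
STATIC_KEY = b"example-static-key"
PLAINTEXTS = [
    b"CMD=GET_URLS;PEER=10.0.0.5:9674",
    b"CMD=URL_PACK;URLS=http://example.invalid/a.bin,http://example.invalid/b.bin",
    b"CMD=GET_PEER;PEER=10.0.0.5:9674",
]
CAPTURE = [rc4(STATIC_KEY, p) for p in PLAINTEXTS]

if __name__ == "__main__":
    for pt in decrypt_capture(STATIC_KEY, CAPTURE):
        print("decrypted:", pt)
    # The analyst knows packet 0 (for example, they sent it); packet 2 leaks without the key.
    print("recovered:", recover_with_crib(CAPTURE[2], CAPTURE[0], PLAINTEXTS[0]))
```

In practice this means a network sensor that has the keys from a sample can decode the URL lists being exchanged and extract the download URLs directly, and even without the keys, repeated request packets from the same peer are recognisable because identical plaintexts produce identical ciphertexts under a fixed keystream.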

Downloading
The virus downloads files based on predetermined URLs contained in exchanged lists. These files can include additional malware threats and pay per install applications. It is possible that downloaded files may be updated versions of the virus.

Uploading
W32.Sality will upload its own URL package to a peer.


Other network activity
None


4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Angela Thigpen and Eric Chien