1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
1.3 Address blocking
1.4 Network port blocking
1.5 Network shares
2. Infection method
2.1 Network shares
3. Functionality
3.1 System modifications
3.2 Process injection
3.3 Lowers security settings
3.4 Infection Functionality
3.5 Downloader capabilities
3.6 Network activity
4. Additional information
1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.
1.1 User behavior and precautions
Users are advised not to open or execute files from unknown sources.
It is also advisable to disconnect removable drives when not required. If write access is not required, enable the read only mode if the option is available.
Users should disable AutoPlay to prevent automatic launching of executable files on removable drives. More information may be found by reading this article:
How to prevent a virus from spreading using the 'AutoRun' feature.
Users should turn off file sharing if its use is not required. If file sharing is required, users should use ACLs and password protection to limit access. In addition to this, the use of a firewall or IDS may block or detect back door server communications with remote client applications.
1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and antivirus and firewall software are up to date and operational. It is also recommended that users turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.
1.3 Address blocking
While the domains vary between variants, the following addresses have recently been observed in use. Block access to them using a firewall or router. The host names can also be redirected to 127.0.0.1 by adding entries to the local hosts file; note that the hosts file only resolves names, so the bare IP address below must be blocked at the firewall or router:
- 89.119.67.154
- balsfhkewo7i487fksd.info
- bcash-ddt.net
- bclr-cash.net
- bddr-cash.net
- bmakemegood24.com
- bmoney-frn.net
- bperfectchoice1.com
- bpowqbvcfds677.info
- btrn-cash.net
- buynvf96.info
- bxxxl-cash.net
- kjwre77638dfqwieuoi.info
- kjwre9fqwieluoi.info
- kukutrustnet777.info
- kukutrustnet888.info
- kukutrustnet987.info
- oceaninfo.co.kr
- pedmeo222nb.info
- pzrk.ru
- technican.w.interia.pl
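The following script turns the list above into hosts-file entries and firewall rules. It is an added example, not Symantec's tooling. It assumes the hosts-file and netsh conventions of a Windows client, and it handles the one practical snag in this list: the bare IP address cannot be sinkholed through the hosts file, so it is routed to a firewall rule instead. The existing hosts-file content used for the demonstration is constructed.

```python
"""Build hosts-file sinkhole entries and outbound firewall rules from the
W32.Sality block list.  Added example; not part of the original write-up."""
import ipaddress

# The addresses listed in section 1.3 above.
BLOCK_LIST = [
    "89.119.67.154", "balsfhkewo7i487fksd.info", "bcash-ddt.net",
    "bclr-cash.net", "bddr-cash.net", "bmakemegood24.com", "bmoney-frn.net",
    "bperfectchoice1.com", "bpowqbvcfds677.info", "btrn-cash.net",
    "buynvf96.info", "bxxxl-cash.net", "kjwre77638dfqwieuoi.info",
    "kjwre9fqwieluoi.info", "kukutrustnet777.info", "kukutrustnet888.info",
    "kukutrustnet987.info", "oceaninfo.co.kr", "pedmeo222nb.info", "pzrk.ru",
    "technican.w.interia.pl",
]


def classify(entries):
    """Split the list into (ip_addresses, host_names).

    Only host names can be redirected via the hosts file; literal IPs need a
    network-layer block, so the two are handled separately."""
    ips, names = [], []
    for entry in entries:
        entry = entry.strip().lower()
        if not entry:
            continue
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)
        except ValueError:
            names.append(entry)
    return ips, names


def merge_hosts(existing_text, names, sinkhole="127.0.0.1"):
    """Return the hosts file text with sinkhole entries appended for every
    name that is not already mapped.  Idempotent: applying it twice yields
    the same text, so it is safe to re-run when the block list changes."""
    already = set()
    for line in existing_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) >= 2:
            already.update(h.lower() for h in fields[1:])
    out = existing_text
    if out and not out.endswith("\n"):
        out += "\n"
    for name in names:
        if name not in already:
            out += f"{sinkhole} {name}\n"
            already.add(name)
    return out


def firewall_rules(ips, rule_name="Block W32.Sality C2"):
    """netsh advfirewall commands that block outbound traffic to each IP."""
    return [
        f'netsh advfirewall firewall add rule name="{rule_name}" '
        f"dir=out action=block remoteip={ip}"
        for ip in ips
    ]


if __name__ == "__main__":
    # Constructed sample hosts file: one of the names is already present.
    sample_hosts = "127.0.0.1 localhost\n# local overrides\n127.0.0.1 pzrk.ru\n"
    ip_list, name_list = classify(BLOCK_LIST)
    print(merge_hosts(sample_hosts, name_list))
    print("\n".join(firewall_rules(ip_list)))
```

On a live machine the merged text would be written back to %SystemRoot%\System32\drivers\etc\hosts (from an elevated prompt) and the netsh commands run as administrator; the script deliberately only generates the artifacts so it can be reviewed before anything is changed.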
1.4 Network port blocking
The virus derives its listening port from the computer name and the name of the running executable, so the port differs from machine to machine, but some variants fall back to a default port. Blocking that default port at the network perimeter helps to reduce the risk to your computer:
UDP port 9674
1.5 Network shares
This threat is also known to spread inside large networks by using shares. The following steps can help protect your computer against this threat.
- Users are advised to ensure that all network shares are only opened when they are necessary for use.
- Use a strong password to guard any shared folders or accounts. A strong password is at least 8 characters long and combines numeric, upper-case and lower-case characters and symbols. Commonly used words from everyday language should not be used, as they are easily defeated by a dictionary attack.
- Disable the autorun feature to prevent dropped files from running automatically when a network drive is opened.
- For more information about the autorun feature and how to disable it, please review this blog entry.
2. INFECTION METHOD
W32.Sality will infect executable files on local, removable and remote shared drives. W32.Sality replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been inserted in the last section of the host file.
In addition to infecting local and remotely shared executable files, W32.Sality deliberately searches the following registry subkeys and infects the executables they reference, including those that run when Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
2.1 Network shares
W32.Sality may iterate all available network shares and infect executable files on the remote shares.
3. FUNCTIONALITY
W32.Sality has five main areas of functionality, aside from System modifications, that we’ll cover more in-depth below.
- Injects itself into processes so it is able to load downloaded DLLs into target processes.
- Compromises security settings
- Infects files on local drives and removable media
- Downloads files and URLs
- Creates a peer-to-peer (P2P) botnet
System modifications made by the virus create side effects on the compromised computer.
Note: Side effects created by associated threats are not included in this report.
3.1 SYSTEM MODIFICATIONS
The following side effects may be observed on computers compromised by members of this threat family.
Files created
%System%\drivers\[RANDOM FILE NAME]
Files or folders deleted
None
Files or folders modified
None
Registry subkeys created
It creates the following registry subkeys:
- HKEY_CURRENT_USER\Software\[USER NAME]914
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
Registry entries deleted
This virus deletes entries in the following registry subkeys:
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Registry entries modified (final values given)
It also modifies the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
3.2 Process injection
W32.Sality will not inject into processes that belong to the system, the local service or the network service. It does inject code into other processes, and that code is able to load external DLLs, downloaded from remote servers, into the target process. For each injection the virus creates a named mutex derived from the target process ID (PID) so that it avoids repeatedly injecting code into the same process.
3.3 Lowers security settings
The virus attempts to prevent the compromised computer from starting into Safe Mode by deleting all entries located in the following registry subkeys:
- HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
The virus starts the Windows IP Filter Driver service and drops an embedded driver to the following location:
%System%\drivers\[RANDOM FILE NAME]
It then creates and starts a service to load the driver. The driver blocks access to a variety of security software vendor web sites.
The virus then disables security software services and ends security software processes. It also disables registry editing and the task manager.
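The registry changes described in sections 3.1 and 3.3 (SafeBoot entries deleted, UAC turned off, a firewall exception registered for the infected file, legacy enumeration keys for the dropped driver) are easy to check for. The script below is an added example, not Symantec's detection logic. On Windows it reads the listed keys through the standard winreg module; elsewhere, and in the demonstration at the bottom, it evaluates a constructed snapshot dictionary so the scoring logic can be exercised offline. The snapshot layout and the finding texts are this example's own conventions.

```python
"""Check a Windows host (or a constructed registry snapshot) for the
W32.Sality side effects listed in sections 3.1 and 3.3.  Added example."""
import sys

# Keys named on the page, written as HIVE\path.  The ControlSet001 paths
# are given exactly as the write-up lists them.
SAFEBOOT = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"
POLICY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"
FW_LIST = (r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
           r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
LEGACY = (r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER",
          r"HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80")
WATCHED = (SAFEBOOT, POLICY, FW_LIST) + LEGACY


def evaluate(snapshot):
    """snapshot maps a key path to {"subkeys": [...], "values": {name: data}};
    a key absent from the dict is treated as absent from the registry.
    Returns a list of human-readable findings (empty means nothing matched)."""
    findings = []

    # 3.3: Safe Mode is broken by deleting everything under SafeBoot.
    safeboot = snapshot.get(SAFEBOOT)
    if safeboot is None:
        findings.append("SafeBoot key missing: Safe Mode boot will fail")
    else:
        missing = {"Minimal", "Network"} - set(safeboot.get("subkeys", []))
        if missing:
            findings.append("SafeBoot subkeys deleted: %s" % sorted(missing))

    # 3.1: EnableLUA forced to 0 switches off UAC.
    policy_values = snapshot.get(POLICY, {}).get("values", {})
    if policy_values.get("EnableLUA") == 0:
        findings.append("EnableLUA = 0: User Account Control disabled")

    # 3.1: the infected file is whitelisted in the XP-style firewall list with
    # the literal description "ipsec", which legitimate installers do not use.
    for name, data in snapshot.get(FW_LIST, {}).get("values", {}).items():
        if isinstance(data, str) and data.lower().endswith(":*:enabled:ipsec"):
            findings.append("firewall exception with Sality-style description: " + name)

    # 3.1: enumeration keys left behind by the dropped filter driver service.
    for key in LEGACY:
        if key in snapshot:
            short = key.rsplit("\\", 1)[-1]
            findings.append("legacy driver enumeration key present: " + short)
    return findings


def collect_windows():
    """Read the watched keys from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in WATCHED:
        hive, subpath = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], subpath) as key:
                n_sub, n_val, _ = winreg.QueryInfoKey(key)
                subkeys = [winreg.EnumKey(key, i) for i in range(n_sub)]
                values = {}
                for i in range(n_val):
                    name, data, _ = winreg.EnumValue(key, i)
                    values[name] = data
                snapshot[path] = {"subkeys": subkeys, "values": values}
        except OSError:
            pass  # key absent (or access denied): treated as not present
    return snapshot


# Constructed snapshots for demonstration; the file name is made up.
CLEAN_SNAPSHOT = {
    SAFEBOOT: {"subkeys": ["Minimal", "Network"], "values": {}},
    POLICY: {"subkeys": [], "values": {"EnableLUA": 1}},
}
INFECTED_SNAPSHOT = {
    SAFEBOOT: {"subkeys": [], "values": {}},
    POLICY: {"subkeys": [], "values": {"EnableLUA": 0}},
    FW_LIST: {"subkeys": [], "values": {
        r"C:\Windows\notepad.exe": r"C:\Windows\notepad.exe:*:Enabled:ipsec"}},
    LEGACY[0]: {"subkeys": [], "values": {}},
}

if __name__ == "__main__":
    snap = collect_windows() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for line in evaluate(snap) or ["no W32.Sality registry indicators found"]:
        print(line)
```

Run it from an elevated prompt on the suspect machine; on anything but Windows it falls back to the constructed infected snapshot so the output can be inspected. Individual hits (EnableLUA = 0 in particular) are set by administrators too, so weigh the findings together rather than treating any one as proof of infection.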
3.4 Infection Functionality
This virus checks that a file is not protected by the Windows file protection mechanism (SFC) before trying to infect it. It then infects unprotected executable files on local, removable and remote shared drives. At the entry point of the executable, it replaces the original host code to redirect execution to the polymorphic viral code located in the last section of the host file.
It also infects executables connected to the registry subkeys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
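The infection layout described in section 2 and again in section 3.4 (entry point rewritten to branch into viral code held in the host's last section) can be checked from the PE headers alone. The script below is an added example, not Symantec's detection logic, and it is a triage heuristic rather than a signature: runtime packers such as UPX also place the entry point in a late section, so a hit means "look closer", not "infected". It only parses headers, so the demonstration input is a constructed, header-only PE32 image built by the included build_pe helper; the section names and addresses in it are made up.

```python
"""Flag PE files whose entry point lies in the last section, the layout
W32.Sality produces when it appends its polymorphic body to a host.
Added example; header-only, so it never executes anything it reads."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Return (entry_rva, sections); each section is
    (name, virtual_address, virtual_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                        # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + 40 * i
        (name, vsize, va, rawsz, _, _, _, _, _, chars) = struct.unpack_from(
            SECTION_HDR, data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, va, vsize or rawsz, chars))
    return entry, sections


def triage(data):
    """Locate the section containing the entry point and flag the file when
    that section is the last one of a multi-section image."""
    entry, sections = parse_pe(data)
    hit = None
    for idx, (_, va, size, _) in enumerate(sections):
        if va <= entry < va + size:
            hit = idx
            break
    last = len(sections) - 1
    return {
        "entry_rva": entry,
        "section_index": hit,
        "section_name": sections[hit][0] if hit is not None else None,
        "last_section_executable": bool(sections[last][3] & IMAGE_SCN_MEM_EXECUTE)
        if sections else False,
        "flag": hit is not None and len(sections) > 1 and hit == last,
    }


def build_pe(entry_rva, sections):
    """Constructed header-only PE32 image for demonstration; sections is a
    list of (name, virtual_address, virtual_size, characteristics)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                   # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    headers = b"".join(
        struct.pack(SECTION_HDR, name.encode(), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


TEXT, DATA, RSRC = 0x60000020, 0xC0000040, 0x40000040     # typical characteristics
CLEAN = build_pe(0x1010, [(".text", 0x1000, 0x2000, TEXT),
                          (".data", 0x3000, 0x1000, DATA),
                          (".rsrc", 0x4000, 0x0800, RSRC)])
# Same host after a Sality-style infection: the last section has grown,
# been marked executable, and the entry point now points into it.
INFECTED = build_pe(0x4200, [(".text", 0x1000, 0x2000, TEXT),
                             (".data", 0x3000, 0x1000, DATA),
                             (".rsrc", 0x4000, 0x1800, RSRC | IMAGE_SCN_MEM_EXECUTE)])


def scan_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(image))
```

Pair a hit with the other indicators on this page (a last section that is both writable and executable, the SafeBoot deletions, the UDP listener) before acting on it, and leave files covered by Windows File Protection out of the scan, since the virus itself skips them.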
3.5 Downloader capabilities
The virus downloads and executes a variety of files including pay per install executables such as misleading applications. The flexibility of the downloader functionality lies in the continuous exchange of URL lists.
W32.Sality also contains an initial list of URLs to download and execute and may receive new URLs from other infected peers.
It will either directly download, decrypt and execute the specified binary, or download a list of URLs and then download, decrypt and execute the file behind each URL in the list.
3.6 Network Activity
W32.Sality participates in a peer-to-peer botnet using UDP. A variable listening port is generated (minimum 2199) based on the computer name and current executable file name and in some cases defaults to 9674.
It also contains a preconfigured list of up to 1000 peers (IP address and UDP port pairs). The goal of the P2P network is to exchange lists of URLs to feed to the downloader functionality. The P2P protocol offers only a few commands, the most important being:
- Ask a peer for its list of URLs
- Give a peer its own URL package
- Ask a peer to send the IP address and port of another peer in the botnet, in order to keep the list of peers up-to-date
All the peer-to-peer traffic is encrypted by means of RC4 encryption using static hard-coded keys.
Downloading
The virus downloads files based on predetermined URLs contained in exchanged lists. These files can include additional malware threats and pay per install applications. It is possible that downloaded files may be updated versions of the virus.
Uploading
W32.Sality will upload its own URL package to a peer.
Other network activity
None
4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":