W32.Sality is a file infector that spreads by infecting executable files and by replicating itself across network shares. Infected hosts join a peer-to-peer network used to propagate additional malware to the compromised computer. Typically, those additional programs are used to relay spam, proxy communications, steal private information, infect Web servers, or carry out distributed computing tasks such as password cracking.
The combination of the file infection mechanism, the fully decentralized peer-to-peer network, and other anti-security measures makes Sality one of the most effective and resilient pieces of malware in today's threat landscape. Estimates indicate that hundreds of thousands of machines are infected by Sality.
This paper gives an overview of Sality and briefly describes the architecture of the malware. The core of the paper focuses on the peer-to-peer characteristics of Sality and examines its strengths and potential limitations. Finally, I describe current trends and metrics for Sality.