A new variant of Sality, a memory-resident parasitic virus that uses an upgraded version of Simple Poly Engine v1.2a (c) sector, has surfaced. Visit http://blogs.totaldefense.com/securityblog.aspx for cloud-based endpoint security solutions for home and businesses.
Copyright © 2013 TotalDefense, Inc. | All rights reserved www.totaldefense.com Page 1
Sality gets upgrade
Sality is a family of polymorphic memory-resident Win32 parasitic viruses with a driver component. First discovered many years ago, the virus is still found in the wild. Although antiviruses detect known variants and prevent infection, the real problem is newly emerging upgraded variants.
Parasitic viruses are especially harmful because, unlike Trojans, they infect many of the user's files, so all of these files must be cured. The cure is not always possible because the viruses sometimes infect files incorrectly, causing file corruption; this is also the case with Sality. Then the only option is to reinstall the infected programs, which leaves the computer inoperable for a long time.
Additionally, Sality is a memory-resident virus. This means that the viral code runs not only in the infected file but also in threads injected into many processes. It is not enough to kill the infected process; the injected threads must also be stopped. This must be done fast and repeatedly because the virus re-infects memory, and a process that was just cured can become re-infected again. The memory cure can be performed with a memory cleaning utility. Another option is to boot from clean media or from the network so that the virus cannot run in memory, and then cure the files; obviously this requires stopping the infected computer's operation.
Recently a new variant was found. This variant is detected by the older Win32/Sality.AA detection, using a generic routine that was upgraded for the new variant.
This variant uses an upgraded version of the polymorphic engine called "Simple Poly Engine v1.2a (c) sector"; previous variants used version v1.1a. To understand the difference, consider the structure of the virus.
The virus, depending on the variant, either creates an additional section at the end of the file or expands the last section, and puts its encrypted body at the end of the file. This variant always expands the existing last section. Then the code at the entry point is overwritten with a polymorphic loader that transfers control to the virus. The loader is intended to be heavily obfuscated to avoid detection. What is new in this variant is that near Call or Jump instructions (opcodes E8 or E9) can be used to jump to the virus body, in addition to the methods used in previous variants. In older variants, less common and more virus-specific instruction sequences were used. Additionally, the virus uses meaningless import function calls, always with argument 0, for example:
mov eax,0          ; load the constant 0 into a register
push eax           ; push it as the only argument
call CloseHandle   ; meaningless import call: CloseHandle(0)
In the recent variant, the assignment of 0 to the register used is done in more obfuscated ways.
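Added example, not code from the TotalDefense write-up and not the generic routine it mentions: a Python triage heuristic that parses a PE's section table, decodes a near CALL/JMP (E8/E9) at the entry point and reports whether its target lands in the last section, the layout the loader described above produces. The build_sample_pe helper constructs a minimal PE32 image in memory so the check runs offline without a real sample.

```python
import struct

# Added heuristic (not TotalDefense code): flag a PE whose first entry-point
# instruction is a near CALL (E8) or JMP (E9) whose target lies inside the
# last section, the layout the loader above produces. Benign packers can
# match too, so treat a hit as a triage signal, not a verdict.

def entry_jumps_into_last_section(data: bytes):
    """Return (hit, target_rva); target_rva is None if EP is not E8/E9."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header start
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    secs = []
    for i in range(nsec):                    # 40-byte section headers
        _, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        secs.append((va, max(vsize, rawsize), rawptr))
    for va, size, rawptr in secs:            # map EP RVA to a file offset
        if va <= ep_rva < va + size:
            ep_off = rawptr + (ep_rva - va)
            break
    else:
        return False, None
    if data[ep_off] not in (0xE8, 0xE9):
        return False, None
    rel32 = struct.unpack_from("<i", data, ep_off + 1)[0]
    target = (ep_rva + 5 + rel32) & 0xFFFFFFFF
    last_va, last_size, _ = secs[-1]
    return last_va <= target < last_va + last_size, target

def build_sample_pe(ep_code: bytes) -> bytes:
    """Constructed minimal PE32 (not a real sample): .text at RVA 0x1000 holds
    ep_code at the entry point; .data, the last section, spans RVA 0x2000-0x3000."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                      # entry point
    secs = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    secs += struct.pack("<8sIIII", b".data", 0x1000, 0x2000, 0x1000, 0x400) + b"\0" * 16
    headers = (dos + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    return headers + ep_code.ljust(0x200, b"\xCC") + b"\0" * 0x1000
```

Only the first instruction at the entry point is inspected; the older, more virus-specific loader sequences the text mentions would need their own patterns.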
The subsequent work of the worm is not essentially different from other variants; only the names used and some details differ.
The worm infects memory and then begins to infect files slowly, not more than 20 files at once.
It replicates across the network by dropping infected files to the root of all drives, including hard drive C:: a specially crafted file that displays the content of the drive's root folder and is itself infected with the virus. An Autorun.inf referring to this file is also created so that the system runs it every time.
The virus creates mutexes named 'purity_control_4428' and 'kukutrusted!' to verify whether it is already running.
URLs used by the virus (some digits removed):
http://89.???.???.???/testo5
http://kukutrustnet???.info/home.gif
http://www.klkjwre?????eluoi.info
It creates a driver named amsint32.sys that monitors the network and prevents antivirus updates.
The virus looks for a number of antivirus and monitoring programs, including Total Defense AV, and tries to kill them.
About TotalDefense:
Total Defense (@Total_Defense) is a global leader in malware detection and anti-crimeware solutions. We offer a broad portfolio of leading security products for the consumer market used by over four million consumers worldwide. Our solutions also include the industry's first complete cloud security platform, providing fully integrated endpoint, web and email security through a single Web-based management console with a single set of enforceable security policies.
Total Defense is a former business of CA Technologies, one of the largest software companies in the world, and has operations in New York, California, Europe, Israel and Asia.
Visit http://www.totaldefense.com/ for web, cloud & mobile security solutions for home users and businesses.