The new viruses are acting like Transformers
Date: 5/30/2010 8:56 am
Views: 663
Sality, the virus that turned into the ultimate malware
Computer threats are continuously evolving, and some would even claim that they have made the leap from machine to man by infecting RFID microchips implanted under the skin. But even while they remain a “simple” IT issue, some malicious codes are hard to tackle because of their inherent complexity and a clever design that keeps security companies under constant pressure. A remarkable “intelligent” threat is, for instance, Sality, a new-generation file virus that, according to Symantec, has practically turned into an “all-in-one” malware incorporating botnet-like functionality as well.
First seen in 2003 in Russia, Sality has gradually changed from a traditional file virus - a “historical” type of malware that spreads through an executable vector such as a program file - into a complex menace with features spanning virus, trojan, backdoor, keylogger, rootkit and downloader. Recently Sality gained one of the features it was still lacking, when variants of the virus appeared with botnet functionality and the ability to communicate over a decentralized peer-to-peer network.
Symantec investigated those new variants and identified their pyramid structure, in which the botnet component serves to provide an encrypted, always up-to-date list of URLs from which the downloader can fetch new malicious code - that, the US company says, is Sality’s final goal. Sality’s botnet protocol, Symantec senior software engineer Nicolas Falliere writes, contacts an initial peer list of at most 1000 entries embedded in the virus body, looking for an active client able to communicate correctly with the bot.
Once a communication channel is set up, Sality checks whether the peer has a newer “package” of URLs to hand to the downloader component; otherwise, if the local package is newer than the contacted peer’s, it sends its own URL list, and it asks the peer for the IP address and port of another client available on the botnet. In this way Sality constantly updates (and carries along in every single infected executable file) both the list of remote addresses from which to download payloads and the list of active bots.
The P2P mechanism employed by Sality uses the UDP protocol and listens directly on network interfaces, two features that greatly decrease its effectiveness in the not-so-uncommon case where the infected system sits behind a firewall or a router. Even considering this important flaw, Symantec says, “Sality is a complex and complete threat” equipped with almost every malicious code feature, incorporating an “advanced file infector, efficient security products disabler, and flexible and decentralized P2P capabilities to propagate URLs and avoid static DNS or IP lockdown by authorities”.
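Because the botnet component exchanges UDP datagrams with many distinct peers drawn from an embedded list, a network-side heuristic can watch for exactly that fan-out. The following is an added illustration, not code from the article or from Symantec: the flow records, the internal range 10.0.0.0/8, the ignored ports and the threshold are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed flow summaries for this example (not from the article or Symantec).
# Fields: src_ip, dst_ip, proto, dst_port, bytes
SAMPLE_FLOWS = """\
10.0.0.5,198.51.100.7,udp,41231,62
10.0.0.5,203.0.113.44,udp,50002,58
10.0.0.5,198.51.100.90,udp,33871,60
10.0.0.5,192.0.2.17,udp,45120,61
10.0.0.5,203.0.113.200,udp,38999,59
10.0.0.5,198.51.100.33,udp,52431,62
10.0.0.5,192.0.2.250,udp,40017,58
10.0.0.9,192.0.2.53,udp,53,71
10.0.0.9,192.0.2.53,udp,53,68
10.0.0.9,192.0.2.53,udp,53,74
10.0.0.12,198.51.100.7,tcp,443,1420
10.0.0.12,203.0.113.44,tcp,443,990
"""

# Assumptions: the monitored site uses 10.0.0.0/8 internally, and UDP services
# that legitimately fan out to many servers (DNS, NTP) are excluded by port.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
NOISY_UDP_PORTS = {53, 123}


def udp_peer_fanout(flow_text, internal=INTERNAL_NET, ignore_ports=NOISY_UDP_PORTS):
    """Map each internal source host to its number of distinct external UDP peers."""
    peers = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        src, dst, proto, port, _ = row
        if proto != "udp" or int(port) in ignore_ports:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in internal or dst_ip in internal:
            continue  # only internal -> external traffic is of interest here
        peers[src].add(dst)
    return {src: len(p) for src, p in peers.items()}


def flag_p2p_candidates(flow_text, min_peers=5):
    """Hosts exchanging UDP with at least min_peers distinct external addresses."""
    fanout = udp_peer_fanout(flow_text)
    return sorted(src for src, n in fanout.items() if n >= min_peers)
```

The threshold and ignored ports must be tuned against the environment's own baseline; a NAT gateway or a host running a legitimate P2P application will show the same fan-out pattern, so a hit is a lead for investigation, not a verdict.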
From an analysis performed with a “rogue P2P client” written to join the malicious network, Symantec has determined that the Sality botnet covers something like 100,000 computers. That bot count is below the one reached by giants like Conficker but similar in size to other botnets such as Storm, Pandex and Rustock. What remains clear is the demonstration of Sality’s unique threat: a malware that has been floating around for seven years and shows no intention of quickly disappearing from the net.