A new version of Sality at large

Last Friday, Kaspersky Lab’s experts detected a new variant of Sality.aa, which is at present the most popular polymorphic virus. Sality.aa last mutated about a year ago, and the change was not too dramatic. However, within the last two years this virus has remained one of the TOP-5 malicious programs most often detected on users’ computers. Sality’s previous variants were not as popular. After Sality.aa, a new version called Sality.ae came out, which used the EPO infection technique. However, it failed to gain any ground with cybercriminals as it used a simple decrypting algorithm and an inefficient infection technique. All subsequent versions of the malicious program failed to win popularity as well due to their very simple decrypting algorithms.

The newly discovered variant was dubbed Sality.ag. Why so much interested in this one? It contains a fundamentally new decryption algorithm and a host of ‘advanced features’. As we see it, the new variant has every chance of replacing the older Sality.aa version and is likely to become very popular.

Due to its functional capabilities, this virus should be classified as a backdoor. Once within a system, the first thing that Sality.ag does is to install its DLL and a driver to filter the Internet traffic. The DLL is used to repel any types of security software and firewalls.

Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.

A screenshot of a part of the unpacked DLL used by Sality.ag

The virus also writes extra records to the system registry which would terminate TaskManager and UAC, and adds the driver to the registry branch “SystemCurrentControlSetControlSafeBoot”. This allows the driver to boot in safe mode.

The driver creates a device called “amsint32” and communicates with “DeviceIPFILTERDRIVER”, the IP-packet filter driver, so that it can filter any Internet traffic. The driver file is contained in the DLL stored within the virus body and packed with UPX.

At the same time, the main body of the virus creates synchronization objects to identify launches of the infected files “uxJLpe1m” and “Ap1mutx7”. It also installs the above DLL and downloads service data from the below URLs:

http://sagocugenc.sa.funpic.de/images/*****[.]gif
http://www.eleonuccorini.com/images/*****[.]gif
http://www.cityofangelsmagazine.com/images/*****[.]gif
http://www.21yybuyukanadolu.com/images/*****[.]gif
http://yucelcavdar.com/*****[.]gif
http://www.luster-adv.com/gallery/Fusion/images/*****[.]gif

Having finished all the arrangements, Sality attempts to establish a connection to a remote C&C server and continues operation as a regular backdoor, executing any commands it receives from the C&server.

The infection technique employed remains similar to that used in Sality.aa, the previous variant. The entry point code is replaced with an instruction to jump to the main body. The jump instruction is a regular “jump indirect on the register” (jmp reg) instruction which is heavily obfuscated. The body size is 0x11000 bytes and is located at the end of the last section which is expanded for this purpose. “Write-accessible” and “execution enabled” flags are added to the section. The first 0x1000 bytes of the code are heavily obfuscated and perform decryption of the rest of the code. While Sality.aa used the RC4 algorithm, this version uses an algorithm that deciphers two double words in one cycle. Each cycle includes 0x3F iterations which use the add, subtract and shift operations and involve a table of double words at start of the infected portion.