A new version of Sality at large

Last Friday, Kaspersky Lab’s experts detected a new variant of Sality.aa, which is at present the most popular polymorphic virus. Sality.aa last mutated about a year ago, and the change was not too dramatic. However, within the last two years this virus has remained one of the TOP-5 malicious programs most often detected on users’ computers. Sality’s previous variants were not as popular. After Sality.aa, a new version called Sality.ae came out, which used the EPO infection technique. However, it failed to gain any ground with cybercriminals as it used a simple decrypting algorithm and an inefficient infection technique. All subsequent versions of the malicious program failed to win popularity as well due to their very simple decrypting algorithms.

The newly discovered variant was dubbed Sality.ag. Why so much interest in this one? It contains a fundamentally new decryption algorithm and a host of ‘advanced features’. As we see it, the new variant has every chance of replacing the older Sality.aa version and is likely to become very popular.

Given its functionality, this virus should be classified as a backdoor. Once inside a system, the first thing Sality.ag does is install its DLL and a driver that filters Internet traffic. The DLL is used to fend off security software and firewalls of any kind.

Below is a screenshot of the unpacked DLL. It contains strings that show the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes whose names are associated with security products.


A screenshot of a part of the unpacked DLL used by Sality.ag

The virus also writes records to the system registry that disable Task Manager and UAC, and adds the driver under the registry branch “System\CurrentControlSet\Control\SafeBoot”. This allows the driver to load in safe mode as well.

The driver creates a device called “amsint32” and communicates with “\Device\IPFILTERDRIVER”, the IP-packet filter driver, so that it can filter any Internet traffic. The driver file is contained in the DLL, which is stored within the virus body and packed with UPX.

At the same time, the main body of the virus creates the synchronization objects “uxJLpe1m” and “Ap1mutx7”, which let it detect whether an infected file has already been launched. It also installs the above DLL and downloads service data from the URLs listed below:
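The persistence and self-protection artifacts described in the last three paragraphs (the Task Manager and UAC records, the SafeBoot entry for the driver, the “amsint32” device and the two synchronization objects) are exactly the kind of thing an incident responder checks for in a registry export and a handle listing. The following triage script is an added example and not code from Kaspersky Lab or the article; the object names come from the write-up, while the policy value names DisableTaskMgr and EnableLUA are an assumption (the article does not say which values the virus writes, these are the standard Windows values that control those two features), and all sample records are constructed.

```python
import re

# Object names taken from the write-up: the two synchronisation objects the
# infected host creates and the device name registered by the driver.
SALITY_AG_OBJECT_NAMES = {"uxJLpe1m", "Ap1mutx7", "amsint32"}

# The article says only that records disabling Task Manager and UAC are
# written; which values are used is an assumption. These are the standard
# Windows policy values that control those two features.
POLICY_KEY_SUFFIX = r"\microsoft\windows\currentversion\policies\system"
POLICY_VALUES = {
    "disabletaskmgr": ("1", "Task Manager disabled (DisableTaskMgr=1)"),
    "enablelua": ("0", "UAC disabled (EnableLUA=0)"),
}

# Subkeys under SafeBoot\Minimal and SafeBoot\Network name the drivers and
# services Windows allows to load in safe mode.
SAFEBOOT_RE = re.compile(r"\\control\\safeboot\\(minimal|network)\\([^\\]+)$")


def triage_registry(records):
    """records: iterable of (key_path, value_name, data) tuples, as a registry
    export or a live enumeration would yield. Returns a list of findings."""
    known = {n.lower() for n in SALITY_AG_OBJECT_NAMES}
    findings = []
    for key, name, data in records:
        k, n, d = key.lower(), name.lower(), str(data).strip().lower()
        if k.endswith(POLICY_KEY_SUFFIX) and n in POLICY_VALUES:
            expected, message = POLICY_VALUES[n]
            if d == expected:
                findings.append(f"{message} at {key}")
        m = SAFEBOOT_RE.search(k)
        if m and m.group(2) in known:
            findings.append(
                f"known Sality.ag driver '{m.group(2)}' allowed in safe mode "
                f"(SafeBoot\\{m.group(1)}) at {key}")
    return findings


def triage_objects(object_names):
    """object_names: mutex/device names from a handle listing (full object
    paths accepted). Returns the sorted subset matching the known names."""
    hits = set()
    for full in object_names:
        base = full.rsplit("\\", 1)[-1]
        if base in SALITY_AG_OBJECT_NAMES:
            hits.add(base)
    return sorted(hits)


# Constructed sample data: three records planted as the article describes,
# plus two benign ones (SafeBoot\Minimal\Base is a normal entry).
SAMPLE_RECORDS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\amsint32", "", "Driver"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base", "", "Driver Group"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Updater", r"C:\Program Files\Updater\updater.exe"),
]
SAMPLE_OBJECTS = [
    r"\Sessions\1\BaseNamedObjects\uxJLpe1m",
    r"\Sessions\1\BaseNamedObjects\Ap1mutx7",
    r"\Device\amsint32",
    r"\Sessions\1\BaseNamedObjects\SM0:1234:168:WilStaging_02",
]

if __name__ == "__main__":
    for line in triage_registry(SAMPLE_RECORDS):
        print("[registry]", line)
    print("[objects]", ", ".join(triage_objects(SAMPLE_OBJECTS)))
```

The SafeBoot check deliberately matches only the driver name the article gives; in practice you would compare the whole SafeBoot\Minimal and SafeBoot\Network subkey lists against a clean baseline, since any unexpected driver or service there deserves a look.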






Having finished all these preparations, Sality attempts to establish a connection to a remote C&C server and continues operating as a regular backdoor, executing any commands it receives from the C&C server.

The infection technique remains similar to the one used in Sality.aa, the previous variant. The entry point code is replaced with an instruction that jumps to the main body. The jump is a regular indirect jump through a register (jmp reg), heavily obfuscated. The body is 0x11000 bytes in size and is located at the end of the last section, which is expanded for this purpose; the “writable” and “executable” flags are added to that section. The first 0x1000 bytes of the code are heavily obfuscated and decrypt the rest of the code. While Sality.aa used the RC4 algorithm, this version uses an algorithm that deciphers two double words per cycle. Each cycle consists of 0x3F iterations using add, subtract and shift operations, and involves a table of double words located at the start of the infected portion.
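The structural trace this infection leaves in a PE file (last section expanded by at least the 0x11000-byte body, with the writable and executable flags added to it) can be checked without any disassembly. The following script is an added example, not code from the article or from Kaspersky Lab: it walks the PE section table with the standard library only and applies that heuristic, and it constructs its own tiny two-section PE32 image (not a real program) so the check can be run offline.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX_MASK = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
SALITY_AG_BODY_SIZE = 0x11000  # size of the appended body, per the write-up


def parse_sections(data):
    """Minimal PE header walk. Returns (entry_point_rva, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    entry_rva, = struct.unpack_from("<I", data, e_lfanew + 24 + 16)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _relocs, _lines, _nrelocs, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "va": va, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def last_section_looks_infected(data):
    """Heuristic from the description: the last section has been made both
    writable and executable and is large enough to hold the 0x11000-byte body."""
    _, sections = parse_sections(data)
    if not sections:
        return False
    last = sections[-1]
    rwx = (last["chars"] & RWX_MASK) == RWX_MASK
    return rwx and last["raw_size"] >= SALITY_AG_BODY_SIZE


def build_minimal_pe(last_chars, last_raw_size):
    """Constructs a tiny two-section PE32 image (headers only, no real code)
    so the heuristic can be exercised offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint

    def section(name, vsize, va, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    text = section(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)  # code, R+X
    tail = section(b".rsrc", last_raw_size, 0x2000, last_raw_size, 0x400, last_chars)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + tail
    return image.ljust(0x400 + last_raw_size, b"\0")


if __name__ == "__main__":
    clean = build_minimal_pe(0x40000040, 0x800)       # initialized data, read-only
    infected = build_minimal_pe(0xE0000040, 0x11000)  # same section, now R+W+X and grown
    print("clean:", last_section_looks_infected(clean))
    print("infected:", last_section_looks_infected(infected))
```

This is a triage filter, not a signature: packers such as UPX also leave writable and executable sections, so a hit means “look closer at the entry point and the tail of the last section”, not “infected”. Note that the entry point itself does not move into the last section in this technique, which is why the check looks at section flags and size rather than at where the entry point lies.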
