win.sality

Sality

Actor(s): Salty Spider


F-Secure states that the Sality virus family has been circulating in the wild since at least 2003. Over the years the malware has been developed and improved with new features, such as rootkit and backdoor functionality, which has kept it an active and relevant threat despite its age.

Modern Sality variants can also communicate over a peer-to-peer (P2P) network, which lets the operators control the infected machines as a botnet. The combined resources of that botnet may also be used by its controller(s) for other malicious actions, such as attacking routers.

Infection
Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the virus simply added its own code to the end of the infected (host) file, a technique known as appending. The viral code Sality inserts is polymorphic, meaning it is rewritten on each infection (the body is re-encrypted behind a freshly generated decryptor), so infected files share no fixed byte pattern and both signature-based detection and manual analysis become more difficult.

Later Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence. Instead of changing the entry point recorded in the file's header, the virus overwrites an instruction somewhere in the middle of the host's code with a jump to the viral body: the program starts normally and is diverted only when execution reaches the patched instruction. Because the header still points at legitimate code, scanners that inspect only the entry point region miss the infection, and disinfection has to locate and restore the overwritten instruction, which makes both discovery and clean-up harder.
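The following is an added example, not code from the Malpedia page or from any of the referenced papers. It is a standard-library Python 3 script that parses a PE32 header and applies the header-level checks a responder would run over a suspected host file: which section the entry point lands in, whether any section is both writable and executable (the usual signature of a grown, appended last section), and whether bytes sit past the last section. It constructs its own three sample images (a clean host, an appending-style infection, and an EPO-style infection) so that it runs offline; the section contents, the `build_pe` helper and all names are illustrative assumptions, not real Sality bytes. The point it demonstrates is the one made above: the entry-point check catches the appending variant and misses the EPO variant, whose header entry point still points at legitimate code.

```python
import struct

# IMAGE_SECTION_HEADER characteristic bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, ep_section, ep_offset):
    """Assemble a minimal PE32 image for offline testing (constructed, not loadable).

    sections: list of (name, characteristics, content); section i is mapped at
    RVA 0x1000*(i+1) and stored 0x200-aligned on disk. AddressOfEntryPoint is
    set ep_offset bytes into section ep_section.
    """
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                                   # e_lfanew
    hdr += b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # COFF header
    opt = bytearray(224)                                                    # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x1000 * (ep_section + 1) + ep_offset)  # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                         # Section/FileAlignment
    hdr += opt
    body, raw_ptr = b"", 0x200
    for i, (name, chars, content) in enumerate(sections):
        raw_size = _align(len(content), 0x200)
        hdr += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(content),
                           0x1000 * (i + 1), raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes(hdr.ljust(0x200, b"\0")) + body


def parse_pe(data):
    """Return (AddressOfEntryPoint, section list) for a PE32 file; header fields only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":   # same 0x4550 check Sality's own code performs
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from(SECTION_HDR, data, opt + size_opt + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return entry_point, sections


def analyse(data):
    """Header-level heuristics for appending infectors; blind to the EPO jump itself."""
    ep, sections = parse_pe(data)
    findings = []
    ep_sec = next((s for s in sections
                   if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        findings.append("entry point lies outside every section")
    elif len(sections) > 1 and ep_sec is sections[-1]:
        findings.append(f"entry point moved into last section {ep_sec['name']}")
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
    end = max(s["rawptr"] + s["rawsize"] for s in sections)
    if len(data) > end:
        findings.append(f"{len(data) - end} bytes of overlay after the last section")
    return {"entry_point": ep, "entry_section": ep_sec["name"] if ep_sec else None,
            "findings": findings}


# Constructed sample images for the demonstration; none of this is real Sality code.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
HOST_CODE = bytes.fromhex("558bec33c05dc3").ljust(64, b"\x90")  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret; nops
HOST_DATA = b"hello\0".ljust(32, b"\0")
VIRAL_BODY = b"\xcc" * 96                                         # stand-in for decryptor + encrypted body

CLEAN_PE = build_pe([(b".text", CODE, HOST_CODE), (b".data", DATA, HOST_DATA)], 0, 0)

# Appending infection: body glued onto the last section, which is made executable,
# and the header entry point redirected to it.
APPENDED_PE = build_pe([(b".text", CODE, HOST_CODE),
                        (b".data", DATA | IMAGE_SCN_MEM_EXECUTE, HOST_DATA + VIRAL_BODY)],
                       1, len(HOST_DATA))

# EPO infection: same appended body, header entry point untouched; a JMP rel32
# overwrites an instruction in the middle of the host code instead.
_patched = bytearray(HOST_CODE)
_jmp_rva, _target_rva = 0x1000 + 8, 0x2000 + len(HOST_DATA)
_patched[8:13] = b"\xe9" + struct.pack("<i", _target_rva - (_jmp_rva + 5))
EPO_PE = build_pe([(b".text", CODE, bytes(_patched)),
                   (b".data", DATA | IMAGE_SCN_MEM_EXECUTE, HOST_DATA + VIRAL_BODY)], 0, 0)
```

Calling `analyse()` on the three images returns no findings for the clean host, an entry-point finding plus a writable-and-executable finding for the appended infection, and only the writable-and-executable finding for the EPO variant, whose `AddressOfEntryPoint` still sits at the start of `.text`. Treat the W+X check as a hint rather than proof: packers and some compilers emit such sections legitimately, and the heuristic cannot see the patched jump at all; finding that requires disassembling the host code or diffing against a known-good copy of the file.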

Payload
Once installed on a system, Sality viruses usually also execute a malicious payload. The specific actions depend on the variant, but Sality generally attempts to terminate processes, particularly those belonging to security products. It may also open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

References
2022-07-14 | Dragos | Sam Hanson
@online{hanson:20220714:trojan:831b636, author = {Sam Hanson}, title = {{The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators}}, date = {2022-07-14}, organization = {Dragos}, url = {https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/}, language = {English}, urldate = {2022-07-18} }
Sality
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} }
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} }
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2021-10-27 | Mandiant | Ken Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker
@online{proska:20211027:portable:437b9c1, author = {Ken Proska and Corey Hildebrandt and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Portable Executable File Infecting Malware Is Increasingly Found in OT Networks}}, date = {2021-10-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pe-file-infecting-malware-ot}, language = {English}, urldate = {2021-11-08} }
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2020-05-24 | Palo Alto Networks Unit 42 | Ajaya Neupane, Stefan Achleitner
@online{neupane:20200524:using:2f77c1c, author = {Ajaya Neupane and Stefan Achleitner}, title = {{Using AI to Detect Malicious C2 Traffic}}, date = {2020-05-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/c2-traffic/}, language = {English}, urldate = {2021-06-09} }
Emotet Sality
2017-10-29 | quangnh89
@online{quangnh89:20171029:sality:c8a91cd, author = {quangnh89}, title = {{Sality Configuration Extractor (sality_extractor.py)}}, date = {2017-10-29}, url = {https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py}, language = {Python}, urldate = {2021-05-08} }
Sality
2017-05 | IEEE | Lorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Tongaonkar, Somesh Jha
@online{carli:201705:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2021-10-11} }
Ramnit Sality ZeroAccess
2015-12-02 | Botconf | Peter Kleissner
@techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} }
Sality
2011-07 | Symantec | Nicolas Falliere
@techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peer-to-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} }
Sality
Yara Rules
[TLP:WHITE] win_sality_auto (20230715 | Detects win.sality.)
rule win_sality_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.sality."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 51 ff15???????? 8d95fcfeffff 52 ff15???????? 8b85d4fdffff }
            // n = 6, score = 400
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   8d95fcfeffff         | lea                 edx, [ebp - 0x104]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b85d4fdffff         | mov                 eax, dword ptr [ebp - 0x22c]

        $sequence_1 = { 51 ff15???????? a3???????? 833d????????00 7505 }
            // n = 5, score = 400
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   a3????????           |                     
            //   833d????????00       |                     
            //   7505                 | jne                 7

        $sequence_2 = { 66ab aa c78574efffff00000000 c78578efffff00000000 c78568eeffff00000000 33c0 89856ceeffff }
            // n = 7, score = 400
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   c78574efffff00000000     | mov    dword ptr [ebp - 0x108c], 0
            //   c78578efffff00000000     | mov    dword ptr [ebp - 0x1088], 0
            //   c78568eeffff00000000     | mov    dword ptr [ebp - 0x1198], 0
            //   33c0                 | xor                 eax, eax
            //   89856ceeffff         | mov                 dword ptr [ebp - 0x1194], eax

        $sequence_3 = { 66ab aa ff15???????? a3???????? a1???????? }
            // n = 5, score = 400
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   ff15????????         |                     
            //   a3????????           |                     
            //   a1????????           |                     

        $sequence_4 = { 66ab aa c785d4fdffff00000000 8d85ccfdffff 8985ccfdffff c785c8fdffff00000000 68f8000000 }
            // n = 7, score = 400
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   c785d4fdffff00000000     | mov    dword ptr [ebp - 0x22c], 0
            //   8d85ccfdffff         | lea                 eax, [ebp - 0x234]
            //   8985ccfdffff         | mov                 dword ptr [ebp - 0x234], eax
            //   c785c8fdffff00000000     | mov    dword ptr [ebp - 0x238], 0
            //   68f8000000           | push                0xf8

        $sequence_5 = { 66ab aa c785bcfeffff00000000 b94f000000 33c0 8dbdc0feffff f3ab }
            // n = 7, score = 400
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   c785bcfeffff00000000     | mov    dword ptr [ebp - 0x144], 0
            //   b94f000000           | mov                 ecx, 0x4f
            //   33c0                 | xor                 eax, eax
            //   8dbdc0feffff         | lea                 edi, [ebp - 0x140]
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax

        $sequence_6 = { 833d????????00 7e0d 6800010000 ff15???????? ebea }
            // n = 5, score = 400
            //   833d????????00       |                     
            //   7e0d                 | jle                 0xf
            //   6800010000           | push                0x100
            //   ff15????????         |                     
            //   ebea                 | jmp                 0xffffffec

        $sequence_7 = { 66ab aa c785f4efffff00000000 c785f8efffff00000000 c745fc00000000 }
            // n = 5, score = 400
            //   66ab                 | stosw               word ptr es:[edi], ax
            //   aa                   | stosb               byte ptr es:[edi], al
            //   c785f4efffff00000000     | mov    dword ptr [ebp - 0x100c], 0
            //   c785f8efffff00000000     | mov    dword ptr [ebp - 0x1008], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_8 = { ff95bc154000 85c0 7403 eb0c 58 e8???????? }
            // n = 6, score = 200
            //   ff95bc154000         | call                dword ptr [ebp + 0x4015bc]
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   eb0c                 | jmp                 0xe
            //   58                   | pop                 eax
            //   e8????????           |                     

        $sequence_9 = { 8b5d0c b11c 8b4508 d3e8 }
            // n = 4, score = 200
            //   8b5d0c               | mov                 ebx, dword ptr [ebp + 0xc]
            //   b11c                 | mov                 cl, 0x1c
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   d3e8                 | shr                 eax, cl

        $sequence_10 = { 03763c 813e50450000 0f857d000000 8b7c2410 b996000000 32c0 f2ae }
            // n = 7, score = 200
            //   03763c               | add                 esi, dword ptr [esi + 0x3c]
            //   813e50450000         | cmp                 dword ptr [esi], 0x4550
            //   0f857d000000         | jne                 0x83
            //   8b7c2410             | mov                 edi, dword ptr [esp + 0x10]
            //   b996000000           | mov                 ecx, 0x96
            //   32c0                 | xor                 al, al
            //   f2ae                 | repne scasb         al, byte ptr es:[edi]

        $sequence_11 = { 1c69 2f 8803 43 80e904 73ec }
            // n = 6, score = 200
            //   1c69                 | sbb                 al, 0x69
            //   2f                   | das                 
            //   8803                 | mov                 byte ptr [ebx], al
            //   43                   | inc                 ebx
            //   80e904               | sub                 cl, 4
            //   73ec                 | jae                 0xffffffee

        $sequence_12 = { 8dbd5d154000 b909000000 f3a6 750e }
            // n = 4, score = 200
            //   8dbd5d154000         | lea                 edi, [ebp + 0x40155d]
            //   b909000000           | mov                 ecx, 9
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]
            //   750e                 | jne                 0x10

        $sequence_13 = { 73ec 8b450c c9 c20800 }
            // n = 4, score = 200
            //   73ec                 | jae                 0xffffffee
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c9                   | leave               
            //   c20800               | ret                 8

        $sequence_14 = { 8b4510 ff35???????? 8f80b8000000 ff35???????? 8f80c4000000 }
            // n = 5, score = 200
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   ff35????????         |                     
            //   8f80b8000000         | pop                 dword ptr [eax + 0xb8]
            //   ff35????????         |                     
            //   8f80c4000000         | pop                 dword ptr [eax + 0xc4]

        $sequence_15 = { 52 50 ff95bc154000 85c0 7415 }
            // n = 5, score = 200
            //   52                   | push                edx
            //   50                   | push                eax
            //   ff95bc154000         | call                dword ptr [ebp + 0x4015bc]
            //   85c0                 | test                eax, eax
            //   7415                 | je                  0x17

        $sequence_16 = { 8b4508 df28 df7de0 df6de0 d81d???????? }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   df28                 | fild                qword ptr [eax]
            //   df7de0               | fistp               qword ptr [ebp - 0x20]
            //   df6de0               | fild                qword ptr [ebp - 0x20]
            //   d81d????????         |                     

        $sequence_17 = { 3a4411ff 7454 8b4d08 8b4508 85c0 }
            // n = 5, score = 100
            //   3a4411ff             | cmp                 al, byte ptr [ecx + edx - 1]
            //   7454                 | je                  0x56
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax

        $sequence_18 = { e8???????? 68???????? a1???????? ff7074 e8???????? }
            // n = 5, score = 100
            //   e8????????           |                     
            //   68????????           |                     
            //   a1????????           |                     
            //   ff7074               | push                dword ptr [eax + 0x74]
            //   e8????????           |                     

        $sequence_19 = { 8948fc c6040800 eb25 51 e8???????? 8b13 }
            // n = 6, score = 100
            //   8948fc               | mov                 dword ptr [eax - 4], ecx
            //   c6040800             | mov                 byte ptr [eax + ecx], 0
            //   eb25                 | jmp                 0x27
            //   51                   | push                ecx
            //   e8????????           |                     
            //   8b13                 | mov                 edx, dword ptr [ebx]

        $sequence_20 = { 83c410 e9???????? ff33 e8???????? 83c304 ff4c2414 }
            // n = 6, score = 100
            //   83c410               | add                 esp, 0x10
            //   e9????????           |                     
            //   ff33                 | push                dword ptr [ebx]
            //   e8????????           |                     
            //   83c304               | add                 ebx, 4
            //   ff4c2414             | dec                 dword ptr [esp + 0x14]

        $sequence_21 = { 83f8ff 7505 e9???????? 56 e8???????? }
            // n = 5, score = 100
            //   83f8ff               | cmp                 eax, -1
            //   7505                 | jne                 7
            //   e9????????           |                     
            //   56                   | push                esi
            //   e8????????           |                     

        $sequence_22 = { ff75f3 e8???????? 85c0 754d 68???????? }
            // n = 5, score = 100
            //   ff75f3               | push                dword ptr [ebp - 0xd]
            //   e8????????           |                     
            //   85c0                 | test                eax, eax
            //   754d                 | jne                 0x4f
            //   68????????           |                     

        $sequence_23 = { 50 53 8bd8 0bc9 7518 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   53                   | push                ebx
            //   8bd8                 | mov                 ebx, eax
            //   0bc9                 | or                  ecx, ecx
            //   7518                 | jne                 0x1a

    condition:
        7 of them and filesize < 1523712
}