win.sality

Sality

Actor(s): Salty Spider


F-Secure states that the Sality virus family has been circulating in the wild since as early as 2003. Over the years the malware has been developed and extended with new features, such as rootkit and backdoor functionality, which has kept it an active and relevant threat despite its age.

Modern Sality variants also communicate over a peer-to-peer (P2P) network, which lets the controller(s) operate the infected machines as a botnet. The combined resources of that botnet may also be used for other malicious actions, such as attacking routers.

Infection
Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as appending. The viral code that Sality inserts is polymorphic: it is rewritten differently for each infection so that no fixed byte pattern identifies it, which complicates both signature-based detection and manual analysis.

Earlier Sality variants were regarded as technically sophisticated in that they use an Entry Point Obscuration (EPO) technique to hide their presence in the host file. Rather than changing the file's entry point to point straight at the appended code (the most obvious sign of an infected executable), the virus patches an instruction somewhere in the middle of the host's own code; when execution reaches that instruction it 'jumps' to the viral code, which runs and then returns control to the host. This makes both discovery and disinfection of the malicious code harder, because the file header looks untouched and the cleaner has to locate and restore the patched instruction.
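As an added illustration of the two infection traits described above (this is not code from F-Secure, Malpedia or any published Sality analysis), the following Python script parses a PE32 section table with only the standard library and applies two heuristics: whether the entry point lies in the last section (the tell of a plain appender that rewrites the header entry point) and whether an executable section contains a call/jmp rel32 whose target lands in the last section (one tell of EPO). The PE images it checks are constructed in memory; the section name `.viral`, the RVAs, the characteristics values and the filler bytes are invented for the demonstration and are not Sality artifacts.

```python
import struct
from collections import namedtuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FILE_ALIGN = 0x200

Section = namedtuple("Section", "name rva vsize raw_ptr raw_size chars")


def parse_pe(data):
    """Minimal PE32 parser: returns (AddressOfEntryPoint, [Section, ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i         # section headers follow the optional header
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                rva, vsize, raw_ptr, raw_size, chars))
    return entry, sections


def section_of(sections, rva):
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            return s
    return None


def cross_section_jumps(data, sections):
    """EPO heuristic: E8/E9 rel32 in an executable section whose target is the last section."""
    hits, last = [], sections[-1]
    for s in sections:
        if s is last or not s.chars & IMAGE_SCN_MEM_EXECUTE:
            continue
        code = data[s.raw_ptr:s.raw_ptr + s.raw_size]
        for i in range(len(code) - 4):
            if code[i] in (0xE8, 0xE9):       # call rel32 / jmp rel32
                rel = struct.unpack_from("<i", code, i + 1)[0]
                src = s.rva + i
                dst = (src + 5 + rel) & 0xFFFFFFFF
                if section_of(sections, dst) is last:
                    hits.append((src, dst))
    return hits


def assess(data):
    entry, sections = parse_pe(data)
    ep_sec, last = section_of(sections, entry), sections[-1]
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return {
        "entry_section": ep_sec.name if ep_sec else None,
        "entry_in_last_section": ep_sec is last,
        "last_section_rwx": (last.chars & rwx) == rwx,
        "epo_jumps": cross_section_jumps(data, sections),
    }


def build_pe(entry_rva, sections):
    """Constructed PE32 image, filled in only as far as parse_pe needs; sections = [(name, rva, chars, data)]."""
    opt_size, nsec = 224, len(sections)
    hdr_size = -(-(0x40 + 24 + opt_size + 40 * nsec) // FILE_ALIGN) * FILE_ALIGN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    hdrs, body, raw_ptr = b"", b"", hdr_size
    for name, rva, chars, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                            rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_size, b"\0") + body


# Constructed samples (hypothetical layout, not taken from a real Sality infection).
TEXT_RVA, DATA_RVA, VIRAL_RVA = 0x1000, 0x2000, 0x3000
CODE_RX = 0x60000020    # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA_RW = 0xC0000040    # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
CODE_RWX = 0xE0000020   # CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE
HOST_CODE = b"\xB8\x01\x00\x00\x00\xC3".ljust(0x100, b"\xCC")   # mov eax,1; ret; int3 padding


def clean_sample():
    return build_pe(TEXT_RVA, [(".text", TEXT_RVA, CODE_RX, HOST_CODE),
                               (".data", DATA_RVA, DATA_RW, b"\0" * 0x40)])


def infected_sample(epo):
    """Host plus an appended '.viral' section. epo=True patches a jmp into .text and leaves the
    header entry point alone; epo=False redirects the header entry point to the appended code."""
    text, entry = bytearray(HOST_CODE), TEXT_RVA
    if epo:
        at = 0x10
        text[at:at + 5] = b"\xE9" + struct.pack("<i", VIRAL_RVA - (TEXT_RVA + at + 5))
    else:
        entry = VIRAL_RVA
    return build_pe(entry, [(".text", TEXT_RVA, CODE_RX, bytes(text)),
                            (".data", DATA_RVA, DATA_RW, b"\0" * 0x40),
                            (".viral", VIRAL_RVA, CODE_RWX, b"\x90" * 0x80)])


if __name__ == "__main__":
    for label, img in (("clean", clean_sample()), ("epo", infected_sample(True)),
                       ("ep-redirect", infected_sample(False))):
        print(label, assess(img))
```

The linear E8/E9 scan is deliberately naive: on real binaries those bytes also occur inside immediates and data, and an infector can reach its code through other instruction forms, so treat a hit as a lead to confirm with a disassembler rather than a verdict. The entry-point check is the cheaper and more reliable of the two, which is exactly why EPO infectors avoid triggering it.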

Payload
Beyond infecting files, Sality variants usually also execute a malicious payload. The exact actions depend on the variant, but Sality generally attempts to terminate processes, particularly those belonging to security products. It may also open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

References
2022-07-14 | Dragos | Sam Hanson
@online{hanson:20220714:trojan:831b636, author = {Sam Hanson}, title = {{The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators}}, date = {2022-07-14}, organization = {Dragos}, url = {https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/}, language = {English}, urldate = {2022-07-18} }
Sality
2022-04-20 | CISA | CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} }
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | CISA | CISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} }
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2021-10-27 | Mandiant | Ken Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker
@online{proska:20211027:portable:437b9c1, author = {Ken Proska and Corey Hildebrandt and Daniel Kapellmann Zafra and Nathan Brubaker}, title = {{Portable Executable File Infecting Malware Is Increasingly Found in OT Networks}}, date = {2021-10-27}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/pe-file-infecting-malware-ot}, language = {English}, urldate = {2021-11-08} }
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2020-05-24 | Palo Alto Networks Unit 42 | Ajaya Neupane, Stefan Achleitner
@online{neupane:20200524:using:2f77c1c, author = {Ajaya Neupane and Stefan Achleitner}, title = {{Using AI to Detect Malicious C2 Traffic}}, date = {2020-05-24}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/c2-traffic/}, language = {English}, urldate = {2021-06-09} }
Emotet Sality
2017-10-29 | quangnh89
@online{quangnh89:20171029:sality:c8a91cd, author = {quangnh89}, title = {{Sality Configuration Extractor (sality_extractor.py)}}, date = {2017-10-29}, url = {https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py}, language = {Python}, urldate = {2021-05-08} }
Sality
2017-05 | IEEE | Lorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Tongaonkar, Somesh Jha
@online{carli:201705:botnet:18f6b9a, author = {Lorenzo De Carli and Ruben Torres and Gaspar Modelo-Howard and Alok Tongaonkar and Somesh Jha}, title = {{Botnet Protocol Inference in the Presence of Encrypted Traffic}}, date = {2017-05}, organization = {IEEE}, url = {https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail}, language = {English}, urldate = {2021-10-11} }
Ramnit Sality ZeroAccess
2015-12-02 | Botconf | Peter Kleissner
@techreport{kleissner:20151202:sality:791ea01, author = {Peter Kleissner}, title = {{Sality: 2003 - Today}}, date = {2015-12-02}, institution = {Botconf}, url = {https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf}, language = {English}, urldate = {2020-01-13} }
Sality
2011-07 | Symantec | Nicolas Falliere
@techreport{falliere:201107:sality:85158ba, author = {Nicolas Falliere}, title = {{Sality: Story of a Peer-to-Peer Viral Network}}, date = {2011-07}, institution = {Symantec}, url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf}, language = {English}, urldate = {2019-11-28} }
Sality
Yara Rules
[TLP:WHITE] win_sality_auto (20230125 | Detects win.sality.)
rule win_sality_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sality."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a40 8d85f0fdffff 50 8d8dfcfeffff }
            // n = 4, score = 400
            //   6a40                 | push                0x40
            //   8d85f0fdffff         | lea                 eax, [ebp - 0x210]
            //   50                   | push                eax
            //   8d8dfcfeffff         | lea                 ecx, [ebp - 0x104]

        $sequence_1 = { 6a40 6a00 8d4db0 51 e8???????? 83c40c 8be5 }
            // n = 7, score = 400
            //   6a40                 | push                0x40
            //   6a00                 | push                0
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8be5                 | mov                 esp, ebp

        $sequence_2 = { 81e6ffff0000 e8???????? 25ffff0000 c1e010 0bc6 5e }
            // n = 6, score = 400
            //   81e6ffff0000         | and                 esi, 0xffff
            //   e8????????           |                     
            //   25ffff0000           | and                 eax, 0xffff
            //   c1e010               | shl                 eax, 0x10
            //   0bc6                 | or                  eax, esi
            //   5e                   | pop                 esi

        $sequence_3 = { 51 ff15???????? ba01000000 85d2 742e }
            // n = 5, score = 400
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   ba01000000           | mov                 edx, 1
            //   85d2                 | test                edx, edx
            //   742e                 | je                  0x30

        $sequence_4 = { 51 ff15???????? c6850cebffff00 68???????? }
            // n = 4, score = 400
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   c6850cebffff00       | mov                 byte ptr [ebp - 0x14f4], 0
            //   68????????           |                     

        $sequence_5 = { 51 ff15???????? a3???????? 833d????????00 7505 }
            // n = 5, score = 400
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   a3????????           |                     
            //   833d????????00       |                     
            //   7505                 | jne                 7

        $sequence_6 = { 6a3f 8b4dd0 51 6a00 6a05 e8???????? 83c41c }
            // n = 7, score = 400
            //   6a3f                 | push                0x3f
            //   8b4dd0               | mov                 ecx, dword ptr [ebp - 0x30]
            //   51                   | push                ecx
            //   6a00                 | push                0
            //   6a05                 | push                5
            //   e8????????           |                     
            //   83c41c               | add                 esp, 0x1c

        $sequence_7 = { 81e6ffff0000 e8???????? 25ffff0000 99 b90f000000 f7f9 8bca }
            // n = 7, score = 400
            //   81e6ffff0000         | and                 esi, 0xffff
            //   e8????????           |                     
            //   25ffff0000           | and                 eax, 0xffff
            //   99                   | cdq                 
            //   b90f000000           | mov                 ecx, 0xf
            //   f7f9                 | idiv                ecx
            //   8bca                 | mov                 ecx, edx

        $sequence_8 = { 037c240c 8b742410 51 f3a6 }
            // n = 4, score = 200
            //   037c240c             | add                 edi, dword ptr [esp + 0xc]
            //   8b742410             | mov                 esi, dword ptr [esp + 0x10]
            //   51                   | push                ecx
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]

        $sequence_9 = { 73ec 8b450c c9 c20800 fc }
            // n = 5, score = 200
            //   73ec                 | jae                 0xffffffee
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   c9                   | leave               
            //   c20800               | ret                 8
            //   fc                   | cld                 

        $sequence_10 = { 2b4c2410 8b5678 0354240c 8b5a20 035c240c }
            // n = 5, score = 200
            //   2b4c2410             | sub                 ecx, dword ptr [esp + 0x10]
            //   8b5678               | mov                 edx, dword ptr [esi + 0x78]
            //   0354240c             | add                 edx, dword ptr [esp + 0xc]
            //   8b5a20               | mov                 ebx, dword ptr [edx + 0x20]
            //   035c240c             | add                 ebx, dword ptr [esp + 0xc]

        $sequence_11 = { f7e3 0344240c 03c7 8b00 }
            // n = 4, score = 200
            //   f7e3                 | mul                 ebx
            //   0344240c             | add                 eax, dword ptr [esp + 0xc]
            //   03c7                 | add                 eax, edi
            //   8b00                 | mov                 eax, dword ptr [eax]

        $sequence_12 = { 83c404 c20800 c8000000 8b4510 }
            // n = 4, score = 200
            //   83c404               | add                 esp, 4
            //   c20800               | ret                 8
            //   c8000000             | enter               0, 0
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_13 = { ff95c5144000 8bc8 f3a6 61 }
            // n = 4, score = 200
            //   ff95c5144000         | call                dword ptr [ebp + 0x4014c5]
            //   8bc8                 | mov                 ecx, eax
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]
            //   61                   | popal               

        $sequence_14 = { 7461 8bc8 48 c6857b27400000 8d8527164000 }
            // n = 5, score = 200
            //   7461                 | je                  0x63
            //   8bc8                 | mov                 ecx, eax
            //   48                   | dec                 eax
            //   c6857b27400000       | mov                 byte ptr [ebp + 0x40277b], 0
            //   8d8527164000         | lea                 eax, [ebp + 0x401627]

        $sequence_15 = { eb35 8b7224 0374240c 52 bb02000000 }
            // n = 5, score = 200
            //   eb35                 | jmp                 0x37
            //   8b7224               | mov                 esi, dword ptr [edx + 0x24]
            //   0374240c             | add                 esi, dword ptr [esp + 0xc]
            //   52                   | push                edx
            //   bb02000000           | mov                 ebx, 2

        $sequence_16 = { 43 8a10 8b4d08 88140b 40 ebca }
            // n = 6, score = 100
            //   43                   | inc                 ebx
            //   8a10                 | mov                 dl, byte ptr [eax]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   88140b               | mov                 byte ptr [ebx + ecx], dl
            //   40                   | inc                 eax
            //   ebca                 | jmp                 0xffffffcc

        $sequence_17 = { 898138010000 8b0d???????? b8???????? 89813c010000 8b0d???????? b8???????? }
            // n = 6, score = 100
            //   898138010000         | mov                 dword ptr [ecx + 0x138], eax
            //   8b0d????????         |                     
            //   b8????????           |                     
            //   89813c010000         | mov                 dword ptr [ecx + 0x13c], eax
            //   8b0d????????         |                     
            //   b8????????           |                     

        $sequence_18 = { 8d45e8 50 e8???????? 68???????? e8???????? 8d45e8 }
            // n = 6, score = 100
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     
            //   e8????????           |                     
            //   8d45e8               | lea                 eax, [ebp - 0x18]

        $sequence_19 = { a1???????? 0bc0 7f30 b900020000 890d???????? c1e102 }
            // n = 6, score = 100
            //   a1????????           |                     
            //   0bc0                 | or                  eax, eax
            //   7f30                 | jg                  0x32
            //   b900020000           | mov                 ecx, 0x200
            //   890d????????         |                     
            //   c1e102               | shl                 ecx, 2

        $sequence_20 = { 50 ff7205 e8???????? 83c209 ebdc 5a }
            // n = 6, score = 100
            //   50                   | push                eax
            //   ff7205               | push                dword ptr [edx + 5]
            //   e8????????           |                     
            //   83c209               | add                 edx, 9
            //   ebdc                 | jmp                 0xffffffde
            //   5a                   | pop                 edx

        $sequence_21 = { 83e73e 8b450c 8bb015010000 81e600ff0000 }
            // n = 4, score = 100
            //   83e73e               | and                 edi, 0x3e
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8bb015010000         | mov                 esi, dword ptr [eax + 0x115]
            //   81e600ff0000         | and                 esi, 0xff00

        $sequence_22 = { 50 e8???????? 3c52 753e 8b4d08 }
            // n = 5, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   3c52                 | cmp                 al, 0x52
            //   753e                 | jne                 0x40
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_23 = { 85c0 7407 e8???????? eb0c c74704b3d75aa5 8937 }
            // n = 6, score = 100
            //   85c0                 | test                eax, eax
            //   7407                 | je                  9
            //   e8????????           |                     
            //   eb0c                 | jmp                 0xe
            //   c74704b3d75aa5       | mov                 dword ptr [edi + 4], 0xa55ad7b3
            //   8937                 | mov                 dword ptr [edi], esi

    condition:
        7 of them and filesize < 1523712
}