win.sality

Sality

Actor(s): Salty Spider


F-Secure states that the Sality virus family has been circulating in the wild since as early as 2003. Over the years the malware has been developed and improved with the addition of new features, such as rootkit and backdoor functionality, keeping it an active and relevant threat despite its age.

Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection
Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, varying from one infected file to the next, which is intended to make analysis more difficult.

Earlier Sality variants were regarded as technically sophisticated in that they used an Entry Point Obscuration (EPO) technique to hide their presence on the system. Rather than redirecting the host file's entry point, the virus inserts a command somewhere in the middle of the infected file's code; when execution reaches that command, control 'jumps' to the malware's code, which runs instead. This technique was used to make discovery and disinfection of the malicious code harder.
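The traits described above leave marks in a PE's section table: viral code added after the original image (an extra section or a trailing overlay), an entry point moved into that appended region, and an entry-point section that is both writable and executable. The script below, an added example that is not Malpedia's or F-Secure's code, parses those headers with the standard library and reports such indicators. The two sample images are constructed in memory by the `build_pe()` helper (an assumed fixture builder, not a real linker), not real Sality samples; an EPO jump patched into existing code needs disassembly to find and is out of scope here.

```python
"""Static triage of a PE image for file-infector traits (added example, standard library only).

Sample images are constructed fixtures built by build_pe(); nothing here is a real sample.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
PE32_OPTIONAL_HEADER_SIZE = 224
FILE_ALIGNMENT = 0x200


def build_pe(sections, entry_point, overlay=b""):
    """Assemble a minimal PE32 file from (name, rva, raw_size, characteristics) tuples.

    Section bodies are NOP filler laid out back to back after the headers; only the
    fields the scanner reads are meaningful. Constructed fixture, not a real linker.
    """
    hdr_len = 0x40 + 4 + 20 + PE32_OPTIONAL_HEADER_SIZE + 40 * len(sections)
    hdr_len = -(-hdr_len // FILE_ALIGNMENT) * FILE_ALIGNMENT          # round up to alignment
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       PE32_OPTIONAL_HEADER_SIZE, 0x102)                # i386, EXECUTABLE_IMAGE
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 14, 0, 0, 0, 0, entry_point,
                      0x1000, 0x2000, 0x400000, 0x1000, FILE_ALIGNMENT)
    table, body, offset = b"", b"", hdr_len
    for name, rva, raw_size, chars in sections:
        table += struct.pack(SECTION_HEADER_FMT, name, raw_size, rva, raw_size,
                             offset, 0, 0, 0, 0, chars)
        body += b"\x90" * raw_size
        offset += raw_size
    headers = dos + b"PE\x00\x00" + coff + opt.ljust(PE32_OPTIONAL_HEADER_SIZE, b"\x00") + table
    return headers.ljust(hdr_len, b"\x00") + body + overlay


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HEADER_FMT, data, opt_off + opt_size + 40 * i)
        name, vsize, rva, rsize, roff, _, _, _, _, chars = fields
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "rva": rva, "vsize": vsize, "raw_size": rsize,
                         "raw_off": roff, "chars": chars})
    return entry, sections


def scan_pe(data):
    """Return a list of infector indicators; an empty list means nothing looked appended or moved."""
    entry, sections = parse_sections(data)
    findings = []
    ep_idx = next((i for i, s in enumerate(sections)
                   if s["rva"] <= entry < s["rva"] + max(s["vsize"], s["raw_size"])), None)
    if ep_idx is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        s = sections[ep_idx]
        if len(sections) > 1 and ep_idx == len(sections) - 1:
            findings.append("entry point in last section %r (code appended to the image?)" % s["name"])
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry-point section %r is writable and executable" % s["name"])
    image_end = max(s["raw_off"] + s["raw_size"] for s in sections)
    if len(data) > image_end:
        findings.append("%d bytes of overlay after the last section" % (len(data) - image_end))
    return findings


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed fixtures: a clean two-section layout, and one with an appended
# writable+executable section that now owns the entry point plus trailing bytes.
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, 0x400, CODE), (b".data", 0x2000, 0x200, DATA)],
                        entry_point=0x1010)
INFECTED_SAMPLE = build_pe([(b".text", 0x1000, 0x400, CODE), (b".data", 0x2000, 0x200, DATA),
                            (b".extra", 0x3000, 0x600, CODE | IMAGE_SCN_MEM_WRITE)],
                           entry_point=0x3000, overlay=b"\xEE" * 512)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_pe(sample) or ["no indicators"])
```

Each indicator on its own is weak (packers and installers also carry overlays), so the output is meant as triage input for a sandbox or YARA pass, not a verdict.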

Payload
Once installed on the computer system, Sality viruses usually also execute a malicious payload. The specific actions depend on the variant in question, but Sality viruses will generally attempt to terminate processes, particularly those belonging to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.
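The payload behaviour above (killing security software, then reaching out to remote hosts) is the kind of thing endpoint telemetry can catch. The script below, an added example rather than Malpedia's or F-Secure's code, correlates process-termination events per source process and flags any that kill several protected processes within a short window, noting whether the same process then made an outbound connection. The watchlist and every event record are constructed fixtures with placeholder image names; a real deployment would feed EDR or Sysmon events and a site-specific list of protected processes.

```python
"""Flag a process that terminates several security-related processes in quick succession.

Added example; watchlist and telemetry are constructed fixtures, not real data.
"""
from collections import defaultdict

# Constructed watchlist: image names of security tooling to protect (placeholders).
PROTECTED_IMAGES = {"av_scanner.exe", "av_service.exe", "fw_agent.exe", "edr_sensor.exe"}

# Constructed telemetry: (timestamp_s, event_type, source_pid, source_image, target).
EVENTS = [
    (100.0, "process_terminate", 4100, "explorer.exe", "notepad.exe"),
    (200.0, "process_terminate", 5500, "unknown.exe", "av_scanner.exe"),
    (201.5, "process_terminate", 5500, "unknown.exe", "av_service.exe"),
    (203.0, "process_terminate", 5500, "unknown.exe", "fw_agent.exe"),
    (204.0, "network_connect",   5500, "unknown.exe", "203.0.113.10:80"),
    (900.0, "process_terminate", 7000, "installer.exe", "av_service.exe"),
]


def find_security_killers(events, protected=PROTECTED_IMAGES, threshold=2, window=60.0):
    """Return one alert per source process that kills >= threshold protected processes within window seconds.

    Each alert also records whether the same PID made an outbound connection at or
    after the first kill, the follow-on behaviour the description mentions.
    """
    kills_by_proc = defaultdict(list)
    for ts, kind, pid, image, target in events:
        if kind == "process_terminate" and target.lower() in protected:
            kills_by_proc[(pid, image)].append((ts, target))
    alerts = []
    for (pid, image), kills in kills_by_proc.items():
        kills.sort()
        for start in range(len(kills)):
            # grow the window from this kill while later kills stay within `window` seconds
            end = start
            while end + 1 < len(kills) and kills[end + 1][0] - kills[start][0] <= window:
                end += 1
            if end - start + 1 >= threshold:
                first_ts = kills[start][0]
                outbound = any(k == "network_connect" and p == pid and ts >= first_ts
                               for ts, k, p, _, _ in events)
                alerts.append({"pid": pid, "image": image,
                               "targets": [t for _, t in kills[start:end + 1]],
                               "outbound_after": outbound})
                break   # one alert per process; do not re-report overlapping sub-windows
    return alerts


if __name__ == "__main__":
    for alert in find_security_killers(EVENTS):
        print(alert)
```

A single kill of a protected process (the installer at 900 s) is deliberately below the default threshold, since legitimate updaters stop and restart agents; lowering `threshold` to 1 trades that tolerance for coverage.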

References
2022-07-14 | Dragos | Sam Hanson
The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
Sality
2022-04-20 | CISA | Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), CISA, FBI, Government Communications Security Bureau, National Crime Agency (NCA), NCSC UK, NSA
AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20 | CISA | CISA
Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2021-10-27 | Mandiant | Corey Hildebrandt, Daniel Kapellmann Zafra, Ken Proska, Nathan Brubaker
Portable Executable File Infecting Malware Is Increasingly Found in OT Networks
CCleaner Backdoor Floxif neshta Ramnit Sality Virut
2020-05-24 | Palo Alto Networks Unit 42 | Ajaya Neupane, Stefan Achleitner
Using AI to Detect Malicious C2 Traffic
Emotet Sality
2017-10-29 | quangnh89
Sality Configuration Extractor (sality_extractor.py)
Sality
2017-05-03 | IEEE | Alok Tongaonkar, Gaspar Modelo-Howard, Lorenzo De Carli, Ruben Torres, Somesh Jha
Botnet Protocol Inference in the Presence of Encrypted Traffic
Ramnit Sality ZeroAccess
2015-12-02 | Botconf | Peter Kleissner
Sality: 2003 - Today
Sality
2011-07-01 | Symantec | Nicolas Falliere
Sality: Story of a Peer-to-Peer Viral Network
Sality
Yara Rules
[TLP:WHITE] win_sality_auto (20260504 | Detects win.sality.)
rule win_sality_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.sality."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7206 837d087e 7612 817d08c8000000 721d 817d08d5000000 7714 }
            // n = 7, score = 400
            //   7206                 | jb                  8
            //   837d087e             | cmp                 dword ptr [ebp + 8], 0x7e
            //   7612                 | jbe                 0x14
            //   817d08c8000000       | cmp                 dword ptr [ebp + 8], 0xc8
            //   721d                 | jb                  0x1f
            //   817d08d5000000       | cmp                 dword ptr [ebp + 8], 0xd5
            //   7714                 | ja                  0x16

        $sequence_1 = { 721b 817d08d5000000 7712 8b4510 }
            // n = 4, score = 400
            //   721b                 | jb                  0x1d
            //   817d08d5000000       | cmp                 dword ptr [ebp + 8], 0xd5
            //   7712                 | ja                  0x14
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_2 = { 7207 b801040000 eb54 8b55fc 2b55f4 8b450c 8910 }
            // n = 7, score = 400
            //   7207                 | jb                  9
            //   b801040000           | mov                 eax, 0x401
            //   eb54                 | jmp                 0x56
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   2b55f4               | sub                 edx, dword ptr [ebp - 0xc]
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8910                 | mov                 dword ptr [eax], edx

        $sequence_3 = { 0f8411010000 8b55dc 33c0 668b4212 }
            // n = 4, score = 400
            //   0f8411010000         | je                  0x117
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   33c0                 | xor                 eax, eax
            //   668b4212             | mov                 ax, word ptr [edx + 0x12]

        $sequence_4 = { 52 68ff011f00 8d45f4 50 }
            // n = 4, score = 400
            //   52                   | push                edx
            //   68ff011f00           | push                0x1f01ff
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax

        $sequence_5 = { 52 68a3000000 e8???????? 83c414 8b4dfc }
            // n = 5, score = 400
            //   52                   | push                edx
            //   68a3000000           | push                0xa3
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_6 = { 0f8410020000 c785ccfdffff28010000 b949000000 33c0 }
            // n = 4, score = 400
            //   0f8410020000         | je                  0x216
            //   c785ccfdffff28010000     | mov    dword ptr [ebp - 0x234], 0x128
            //   b949000000           | mov                 ecx, 0x49
            //   33c0                 | xor                 eax, eax

        $sequence_7 = { 0f8410010000 e8???????? 25ffff0000 99 b967000000 }
            // n = 5, score = 400
            //   0f8410010000         | je                  0x116
            //   e8????????           |                     
            //   25ffff0000           | and                 eax, 0xffff
            //   99                   | cdq                 
            //   b967000000           | mov                 ecx, 0x67

        $sequence_8 = { 85c0 74f6 c3 8bf7 }
            // n = 4, score = 200
            //   85c0                 | test                eax, eax
            //   74f6                 | je                  0xfffffff8
            //   c3                   | ret                 
            //   8bf7                 | mov                 esi, edi

        $sequence_9 = { c8000000 8b4510 ff35???????? 8f80b8000000 ff35???????? 8f80c4000000 }
            // n = 6, score = 200
            //   c8000000             | enter               0, 0
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   ff35????????         |                     
            //   8f80b8000000         | pop                 dword ptr [eax + 0xb8]
            //   ff35????????         |                     
            //   8f80c4000000         | pop                 dword ptr [eax + 0xc4]

        $sequence_10 = { 50 6a00 ff951a154000 85c0 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   6a00                 | push                0
            //   ff951a154000         | call                dword ptr [ebp + 0x40151a]
            //   85c0                 | test                eax, eax

        $sequence_11 = { 8bf8 50 ff95c5144000 8bc8 f3a6 }
            // n = 5, score = 200
            //   8bf8                 | mov                 edi, eax
            //   50                   | push                eax
            //   ff95c5144000         | call                dword ptr [ebp + 0x4014c5]
            //   8bc8                 | mov                 ecx, eax
            //   f3a6                 | repe cmpsb          byte ptr [esi], byte ptr es:[edi]

        $sequence_12 = { 6a01 6a00 6a00 8d9578274000 }
            // n = 4, score = 200
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   8d9578274000         | lea                 edx, [ebp + 0x402778]

        $sequence_13 = { 83c404 eb0a 59 83c304 40 3b4218 }
            // n = 6, score = 200
            //   83c404               | add                 esp, 4
            //   eb0a                 | jmp                 0xc
            //   59                   | pop                 ecx
            //   83c304               | add                 ebx, 4
            //   40                   | inc                 eax
            //   3b4218               | cmp                 eax, dword ptr [edx + 0x18]

        $sequence_14 = { ffb554134000 33c0 64ff30 8d8586134000 8920 896804 8d9dba114000 }
            // n = 7, score = 200
            //   ffb554134000         | push                dword ptr [ebp + 0x401354]
            //   33c0                 | xor                 eax, eax
            //   64ff30               | push                dword ptr fs:[eax]
            //   8d8586134000         | lea                 eax, [ebp + 0x401386]
            //   8920                 | mov                 dword ptr [eax], esp
            //   896804               | mov                 dword ptr [eax + 4], ebp
            //   8d9dba114000         | lea                 ebx, [ebp + 0x4011ba]

        $sequence_15 = { 81feffff0000 7278 fc 8dbd3d154000 }
            // n = 4, score = 200
            //   81feffff0000         | cmp                 esi, 0xffff
            //   7278                 | jb                  0x7a
            //   fc                   | cld                 
            //   8dbd3d154000         | lea                 edi, [ebp + 0x40153d]

        $sequence_16 = { 807dc300 7506 ff05???????? 6810270000 e8???????? 33c0 }
            // n = 6, score = 100
            //   807dc300             | cmp                 byte ptr [ebp - 0x3d], 0
            //   7506                 | jne                 8
            //   ff05????????         |                     
            //   6810270000           | push                0x2710
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax

        $sequence_17 = { 83e600 66c704753a1742000100 8bc6 0573020000 }
            // n = 4, score = 100
            //   83e600               | and                 esi, 0
            //   66c704753a1742000100     | mov    word ptr [esi*2 + 0x42173a], 1
            //   8bc6                 | mov                 eax, esi
            //   0573020000           | add                 eax, 0x273

        $sequence_18 = { e8???????? 46 83fe5b 7edd 5e }
            // n = 5, score = 100
            //   e8????????           |                     
            //   46                   | inc                 esi
            //   83fe5b               | cmp                 esi, 0x5b
            //   7edd                 | jle                 0xffffffdf
            //   5e                   | pop                 esi

        $sequence_19 = { 50 ff35???????? 68ff000000 e8???????? }
            // n = 4, score = 100
            //   50                   | push                eax
            //   ff35????????         |                     
            //   68ff000000           | push                0xff
            //   e8????????           |                     

        $sequence_20 = { 0fb6db 8b45f0 f7ef 33d8 881c37 47 }
            // n = 6, score = 100
            //   0fb6db               | movzx               ebx, bl
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   f7ef                 | imul                edi
            //   33d8                 | xor                 ebx, eax
            //   881c37               | mov                 byte ptr [edi + esi], bl
            //   47                   | inc                 edi

        $sequence_21 = { 8bec 81ec00020000 50 837d0801 7d07 }
            // n = 5, score = 100
            //   8bec                 | mov                 ebp, esp
            //   81ec00020000         | sub                 esp, 0x200
            //   50                   | push                eax
            //   837d0801             | cmp                 dword ptr [ebp + 8], 1
            //   7d07                 | jge                 9

        $sequence_22 = { 68???????? a1???????? ffb09c000000 e8???????? }
            // n = 4, score = 100
            //   68????????           |                     
            //   a1????????           |                     
            //   ffb09c000000         | push                dword ptr [eax + 0x9c]
            //   e8????????           |                     

        $sequence_23 = { f7d1 49 7432 8bd1 }
            // n = 4, score = 100
            //   f7d1                 | not                 ecx
            //   49                   | dec                 ecx
            //   7432                 | je                  0x34
            //   8bd1                 | mov                 edx, ecx

    condition:
        7 of them and filesize < 1523712
}
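The rule's condition, `7 of them and filesize < 1523712`, is easy to misread without seeing the hex strings matched. The script below is an added example, not part of Malpedia or yara-signator: it re-implements the subset of YARA hex-string semantics this rule uses (fixed byte pairs plus `??` one-byte wildcards) as byte regexes and evaluates the condition over a buffer, so the rule can be exercised without yara-python. Eight of the rule's 24 sequences are copied in verbatim; the buffers are constructed fixtures that splice those patterns into filler, not real samples, and `instantiate()` is an assumed helper for building them.

```python
"""Evaluate win_sality_auto byte sequences over a buffer without yara-python (added example).

Hex strings are copied from the rule above; all buffers are constructed fixtures.
"""
import re

SEQUENCES = {
    "sequence_1": "721b 817d08d5000000 7712 8b4510",
    "sequence_3": "0f8411010000 8b55dc 33c0 668b4212",
    "sequence_4": "52 68ff011f00 8d45f4 50",
    "sequence_5": "52 68a3000000 e8???????? 83c414 8b4dfc",
    "sequence_8": "85c0 74f6 c3 8bf7",
    "sequence_10": "50 6a00 ff951a154000 85c0",
    "sequence_13": "83c404 eb0a 59 83c304 40 3b4218",
    "sequence_23": "f7d1 49 7432 8bd1",
}
MIN_MATCHES = 7          # rule condition: "7 of them"
MAX_FILESIZE = 1523712   # rule condition: "filesize < 1523712"


def hex_string_to_regex(hexstr):
    """Compile a YARA hex string (byte pairs and ?? wildcards only) into a bytes regex."""
    pattern = b""
    for token in hexstr.split():
        if len(token) % 2:
            raise ValueError("odd-length hex token: %r" % token)
        for i in range(0, len(token), 2):
            pair = token[i:i + 2]
            # ?? matches any single byte; DOTALL below lets '.' match 0x0a as well
            pattern += b"." if pair == "??" else b"\\x" + pair.encode("ascii")
    return re.compile(pattern, re.DOTALL)


COMPILED = {name: hex_string_to_regex(h) for name, h in SEQUENCES.items()}


def evaluate_rule(data, compiled=COMPILED):
    """Return (matched sequence names, verdict) for the rule condition over data."""
    matched = sorted(n for n, rx in compiled.items() if rx.search(data))
    verdict = len(matched) >= MIN_MATCHES and len(data) < MAX_FILESIZE
    return matched, verdict


def instantiate(hexstr, fill=0x41):
    """Turn a hex string into concrete bytes, replacing ?? with a fill byte (fixture helper)."""
    return b"".join(bytes([fill]) if p == "??" else bytes.fromhex(p)
                    for p in re.findall("..", "".join(hexstr.split())))


# Constructed fixtures: all eight patterns spliced into NOP filler, and only three of them.
FULL_HIT = b"".join(instantiate(h) + b"\x90" * 32 for h in SEQUENCES.values())
PARTIAL_HIT = b"".join(instantiate(h) + b"\x90" * 32 for h in list(SEQUENCES.values())[:3])

if __name__ == "__main__":
    for label, buf in (("full", FULL_HIT), ("partial", PARTIAL_HIT),
                       ("oversized", FULL_HIT + b"\x00" * MAX_FILESIZE)):
        print(label, evaluate_rule(buf))
```

Because the condition counts distinct sequences rather than occurrences, a buffer matching the same four-byte sequence many times still scores as one; and the filesize bound means a matching image padded past 1523712 bytes will not trigger, which is the usual trade-off autogenerated rules make against scanning large installers.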