win.sality

Sality

Actor(s): Salty Spider


F-Secure states that the Sality virus family has been circulating in the wild since as early as 2003. Over the years the malware has been developed and extended with new features, such as rootkit and backdoor functionality, keeping it an active and relevant threat despite its age.

Modern Sality variants also have the ability to communicate over a peer-to-peer (P2P) network, allowing an attacker to control a botnet of Sality-infected machines. The combined resources of the Sality botnet may also be used by its controller(s) to perform other malicious actions, such as attacking routers.

Infection
Sality viruses typically infect executable files on local, shared and removable drives. In earlier variants, the Sality virus simply added its own malicious code to the end of the infected (or host) file, a technique known as prepending. The viral code that Sality inserts is polymorphic, which is intended to make analysis more difficult.

Earlier Sality variants were regarded as technically sophisticated in that they used an Entry Point Obscuration (EPO) technique to hide their presence on the system. With EPO, the virus inserts an instruction somewhere in the middle of the infected file's code, so that when the file is executed and that instruction is reached, execution 'jumps' to the malware's code instead. This technique was used to make discovery and disinfection of the malicious code harder.
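As an added, defender-side example (not code from Malpedia, F-Secure or any Sality sample), here is the PE header walk implied by the appender and EPO descriptions above: it follows e_lfanew from the MZ header to the section table, finds the section holding AddressOfEntryPoint, and flags the layout a simple appending infector leaves behind (entry point inside a trailing writable and executable section). The PE images it checks are constructed in memory, and the EPO technique described above defeats exactly this check, since the original entry point is left untouched.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Walk the PE32 headers; return (entry_rva, [(name, vaddr, vsize, chars)])."""
    if data[:2] != b"MZ":  # e_magic check, as in the rule's 'cmp word ptr [esi], 0x5a4d'
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # 'add esi, [esi + 0x3c]'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, chars))
    return entry_rva, sections


def infector_hints(data):
    """Heuristic findings for the classic appender layout; empty list = nothing found."""
    entry_rva, sections = parse_pe(data)
    ep_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    if ep_sec is None:
        return ["entry point lies outside every section"]
    hints = []
    last = sections[-1]
    if ep_sec is last and len(sections) > 1:
        hints.append("entry point in last section " + last[0])
    if last[3] & IMAGE_SCN_MEM_WRITE and last[3] & IMAGE_SCN_MEM_EXECUTE:
        hints.append("last section " + last[0] + " is writable and executable")
    return hints


def build_pe(entry_rva, sections):
    """Constructed PE32 header-only image (no real code) used as offline test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0)
    opt += b"\0" * (opt_size - len(opt))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, c)
                    for n, va, vs, c in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


# Constructed layouts: a plain two-section binary and the same one with an appended RWX section.
CLEAN_SECTIONS = [(".text", 0x1000, 0x200, 0x60000020), (".data", 0x2000, 0x100, 0xC0000040)]
CLEAN = build_pe(0x1000, CLEAN_SECTIONS)
APPENDED = build_pe(0x3000, CLEAN_SECTIONS + [(".xyz", 0x3000, 0x400, 0xE0000020)])
```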

Payload
Once installed on the computer system, Sality viruses usually also execute a malicious payload. The actions performed depend on the variant in question, but generally Sality viruses attempt to terminate processes, particularly those belonging to security programs. The virus may also attempt to open connections to remote sites, download and run additional malicious files, and steal data from the infected machine.

References
2022-07-14 / Dragos / Sam Hanson: The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators. https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/ (retrieved 2022-07-18). Families: Sality
2022-04-20 / CISA / CISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA): AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf (retrieved 2022-04-25). Families: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader
2022-04-20 / CISA / CISA: Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure. https://www.cisa.gov/uscert/ncas/alerts/aa22-110a (retrieved 2022-04-25). Families: VPNFilter, BlackEnergy, DanaBot, DoppelDridex, Emotet, EternalPetya, GoldMax, Industroyer, Sality, SmokeLoader, TrickBot, Triton, Zloader, Killnet
2021-10-27 / Mandiant / Ken Proska, Corey Hildebrandt, Daniel Kapellmann Zafra, Nathan Brubaker: Portable Executable File Infecting Malware Is Increasingly Found in OT Networks. https://www.mandiant.com/resources/pe-file-infecting-malware-ot (retrieved 2021-11-08). Families: CCleaner Backdoor, Floxif, neshta, Ramnit, Sality, Virut
2020-05-24 / Palo Alto Networks Unit 42 / Ajaya Neupane, Stefan Achleitner: Using AI to Detect Malicious C2 Traffic. https://unit42.paloaltonetworks.com/c2-traffic/ (retrieved 2021-06-09). Families: Emotet, Sality
2017-10-29 / quangnh89: Sality Configuration Extractor (sality_extractor.py), Python. https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py (retrieved 2021-05-08). Families: Sality
2017-05 / IEEE / Lorenzo De Carli, Ruben Torres, Gaspar Modelo-Howard, Alok Tongaonkar, Somesh Jha: Botnet Protocol Inference in the Presence of Encrypted Traffic. https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail (retrieved 2021-10-11). Families: Ramnit, Sality, ZeroAccess
2015-12-02 / Botconf / Peter Kleissner: Sality: 2003 - Today. https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf (retrieved 2020-01-13). Families: Sality
2011-07 / Symantec / Nicolas Falliere: Sality: Story of a Peer-to-Peer Viral Network. https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf (retrieved 2019-11-28). Families: Sality
Yara Rules
[TLP:WHITE] win_sality_auto (20220808 | Detects win.sality.)
rule win_sality_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.sality."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sality"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0311 52 6878563412 e8???????? }
            // n = 4, score = 400
            //   0311                 | add                 edx, dword ptr [ecx]
            //   52                   | push                edx
            //   6878563412           | push                0x12345678
            //   e8????????           |                     

        $sequence_1 = { 0255fc 8855ec 8b45ec 25ff000000 }
            // n = 4, score = 400
            //   0255fc               | add                 dl, byte ptr [ebp - 4]
            //   8855ec               | mov                 byte ptr [ebp - 0x14], dl
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   25ff000000           | and                 eax, 0xff

        $sequence_2 = { 33c0 eb63 8b45fc 8b4d08 03483c }
            // n = 5, score = 400
            //   33c0                 | xor                 eax, eax
            //   eb63                 | jmp                 0x65
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   03483c               | add                 ecx, dword ptr [eax + 0x3c]

        $sequence_3 = { 0302 50 6a00 e8???????? }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_4 = { 0302 8945fc 8b4d10 8b55fc }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]

        $sequence_5 = { 0302 50 6878563412 e8???????? }
            // n = 4, score = 400
            //   0302                 | add                 eax, dword ptr [edx]
            //   50                   | push                eax
            //   6878563412           | push                0x12345678
            //   e8????????           |                     

        $sequence_6 = { 02c8 884dec 8b55f0 83c201 }
            // n = 4, score = 400
            //   02c8                 | add                 cl, al
            //   884dec               | mov                 byte ptr [ebp - 0x14], cl
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   83c201               | add                 edx, 1

        $sequence_7 = { 02040a 8845fc 8b4dfc 81e1ff000000 }
            // n = 4, score = 400
            //   02040a               | add                 al, byte ptr [edx + ecx]
            //   8845fc               | mov                 byte ptr [ebp - 4], al
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_8 = { 8bcf 2b4c2410 8b5678 0354240c 8b5a20 }
            // n = 5, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   2b4c2410             | sub                 ecx, dword ptr [esp + 0x10]
            //   8b5678               | mov                 edx, dword ptr [esi + 0x78]
            //   0354240c             | add                 edx, dword ptr [esp + 0xc]
            //   8b5a20               | mov                 ebx, dword ptr [edx + 0x20]

        $sequence_9 = { 6a00 6a00 50 ff954d144000 8d9533164000 52 50 }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   50                   | push                eax
            //   ff954d144000         | call                dword ptr [ebp + 0x40144d]
            //   8d9533164000         | lea                 edx, [ebp + 0x401633]
            //   52                   | push                edx
            //   50                   | push                eax

        $sequence_10 = { 8d9dba114000 895808 646789260000 8b74240c 66813e4d5a 0f858c000000 03763c }
            // n = 7, score = 200
            //   8d9dba114000         | lea                 ebx, [ebp + 0x4011ba]
            //   895808               | mov                 dword ptr [eax + 8], ebx
            //   646789260000         | mov                 dword ptr fs:[0], esp
            //   8b74240c             | mov                 esi, dword ptr [esp + 0xc]
            //   66813e4d5a           | cmp                 word ptr [esi], 0x5a4d
            //   0f858c000000         | jne                 0x92
            //   03763c               | add                 esi, dword ptr [esi + 0x3c]

        $sequence_11 = { ff95bc154000 85c0 7403 eb0c 58 e8???????? b801000000 }
            // n = 7, score = 200
            //   ff95bc154000         | call                dword ptr [ebp + 0x4015bc]
            //   85c0                 | test                eax, eax
            //   7403                 | je                  5
            //   eb0c                 | jmp                 0xe
            //   58                   | pop                 eax
            //   e8????????           |                     
            //   b801000000           | mov                 eax, 1

        $sequence_12 = { 83c008 ebdb 8b8593234000 83f800 741e }
            // n = 5, score = 200
            //   83c008               | add                 eax, 8
            //   ebdb                 | jmp                 0xffffffdd
            //   8b8593234000         | mov                 eax, dword ptr [ebp + 0x402393]
            //   83f800               | cmp                 eax, 0
            //   741e                 | je                  0x20

        $sequence_13 = { 50 ff95e7144000 85c0 750b 68c0270900 ff9503154000 6a00 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff95e7144000         | call                dword ptr [ebp + 0x4014e7]
            //   85c0                 | test                eax, eax
            //   750b                 | jne                 0xd
            //   68c0270900           | push                0x927c0
            //   ff9503154000         | call                dword ptr [ebp + 0x401503]
            //   6a00                 | push                0

        $sequence_14 = { ff9539154000 58 6a00 6880000000 6a03 6a00 6a03 }
            // n = 7, score = 200
            //   ff9539154000         | call                dword ptr [ebp + 0x401539]
            //   58                   | pop                 eax
            //   6a00                 | push                0
            //   6880000000           | push                0x80
            //   6a03                 | push                3
            //   6a00                 | push                0
            //   6a03                 | push                3

        $sequence_15 = { 3b4218 75e2 3b4218 7502 }
            // n = 4, score = 200
            //   3b4218               | cmp                 eax, dword ptr [edx + 0x18]
            //   75e2                 | jne                 0xffffffe4
            //   3b4218               | cmp                 eax, dword ptr [edx + 0x18]
            //   7502                 | jne                 4

        $sequence_16 = { 0202 7466 0fb77202 8b7a04 }
            // n = 4, score = 100
            //   0202                 | add                 al, byte ptr [edx]
            //   7466                 | je                  0x68
            //   0fb77202             | movzx               esi, word ptr [edx + 2]
            //   8b7a04               | mov                 edi, dword ptr [edx + 4]

        $sequence_17 = { 0306 50 8b4e04 8d5608 }
            // n = 4, score = 100
            //   0306                 | add                 eax, dword ptr [esi]
            //   50                   | push                eax
            //   8b4e04               | mov                 ecx, dword ptr [esi + 4]
            //   8d5608               | lea                 edx, [esi + 8]

        $sequence_18 = { 014304 c3 53 56 }
            // n = 4, score = 100
            //   014304               | add                 dword ptr [ebx + 4], eax
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   56                   | push                esi

        $sequence_19 = { 0306 50 8d5604 e8???????? }
            // n = 4, score = 100
            //   0306                 | add                 eax, dword ptr [esi]
            //   50                   | push                eax
            //   8d5604               | lea                 edx, [esi + 4]
            //   e8????????           |                     

        $sequence_20 = { 0007 7307 c607ff 8ac1 }
            // n = 4, score = 100
            //   0007                 | add                 byte ptr [edi], al
            //   7307                 | jae                 9
            //   c607ff               | mov                 byte ptr [edi], 0xff
            //   8ac1                 | mov                 al, cl

        $sequence_21 = { 010d???????? 83c004 5f 5e }
            // n = 4, score = 100
            //   010d????????         |                     
            //   83c004               | add                 eax, 4
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_22 = { 00fb fb 804880bc 280d???????? }
            // n = 4, score = 100
            //   00fb                 | add                 bl, bh
            //   fb                   | sti                 
            //   804880bc             | or                  byte ptr [eax - 0x80], 0xbc
            //   280d????????         |                     

        $sequence_23 = { 031e ff7608 ff7604 e8???????? }
            // n = 4, score = 100
            //   031e                 | add                 ebx, dword ptr [esi]
            //   ff7608               | push                dword ptr [esi + 8]
            //   ff7604               | push                dword ptr [esi + 4]
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1523712
}