Cylance vs. Sality Malware

Sality has terrorized computer users since 2003, a year when personal digital assistants (PDAs) made tech headlines and office PCs ran Windows XP. Over the intervening years users traded their PDAs for smartphones and desktops migrated to newer operating systems and digital workplace solutions. Sality, however, survived the breakneck pace of technological innovation and continues to threaten organizations today. 

The Sality virus infects local executables, removable storage, and remotely shared drives. Infected hosts join a peer-to-peer botnet that is used to download and execute other malware. Sality can inject malicious code into running processes, and when it infects an executable it appends its code to the file and patches the file's entry point so that the viral code runs before the original program. This malware remains viable by adopting the successful strategies of other threats, implementing techniques like rootkit/backdoor capability, keylogging, and worm-like propagation.

Our analysis begins with a screenshot of a Windows Defender Service file infected with malicious code. Notice the malicious code injected in the last section of this file (Figure 1):

Figure 1: The last row of the section table is the appended section, flagged readable, writable and executable
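The indicator in Figure 1 can be checked mechanically rather than by eye. The script below is an added example, not tooling from the Cylance post: it parses the PE section table and flags two signs of an appending file infector, a final section that is readable, writable and executable, and an AddressOfEntryPoint that points into that final section. Because it must run offline, it builds a constructed, code-free PE32 header pair (one clean, one mimicking an appended infection); the function names and the sample layout are the example's own assumptions.

```python
"""Flag the appended-section/entry-point pattern a file infector leaves behind.

Heuristic (added example, not Cylance's tooling):
  * the last section in the section table is readable, writable AND executable
  * the entry point (AddressOfEntryPoint) lands inside that last section
The sample images built below are constructed for the demo and contain no real code.
"""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def parse_pe(data: bytes):
    """Return (entry_point_rva, sections) from the PE headers; handles PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                     # optional header starts after COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint (same offset in PE32/PE32+)
    sections = []
    for i in range(n_sections):
        off = opt_off + opt_size + i * 40                     # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def infector_findings(data: bytes):
    """List of human-readable findings; an empty list means the pattern is absent."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    last = sections[-1]
    findings = []
    if last["chars"] & RWX == RWX:
        findings.append("last section %s is read/write/execute (0x%08x)"
                        % (last["name"], last["chars"]))
    ep_section = next((s for s in sections
                       if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])),
                      None)
    if ep_section is last and len(sections) > 1:
        findings.append("entry point 0x%x lies in the last section %s"
                        % (entry, last["name"]))
    return findings


def build_sample_pe(infected: bool) -> bytes:
    """Constructed minimal PE32 headers: a .text section plus a final .data section.
    The 'infected' variant mimics an appended infection: .data grows, becomes RWX
    and the entry point is redirected into it (assumed layout, not a real Sality sample)."""
    secs = [(b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
            (b".data", 0x2000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    entry = 0x1000
    if infected:
        secs[-1] = (b".data", 0x2000, 0x600, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX)
        entry = 0x2210
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))               # e_lfanew -> PE signature right after DOS header
    opt = bytearray(224)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                    # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x0102)
    table, raw = b"", 0x400
    for name, va, size, chars in secs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, va, size, raw, 0, 0, 0, 0, chars)
        raw += size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Scan files given on the command line, or fall back to the constructed samples.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("clean-sample", build_sample_pe(False)), ("infected-sample", build_sample_pe(True))]
    for label, blob in targets:
        hits = infector_findings(blob)
        print("%-16s %s" % (label, "; ".join(hits) if hits else "no appended-section indicators"))
```

Run it with no arguments to see the constructed clean and infected headers scored, or pass real PE files to triage them. Treat a hit as a lead, not a verdict: packers and some legitimate installers also leave writable code sections, so confirm by comparing the entry-point bytes against a known-good copy of the binary.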

Sality creates three copies of itself. The first copy is saved in the %AppData%\local\temp folder (Figure 2) and injected into the explorer process (Figure 3):

Figure 2: The first Sality copy is saved in the %temp% folder with the name xelag.exe

Figure 3: The malicious xelag.exe injected into the explorer.exe process

The second copy of this malware is saved in the folder %AppData%\local\temp\%random_folder_name% with the name WinDefender.exe (Figure 4):

Figure 4: A second copy of Sality, named WinDefender.exe

The third Sality copy is written to the user's Startup folder as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Download_Manager.exe, so it runs at every logon; the analysis located this path in the virtual memory of a remote process (Figure 5):

Figure 5: A third copy of Sality saved with the name Download_Manager.exe

Sality achieves persistence by modifying the system registry (Figure 6):

Figure 6: Sality persistence written into the system registry

The virus (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Blog. Read the original post at: