New Sality variant contains moneymaking twist

Users should be cautious of a new virus variant that combines the old technique of file infection with the modern-day desire for financial gain, security researchers have warned.

The virus, named Sality.AO, was first detected in early February, but PandaLabs on Wednesday issued an advisory warning users of the dangers of the malware because of a rise in the number of infected computers.

The virus is parasitic, meaning it tries to infect .exe and .scr files on a user's local network and on removable drives by overwriting code in the original file and saving the new code in the virus body, according to a McAfee description. Then, the virus is added to the host file.

Carlos Zevallos, Security Evangelist at Panda Security, told SCMagazineUS.com in an email Thursday that around 15,000 computers have already been infected in 31 countries including, primarily, the U.S., Spain, Portugal, Brazil and Argentina.

“We have been helping two major companies who were not previous clients (one over 20,000 seats), remove Sality from their networks,” Zevallos said.

Panda Security's malware detection and analysis laboratory has noted an increase in the number of infections caused by this malware over recent days, as well as new variants using the same techniques. It is therefore advising users to be on their guard against a possible massive attack, Zevallos said.

Sality.AO combines an older virus feature -- the goal to infect as many files and users as possible to gain notoriety -- with the relatively newer goal of making money for the cybercriminals behind it, PandaLabs said in a blog on Tuesday.

To avoid detection, the virus uses two techniques that PandaLabs hasn't seen for a few years, called EPO and Cavity, PandaLabs technical director Luis Corrons wrote in the blog. Creating an exploit using these techniques is much more difficult than using automated malware creation tools, but the extra effort helps the virus evade detection. Both of the tactics involve modifications to the original file used in the exploit.

The EPO technique allows part of a legitimate file to run before the virus starts, making it harder to detect, Corrons said. In the Cavity technique, the virus is inserted into blank spots of the original file's code, which makes it hard to locate and disinfect.

Researchers said the cybercriminals behind Sality.AO also incorporated some newer malware features, including the ability to connect to IRC channels to receive remote commands -- a feature that potentially turns infected computers into bots capable of launching distributed denial-of-service attacks, sending spam or distributing malware.

Also, the virus contains a feature that helps it propagate across the internet, Corrons said. It uses an IFRAME to infect PHP, ASP and HTML files on the computer so that when any of these files are run, the user's browser is redirected to a malicious page that launches an exploit to download more malware.
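A defender can sweep a web root for the symptom described above. The sketch below is an added example, not code from PandaLabs or McAfee: it flags iframes in PHP, ASP and HTML files that load from a host outside an allowlist. The tiny-frame, CSS-hidden and after-`</html>` heuristics are assumptions (the article does not say how the injected IFRAME looks), and the hostnames and sample markup are constructed.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

WEB_EXTS = {".php", ".asp", ".html", ".htm"}   # file types named in the article
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def iframe_findings(text, trusted_hosts=frozenset()):
    """Return (line, host, reasons) for each iframe loading from a non-allowlisted host."""
    findings = []
    end_html = text.lower().rfind("</html>")
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): dq or sq or bare for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if not host or host in trusted_hosts:
            continue  # relative (same-site) or explicitly allowed source
        reasons = ["external-src"]
        sizes = {attrs.get(a, "").lower().rstrip("px") for a in ("width", "height")}
        if sizes & {"0", "1"}:
            reasons.append("tiny-frame")        # assumed heuristic: invisible frame
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("css-hidden")        # assumed heuristic: hidden via CSS
        if 0 <= end_html < m.start():
            reasons.append("after-html-end")    # assumed heuristic: appended markup
        findings.append((text.count("\n", 0, m.start()) + 1, host, reasons))
    return findings

def scan_tree(root, trusted_hosts=frozenset()):
    """Map each web file under root that has findings to its list of findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = iframe_findings(path.read_text(errors="replace"), trusted_hosts)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: one allowlisted embed, one frame appended after </html>.
SAMPLE = (
    "<html><body>\n"
    '<iframe src="https://video.example.org/embed/1" width="560"></iframe>\n'
    "</body></html>\n"
    "<iframe src=http://redirect.example.net/in.php width=1 height=1></iframe>\n"
)

if __name__ == "__main__":
    print(iframe_findings(SAMPLE, {"video.example.org"}))
```

A hit is a lead for manual review rather than a verdict; legitimate third-party embeds belong in `trusted_hosts`.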

“These kinds of infections require advanced skills on the part of the malware author,” Zevallos said. “It takes a long time to create such a complex piece of malware.”

PandaLabs is investigating the ultimate origin of this attack, finding that most of the URLs the virus communicates with are initially from Poland, so it is possible the creator is from the region. The true origin could be any country, though, because the servers could be bots themselves.

“We have not seen the malware code published on criminal sites, so at this time, we can speculate that the original authors are behind the subsequent variants we are tracking,” Zevallos said.

It is time-consuming for an antivirus vendor to create disinfection routines for complex malware, so malware authors are likely taking time to get maximum dispersal of the virus before it is ultimately detected by the major AV vendors.

As the virus changes the way it infects, it is extremely difficult to say if any one anti-virus vendor is detecting all types of infected files. That said, as of Thursday, PandaLabs is seeing about a 50 percent detection rate from the major AV vendors, Zevallos said.

McAfee's description also includes the files and registry keys that are symptoms of the virus and a list of domains from which the virus downloads additional malware.

This article first appeared on SC Magazine's US website
