McAfee Labs Combating Threats - W32/Sality Virus

By Vivek G, McAfee Labs

Contents

Overview ............................................. 3
Symptoms ............................................. 3
Characteristics ...................................... 3
Common Registry changes done by Sality .............. 11
Fighting W32/Sality ................................. 12
Common URLs accessed by Sality ...................... 18


Finding W32/Sality

Overview

W32/Sality is a parasitic virus that infects shared drives and Windows executable files by inserting its code into host files. It contains downloader functionality to install further Trojan or keylogger components. Sality opens a backdoor that allows a remote attacker to gain full control over the infected computer and, in turn, its confidential information, representing a serious security risk.

Aliases

Kaspersky - Virus.Win32.Sality.aa
Microsoft - Virus:Win32/Sality.am
Symantec - W32.Sality.AE
Avast - Win32:Sality-g

Symptoms

W32/Sality has the following symptoms:
- Modifies the System.ini file (check the modified date)
- A service listening on one or more network ports
- Unexpected network traffic to one or more of the domains listed at the end of this document
- No access to File Monitor
- Disables Safe Mode boot
- Disables regedit and Task Manager
- Disables antivirus

Characteristics

Upon execution, it starts a service that listens on a random UDP port and creates a copy of itself in the following path(s):

%Windir%\System32\Drivers\{random}.sys


It may parasitically infect *.exe and *.scr files on local, network and removable drives, except for files whose names contain the following string(s):

WINDOWS

SYSTEM

SYSTEM32

Can download further malware from the following domains (these are example domains and are not meant to be a comprehensive listing):

1.yimg.com
Us.i1.yimg.com
http:.//ad.yieldmanager.com
mattfoll.eu.interia.pl
bjerm.mass.hc.ru

It can also drop an Autorun.inf file to auto-execute itself.


Once the sample is run, it immediately tries to hook into a randomly chosen running process, connects to certain sites and downloads malware.


The screenshot above shows the virus connecting to the IP 89.111.173.114 on port 80 and contacting “http://bjerm.mass.hc.ru” to download the file “logoh.gif”.

Below is a screenshot of Sality hooking into Notepad.exe:


One may notice that Notepad.exe appears in the running processes even though the user never opened it. If this process is killed, Sality hooks into another process. A comparison between a clean and an infected Notepad is given below:

Clean Notepad:


A Sality-infected Notepad:


The utility shown here is MemoryViewer, a proprietary McAfee Labs tool that shows the addresses and modules of running processes.

The number of threads with open modules is a clear indicator of a Sality infection. A closer look at the memory addresses in the screenshot below reveals a reference to “logos.gif” being downloaded from the site “http://bjern.mass.hc.ru”.


Sality uses Notepad.exe and Winmine.exe to inject into other Windows executables. Sality hooking into Winmine is shown below:


The number of open modules is clearly visible in the above picture.

Common Registry changes done by Sality

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools

These values disable regedit and Task Manager.


In an attempt to make recovery difficult for the victim, registry keys in the following sub-trees are deleted; they need to be restored to their original configuration if required by the user:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\*
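The following PowerShell triage script is an added example, not part of the McAfee Labs paper: it checks a host, read-only, for the symptoms and registry changes listed above (the Task Manager / regedit policies, missing SafeBoot keys, a recently modified System.ini, recently written drivers, and notepad.exe or winmine.exe processes that own a UDP listener). The seven-day window and the use of Get-NetUDPEndpoint (Windows 8 / Server 2012 and later) are assumptions of the example; run it from an elevated prompt.

```powershell
# Added triage script (not from the McAfee Labs paper). Read-only; run elevated.
# Returns one object per indicator that fires; no output means none of them did.
function Get-SalityIndicators {
    [CmdletBinding()]
    param(
        # Assumed threshold: flag System.ini / driver files changed within this many days.
        [int]$RecentDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Indicator, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # 1. Policy values Sality sets to disable Task Manager and Registry Editor.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path -Path $policy) {
        $p = Get-ItemProperty -Path $policy
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($p.$name -eq 1) { Add-Finding "$name policy set" "$policy\$name = 1" }
        }
    }

    # 2. SafeBoot sub-tree deleted: both Minimal and Network normally exist on a healthy host.
    foreach ($sub in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$sub"
        if (-not (Test-Path -Path $key)) { Add-Finding 'SafeBoot key missing' $key }
    }

    # 3. System.ini recently modified (the symptom list says to check its modified date).
    $sysIni = Join-Path $env:WINDIR 'System.ini'
    if (Test-Path -Path $sysIni) {
        $lw = (Get-Item -Path $sysIni).LastWriteTime
        if ($lw -gt (Get-Date).AddDays(-$RecentDays)) {
            Add-Finding 'System.ini recently modified' "$sysIni at $lw"
        }
    }

    # 4. Recently written .sys files under System32\Drivers (the dropped {random}.sys copy).
    $drivers = Join-Path $env:WINDIR 'System32\Drivers'
    Get-ChildItem -Path $drivers -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays) } |
        ForEach-Object { Add-Finding 'Recent driver file' "$($_.FullName) at $($_.LastWriteTime)" }

    # 5. notepad.exe / winmine.exe running (Sality's injection hosts), and any UDP listener they own.
    $udp = @{}
    if (Get-Command Get-NetUDPEndpoint -ErrorAction SilentlyContinue) {
        Get-NetUDPEndpoint | ForEach-Object {
            $owner = [int]$_.OwningProcess          # cast so the key matches Get-Process Id
            if (-not $udp.ContainsKey($owner)) { $udp[$owner] = @() }
            $udp[$owner] += $_.LocalPort
        }
    }
    Get-Process -Name notepad, winmine -ErrorAction SilentlyContinue | ForEach-Object {
        $detail = "PID $($_.Id)"
        if ($udp.ContainsKey($_.Id)) { $detail += " listening on UDP port(s) $($udp[$_.Id] -join ', ')" }
        Add-Finding "Unexpected $($_.ProcessName).exe process" $detail
    }

    return $findings
}

$result = @(Get-SalityIndicators)
if ($result.Count -eq 0) { 'No W32/Sality indicators found on this host' }
else { $result | Format-Table -AutoSize }
```

A running Notepad is of course not proof of infection on its own; the combination of an unexpected process, a UDP listener owned by it and the policy or SafeBoot changes is what should trigger the isolation steps in the next section.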

Fighting W32/Sality

Once active, Sality spreads at a very high rate. It is important to isolate hosts or segments so as to contain the threat as much as possible. This can include:
- Isolation of specific segments
- Physical disconnection from the network

Prevention

Configure VirusScan Enterprise properly across the entire environment in order to prevent further spread of the threat. Proper configuration consists of:

1) On-Access Scanner enabled and configured as follows:
   - Scan all files
   - Scan both reads and writes
   - On-Access exclusions kept to an absolute minimum (excluded directories containing executable files allow the virus to exist free of AV scanning)

Some other recommended steps include:
- Disable access to network shares.
- Make network shares read-only.
- When access to network shares / locations is an absolute requirement (login scripts, roaming profiles, etc.), adequately secure these locations or take steps to isolate them from infected segments / hosts.

VirusScan Enterprise’s ‘Access Protection’ rules can be used as an effective safeguard against the spread of Sality. Some of the rules that apply are:

- Prevent IRC Communication (Anti-Virus Standard Protection)
- Prevent creation of new executable files in the Windows folder (Common Maximum Protection)
- Prevent all programs from running from the Temp folder (Anti-Spyware Maximum Protection)
- Make all shares read-only (Anti-Virus Outbreak Control)


This hack instructs Windows to treat autorun.inf files as if they belonged to a pre-Windows 95 application:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

Copy these lines into Notepad, save the file with a .REG extension and merge it. This instructs Windows not to use the values from the INF file but to use the values from HKLM\SOFTWARE\DoesNotExist; since that key does not exist, the INF file does not run. The only downside is that if you insert a CD with software on it, you have to explore it by hand to find the setup program.

McAfee VirusScan 8.5i and 8.7i can be configured, via the Access Protection policy, to protect their processes from being disabled by malware threats.
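As an added example (not from the McAfee Labs paper), the same IniFileMapping change can be applied from an elevated PowerShell prompt instead of merging a .REG file, with a verification function and a rollback for the CD-autorun downside noted above. The function names are this example's own; the key path and the @SYS:DoesNotExist redirect are those given in the text.

```powershell
# Added example (not from the paper): apply, verify and undo the Autorun.inf IniFileMapping
# redirect without a .REG file. Requires an elevated PowerShell prompt.
$AutorunMap = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Redirect   = '@SYS:DoesNotExist'   # points INI lookups at HKLM\SOFTWARE\DoesNotExist

function Test-AutorunInfBlock {
    # True only when the key exists AND its (Default) value is the redirect string.
    if (-not (Test-Path -Path $AutorunMap)) { return $false }
    $default = (Get-ItemProperty -Path $AutorunMap).'(default)'
    return ($default -eq $Redirect)
}

function Enable-AutorunInfBlock {
    # Equivalent of merging the REGEDIT4 file above: create the key, set its default value.
    if (-not (Test-Path -Path $AutorunMap)) { New-Item -Path $AutorunMap -Force | Out-Null }
    Set-ItemProperty -Path $AutorunMap -Name '(default)' -Value $Redirect
    return (Test-AutorunInfBlock)
}

function Disable-AutorunInfBlock {
    # Rollback: removing the mapping key restores normal autorun.inf handling.
    if (Test-Path -Path $AutorunMap) { Remove-Item -Path $AutorunMap -Force }
    return (-not (Test-Path -Path $AutorunMap))
}

if (Enable-AutorunInfBlock) { 'Autorun.inf is now mapped to a non-existent key; autorun entries are ignored' }
else { 'Could not apply the mapping; re-run from an elevated PowerShell prompt' }
```

Test-AutorunInfBlock is also a useful compliance check: it reports false if a later cleanup or an installer recreates the key with a different default value.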

Ensure that Access Protection is enabled.


Ensure that the option to ‘Prevent McAfee Services from being stopped’ is enabled.

Enable the McAfee-specific options in the ‘Common Standard Protection’ rule category:

- Prevent modification of McAfee files and settings
- Prevent modification of McAfee Common Management Agent and settings
- Prevent modification of McAfee Scan Engine files and settings

To assist with creating rules in the VirusScan console to protect your systems against autorun infections, here are three articles in our Knowledgebase:

How to use Access Protection policies in VirusScan 8.5i to prevent malware from changing folder options (KB53356)

How to use Access Protection policies in VirusScan 8.5i to protect against viruses that can disable Regedit (KB53346)

How to use Access Protection policies in VirusScan 8.5i to protect against viruses that can disable Task Manager (KB53355)


We tested a sample of Sality with the above Access Protection rules enabled. The sample tried to delete some McAfee files and also tried to delete the McShield service; the Access Protection rules prevented this from happening. A glimpse of the logs is given below:

    3/23/2009 12:35:34 PM Blocked by Access Protection rule NAVEENVMXPP\Naveen C:\nuvpo.pif C:\PROGRAMFILES\MCAFEE\VIRUSSCAN ENTERPRISE\SHSTAT.EXE Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Delete
    3/23/2009 12:35:35 PM Blocked by Access Protection rule NAVEENVMXPP\Naveen C:\nuvpo.pif C:\PROGRAM ILES\MCAFEE\COMMON FRAMEWORK\UDATERUI.EXE Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write

We then tested the same sample with Access Protection disabled. Some McAfee-related files and the McShield service were deleted, and OAS was permanently disabled on the machine. Error message while trying to open the McAfee console:


Screenshot of services.msc with no McAfee service:

Use the existing VirusScan 8.5i Access Protection Rules to stop autorun worms.


In the VirusScan console – Access Protection – category: Common Maximum Protection. Enable this rule to block: Prevent Programs registering to Autorun.

In the VirusScan console – Access Protection – category: AntiVirus Standard Protection. Enable this rule to block: Prevent remote creation of Autorun files.

Cleaning / Repair

A full On-Demand scan must be run to fully clean an infected host. In some cases it may also be necessary to run the On-Demand scan in Safe Mode, as well as to run a second scan with a reboot in between. It is also critical that the On-Demand scan be configured properly. The required configuration is as follows:

- Scan all local drives
- Memory for rootkits
- Running processes
- Registry
- First ‘Action’ set to ‘Clean’

The full, recommended process is:


1) Launch a full ODS with the configuration documented above.
2) Allow the scan to run to completion.
3) Reboot.
4) Launch a second ODS and allow it to run to completion to verify that the system has been cleaned.

Common URLs accessed by Sality

The following domains need to be blocked at the firewall:

hxxp://89.119.67.154
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info


hxxp://www.kjwre9fqwieluoi.info
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://btrn-cash.net
hxxp://bmoney-frn.net
hxxp://bclr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
1.yimg.com
Us.i1.yimg.com
http:.//ad.yieldmanager.com
mattfoll.eu.interia.pl
bjerm.mass.hc.ru
www.f5ds1jkkk4d.info
www.g1ikdcvns3sdsal.info
www.h7smcnrwlsdn34fgv.info
www.inform1ongung.info
www.kukutrustnet.org
www.lukki6nd2kdnc.info

(Disclaimer: domains are based at the time of analysis. Customers should visit the Virus Information Library to get the most updated list)
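The list above mixes defanged URLs (hxxp://), a mistyped scheme (http:.//), bare hostnames and one literal IP address, and Windows Firewall filters by address rather than by name. The PowerShell below is an added example, not part of the paper: it normalizes a subset of the list (constructed here; paste in the full list when using it), sinkholes the hostnames through hosts-file entries written to a staging file, and shows (with -WhatIf) the single outbound firewall rule that would block the literal IPs. Writing the hosts file and creating the rule both require an elevated prompt and Windows 8 / Server 2012 or later for New-NetFirewallRule.

```powershell
# Added example (not from the McAfee Labs paper): turn the defanged indicator list into
# hosts-file sinkhole lines and one Windows Firewall block rule.
# Subset of the published list, constructed here for the example; use the full list in practice.
$SalityIndicators = @'
hxxp://89.119.67.154
hxxp://kukutrustnet777.info
hxxp://www.kjwre9fqwieluoi.info
http:.//ad.yieldmanager.com
bjerm.mass.hc.ru
www.kukutrustnet.org
'@

function ConvertFrom-DefangedIndicator {
    # Splits normalized indicators into literal IPs (firewall rule) and hostnames (hosts file / DNS).
    param([string[]]$Lines)
    $hosts = New-Object System.Collections.Generic.List[string]
    $ips   = New-Object System.Collections.Generic.List[string]
    foreach ($raw in $Lines) {
        $s = $raw.Trim().ToLowerInvariant()
        if (-not $s) { continue }
        $s = $s -replace '^h(xx|tt)p:\.?//', ''   # strip hxxp:// and the mistyped http:.//
        $s = $s.Split('/')[0]                      # keep only the host part
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($s, [ref]$parsed)) {
            if (-not $ips.Contains($s)) { $ips.Add($s) }
        } elseif (-not $hosts.Contains($s)) {
            $hosts.Add($s)
        }
    }
    return [pscustomobject]@{ Hosts = $hosts; IPs = $ips }
}

$ind = ConvertFrom-DefangedIndicator ($SalityIndicators -split "`r?`n")

# Hosts-file sinkhole lines, staged to %TEMP% for review before appending them to
# %WINDIR%\System32\drivers\etc\hosts (or loading them into your DNS sinkhole / proxy).
$stage = Join-Path $env:TEMP 'sality-hosts.txt'
$ind.Hosts | ForEach-Object { "0.0.0.0 $_  # W32/Sality download site (McAfee Labs list)" } |
    Set-Content -Path $stage
"Staged $($ind.Hosts.Count) hosts entries in $stage"

# One outbound block rule for the literal IPs. Remove -WhatIf to actually create it.
if ($ind.IPs.Count -gt 0) {
    New-NetFirewallRule -DisplayName 'Block W32/Sality download addresses' -Direction Outbound `
        -Action Block -RemoteAddress ([string[]]$ind.IPs) -WhatIf
}
```

Keep the disclaimer above in mind: the hostnames and the IP are a snapshot from the time of analysis, so the staged file should be regenerated from the current Virus Information Library list rather than treated as permanent.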