Malware starts kicking it old school - Sality returns
by Steve Ragan - Feb 20 2009, 17:16

Researchers from PandaLabs have started seeing a resurgence of computers infected with variants of the Sality family of malware. This old-school family of malicious software is, however, picking up some new-school malicious activity along the way.
Sality is a common form of malware; every vendor has a signature for it. However, the new variants of Sality seen by Panda use techniques that have not been seen in years, the company says. These new variants use EPO and cavity infection, for example, which shows obvious care in the creation of the malicious code. Techniques such as EPO or cavity infection require more skill during development, something that isn't seen in the common malware kits on the Web today.
EPO (Entry Point Obscuring) is a file-infection method in which the malware hides where control is handed to its code. Instead of rewriting the program's entry point in the PE header, which is one of the first things a scanner examines, the infector patches an instruction or API call somewhere inside the host program's own code, so the virus body only runs once execution reaches that spot. To an observer, the infected program starts and behaves normally, and the malicious code kicks in later rather than at launch.
Cavity infection is a technique, as Panda explains, used by certain types of malware to make them harder to find. The infector writes its code into unused space already inside the host file, such as the zero-filled alignment padding at the end of a section, so the size of the infected file doesn't change. That defeats the simple size-comparison checks that catch an ordinary appending infector.
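The two PE-header checks those techniques play against, as an added example that is not Panda's code or part of the original article. It builds two constructed PE32 images (a clean one and one with 0x40 bytes stuffed into the alignment slack of .text), confirms the file size is identical, and flags the non-zero padding. The entry-point lookup is the appending-infector heuristic that EPO is designed to slip past: because an EPO infector leaves AddressOfEntryPoint alone, this header-only check reports nothing unusual for it. The section layout, alignments and sample bytes are assumptions made for the example.

```python
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva):
    """Construct a minimal, non-runnable PE32 image (sample data for the example).
    sections: list of (name, raw_bytes, virtual_size, characteristics)."""
    n = len(sections)
    opt_size = 224
    hdr_size = _align(0x40 + 4 + 20 + opt_size + 40 * n, FILE_ALIGN)
    sec_hdrs, bodies = b"", b""
    raw_ptr, rva = hdr_size, SECT_ALIGN
    for name, raw, vsize, chars in sections:
        raw_size = _align(len(raw), FILE_ALIGN)
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, rva,
                                raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += raw.ljust(raw_size, b"\0")   # file-alignment padding: the "cavity"
        raw_ptr += raw_size
        rva += _align(max(vsize, raw_size), SECT_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    opt += struct.pack("<III", 0x400000, SECT_ALIGN, FILE_ALIGN)
    opt = opt.ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + bodies


def parse_pe(image):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    entry = struct.unpack_from("<I", image, opt_off + 16)[0]
    secs = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HDR, image, opt_off + opt_size + 40 * i)
        secs.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                     "raw_size": f[3], "raw_ptr": f[4], "chars": f[9]})
    return entry, secs


def scan_cavities(image):
    """Cavity check: bytes between VirtualSize and SizeOfRawData are alignment
    padding and should be zero. Non-zero bytes there mean something was written
    into the slack without growing the file. Returns {section: non-zero count}."""
    _, secs = parse_pe(image)
    hits = {}
    for s in secs:
        slack = image[s["raw_ptr"] + s["vsize"]: s["raw_ptr"] + s["raw_size"]]
        nonzero = sum(1 for b in slack if b)
        if nonzero:
            hits[s["name"]] = nonzero
    return hits


def entry_point_section(image):
    """Name the section holding AddressOfEntryPoint and whether it is executable.
    An appending infector moves the entry point into its own new section; an EPO
    infector leaves it alone, which is exactly why this header-only check misses EPO."""
    entry, secs = parse_pe(image)
    for s in secs:
        if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"], bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
    return None, False


# Constructed samples: a clean image and one with 0x40 bytes of 0xCC in .text's slack.
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA
CLEAN = build_pe([(b".text", b"\x90" * 0x180, 0x180, CODE),
                  (b".data", b"\x41" * 0x100, 0x100, DATA)], entry_rva=0x1000)
CAVITY = build_pe([(b".text", b"\x90" * 0x180 + b"\xcc" * 0x40, 0x180, CODE),
                   (b".data", b"\x41" * 0x100, 0x100, DATA)], entry_rva=0x1000)

if __name__ == "__main__":
    print("sizes  :", len(CLEAN), len(CAVITY))
    print("clean  :", scan_cavities(CLEAN), entry_point_section(CLEAN))
    print("cavity :", scan_cavities(CAVITY), entry_point_section(CAVITY))
```

Both images are 1536 bytes; only the slack scan tells them apart, and the entry point sits in .text for both, which is the blind spot an EPO infector relies on. On real files, pair the slack scan with a section hash or a known-good size from a package manifest, since a legitimate linker can also leave non-zero padding.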
In addition to the techniques known from traditional malware (file infection, spamming, automatic distribution, and so on), as seen in early Sality variants, the new wave of Sality infections adds a series of features associated with newer malicious schemes.
The first is the ability to connect to IRC channels to receive remote commands, turning the infected system into a bot. The second is that infection is no longer restricted to executables; the new variants also try to propagate across the Internet. To this end, Panda has seen the new Sality inject iframes into PHP, ASP, and HTML files on the computer.
The result is that when any of these files is opened in a browser, the browser is redirected, without the user's knowledge, to a malicious page that launches an exploit against the visiting computer in order to download more malware.
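A scanner for the iframe injection described above, as an added example that is not part of the original article or of Panda's tooling. It runs over three constructed sample files (not recovered from a real infection): an HTML page with one legitimate embed and one hidden iframe appended after `</html>`, a PHP file with a 1x1 iframe, and a clean ASP file. An iframe is reported when it is sized or styled to be invisible, or when it points at a host outside an assumed whitelist; the trusted host list and the malicious.example host name are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample files for the example: one legitimate iframe, two injected
# ones, and one clean ASP page.
SAMPLES = {
    "index.html": (
        '<html><body><h1>Welcome</h1>\n'
        '<iframe src="http://www.example.com/embed" width="400" height="300"></iframe>\n'
        '</body></html>\n'
        '<iframe src="http://malicious.example/x.php" width=0 height=0 '
        'style="visibility:hidden"></iframe>'
    ),
    "page.php": (
        "<?php echo 'hello'; ?>\n"
        "<iframe src='http://malicious.example/in.cgi?3' width='1' height='1' "
        "frameborder='0'></iframe>"
    ),
    "default.asp": '<% Response.Write("ok") %>\n<p>nothing here</p>',
}
# Hosts this site legitimately embeds (assumed); anything else counts as foreign.
TRUSTED_HOSTS = {"www.example.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def iframe_attrs(tag):
    """Parse the attributes of one <iframe ...> start tag into a dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def _tiny(value):
    """True for a 0 or 1 pixel dimension, which a frame meant to be seen never has."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def is_hidden(attrs):
    """Drive-by iframes are sized to nothing or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((_tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")))
            or "display:none" in style or "visibility:hidden" in style)


def scan_file(name, text, trusted_hosts):
    """Return one finding per suspicious iframe in a web file."""
    findings = []
    html_close = text.lower().rfind("</html>")
    for m in IFRAME_RE.finditer(text):
        attrs = iframe_attrs(m.group(0))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = is_hidden(attrs)
        foreign = bool(host) and host not in trusted_hosts
        if hidden or foreign:
            findings.append({
                "file": name, "offset": m.start(), "src": src,
                "hidden": hidden, "foreign": foreign,
                # File infectors append; an iframe after </html> is a strong tell.
                "after_html_close": html_close != -1 and m.start() > html_close,
            })
    return findings


def scan_all(files, trusted_hosts=TRUSTED_HOSTS):
    return [f for name, text in files.items()
            for f in scan_file(name, text, trusted_hosts)]


if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding)
```

Run against a web root, the same loop over `os.walk` output gives a quick triage list; the `after_html_close` flag and the foreign host are what separate an injected frame from a legitimate embed that happens to be small.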
What's more, if any of the infected files are posted online, any user downloading the files or visiting the site is hit by the same redirection and exploit. The file downloaded through this technique is what PandaLabs refers to as hybrid malware, as it combines the functions of several types of malware: in this case, a Trojan and a traditional virus.
The Trojan, in addition, can download other strains of malware to the computer. The URLs used by this downloader were not yet operative at the time of the PandaLabs analysis, but Panda said it expects them to go live as the number of infected computers increases.
Protection against this new variant is the same as against any other malware: use layered security software, such as antivirus and anti-spyware protection; patch your systems with the latest operating system and application updates; avoid sites linked from spam and other unsolicited email; and use a little caution when downloading files online.