31 Mar A new version of Sality at large Vyacheslav Zakorzhevsky
Join our blog
You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.
Last Friday, Kaspersky Lab’s experts detected a new variant of Sality.aa, which is at present the most popular polymorphic virus. Sality.aa last mutated about a year ago, and the change was not too dramatic. However, within the last two years this virus has remained one of the TOP-5 malicious programs most often detected on users’ computers. Sality’s previous variants were not as popular. After Sality.aa, a new version called Sality.ae came out, which used the EPO infection technique. However, it failed to gain any ground with cybercriminals as it used a simple decrypting algorithm and an inefficient infection technique. All subsequent versions of the malicious program failed to win popularity as well due to their very simple decrypting algorithms.
The newly discovered variant was dubbed Sality.ag. Why so much interested in this one? It contains a fundamentally new decryption algorithm and a host of ‘advanced features’. As we see it, the new variant has every chance of replacing the older Sality.aa version and is likely to become very popular.
Due to its functional capabilities, this virus should be classified as a backdoor. Once within a system, the first thing that Sality.ag does is to install its DLL and a driver to filter the Internet traffic. The DLL is used to repel any types of security software and firewalls.
Below is a screenshot of the unpacked DLL. It contains lines which demonstrate the virus’ capability to resist security software: “avast! Self Protection”, “NOD32krn”, “Avira AntiVir Premium”, “DRWEBSCD” etc. Sality uses one of the simplest ways to shut off an antivirus: it attempts to close all windows and terminate all processes with names associated with security products.