Details and Precautions to be taken to countermeasure Sality

Details and Precautions to be taken to countermeasure Sality

Postby Prasad » December 26th, 2012, 6:21 pm

About Sality Malware:
Sality is the classification for a family of malicous software (malware), which infects files on Microsoft Windows systems. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

Sality is a family of polymorphic file infectors that target Windows executable files with the extensions .SCR or .EXE. They may execute a damaging payload that deletes files with certain extensions and terminates security-related processes and services.

This malware is infecting Microsoft Windows operating system and may communicate over peer-to-peer (P2P) network for Spam relay, Proxy, stealing information/data such as documents, email ids & passwords etc, Install trojan backdoor, Install key logger, Compromising web servers, Coordinating distributed computing tasks (e.g. password cracking) etc.

Symptom:
1. As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality variants usually attempt to delete files related to antivirus updates, such as those with the following file extensions:
i. .AVC
ii. .KEY
iii. .VDB
2. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems.
3. Some Win32/Sality variants can steal cached passwords and log keystrokes entered on the affected computer.
4. Infected files may unexpectedly increase in size
5. Antivirus and firewall applications may fail to function
6. Windows Task Manager and Windows Registry Editor may be disabled.
7. There is encrypted UDP traffic originating from unexpected applications
8. The Sality virus joins infected machines to its own P2P network. Updates to the malware are fed via decentralized lists of HTTP URLs.
9. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

Countermeasures and removal tools:
The following steps may help prevent infection:
1. Enable a firewall on your computer
2. Get the latest computer updates for all your installed software
3. Avoid downloading untrustworthy executables
4. Use up-to-date antivirus software
5. Limit user privileges on the computer
6. Use caution when opening attachments and accepting file transfers
7. Use caution when clicking on links to web pages
8. Avoid downloading pirated software
9. Protect yourself against social engineering attacks

Removal Tools:
For cleaning Sality-p2p infected systems you are advised to clean their systems with the following removal tools:
http://www.f-secure.com/en/web/labs_glo ... oval-tools
http://support.kaspersky.com/1874
http://free.avg.com/us-en/remove-sality
http://security.symantec.com/nbrt/npe.aspx?lcid=1033
http://www.microsoft.com/security/porta ... s/ADL.aspx

Reference from:
>Wiki
>CERT
>http://antivirus.about.com/od/virusdescriptions/p/sality.htm
>www.microsoft.com
Regards,
Prasad Bhatte
Prasad
 
Posts: 28
Joined: November 16th, 2012, 3:57 pm
Location: Mumbai

Return to Security Alert

Who is online

Users browsing this forum: No registered users and 1 guest