Win32/Sality network activity

Arkady Kovtun CA - HCL

Anti-virus companies have been detecting the polymorphic Sality virus since 2003, but recent Sality variants show a developing trend. They infect executables on the OS, build a network of compromised systems, disable the most popular security solutions and leave an infected machine with little chance of returning to normal operation. The Sality variants open a channel through which private information can be stolen, including the OS version, IP addresses, computer name, passwords and ISP dial-up connections. They also give an attacker the opportunity to gain unauthorized access to the infected machines. Once a pool of infected machines exists, the Sality variants proceed to further malicious activity, such as launching distributed attacks, sending spam and spreading more malware, in order to widen the attack and increase the attacker's reach. This paper will characterize Sality activity, explain how this network forms and identify which worms download the Sality variants.

This paper will also present information about the Sality backdoor, rootkit and trojan functionality, and the ways in which attackers profit from the Sality variants.
