Win32/Sality network activity
Arkady Kovtun CA - HCL
Anti-virus companies have been detecting the polymorphic Sality virus since 2003, but recent Sality variants show a distinct trend. They infect executables on the system, build a network of compromised machines, disable the most popular security products and leave an infected machine with little chance of returning to normal operation. The Sality variants open a channel through which private information can be stolen, including the OS version, IP addresses, computer name, passwords and ISP dial-up connections. They also give an attacker unauthorized access to the infected machines. As a result, once a population of infected machines exists, the Sality variants are used for further malicious activity, such as launching distributed attacks, sending spam and spreading more malware, in order to extend the attack and increase the attacker's control. This paper characterizes Sality activity, explains how this network is formed and identifies which worms download the Sality variants.
It also presents the backdoor, rootkit and trojan functionality of Sality, and the ways in which attackers profit from the Sality variants.