Sality.AO, a virus that takes us back to the future

Sality.AO is a virus that combines the features of traditional viruses (infecting files and damaging as many computers as possible to earn notoriety for their creators) with the objectives of new malware, i.e. generating financial returns for cyber-criminals. PandaLabs, Panda Security’s malware detection and analysis laboratory, has noted an increase in the number of infections caused by this malware over recent days, as well as new variants using the same techniques. It is therefore advising users to be on their guard against a possible massive attack.

Sality.AO uses some techniques which haven’t been seen for years, such as EPO (entry-point obscuring) or Cavity. These techniques relate to the way in which the original file is modified in order to infect it, making the changes harder to detect and the file harder to disinfect. With EPO, part of the legitimate file runs before the infection code starts, which makes the malware harder to detect. Cavity involves inserting the virus code into blank spaces within the legitimate file’s code, making infected files both harder to locate and harder to disinfect.
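The two file-modification tricks just named can be triaged with generic PE-structure checks. The Python below is an added illustration, not code from Panda Security or from the report: it assembles its own tiny constructed two-section PE32 image (not a Sality sample) and then reports (a) whether the entry point sits in the first executable section and (b) whether a section's alignment padding, which a linker leaves zero-filled, contains non-zero bytes, which is the kind of cavity a file infector can fill. The heuristics are general and will produce false positives on packed or unusually linked binaries; they are not a detection signature for Sality.AO.

```python
import struct
from typing import Dict, List

SECTION_HEADER_SIZE = 40
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> Dict:
    """Read the entry point RVA and the section table of a PE32/PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                   # optional header follows the COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"entry_rva": entry_rva, "sections": sections}


def inspect_pe(data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    info = parse_pe(data)
    sections = info["sections"]
    ep = info["entry_rva"]
    findings = []

    # Heuristic 1: execution should start inside the first executable section.
    ep_section = next((s for s in sections
                       if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    first_exec = next((s for s in sections if s["executable"]), None)
    if ep_section is None:
        findings.append(f"entry point 0x{ep:x} lies outside every section")
    elif not ep_section["executable"]:
        findings.append(f"entry point 0x{ep:x} is in non-executable section {ep_section['name']}")
    elif ep_section is not first_exec:
        findings.append(f"entry point 0x{ep:x} is not in the first executable section")

    # Heuristic 2: bytes between VirtualSize and SizeOfRawData are alignment
    # padding; a linker writes zeros there, so non-zero content is a filled cavity.
    for s in sections:
        if s["rawsize"] > s["vsize"]:
            slack = data[s["rawptr"] + s["vsize"]: s["rawptr"] + s["rawsize"]]
            nonzero = sum(1 for b in slack if b)
            if nonzero:
                findings.append(f"{s['name']}: {nonzero} non-zero bytes in alignment slack")
        if s["executable"] and s["writable"]:
            findings.append(f"{s['name']}: section is both writable and executable")
    return findings


def build_sample_pe(entry_rva: int, slack_payload: bytes = b"") -> bytes:
    """Assemble a constructed two-section PE32 image for testing (not a real binary)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    text_hdr = struct.pack("<8sIIIIIIHHI", b".text", 0x150, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    data_hdr = struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text_hdr + data_hdr).ljust(0x200, b"\0")
    text = (b"\x90" * 0x150 + slack_payload).ljust(0x200, b"\0")   # code, then the padding region
    return headers + text + b"\0" * 0x200


if __name__ == "__main__":
    for label, image in [("clean", build_sample_pe(0x1000)),
                         ("padding filled", build_sample_pe(0x1000, b"\xcc" * 16)),
                         ("entry in .data", build_sample_pe(0x2010))]:
        print(label, inspect_pe(image) or ["no findings"])
```

To run it over a real file, pass `open(path, "rb").read()` to `inspect_pe`. Some older toolchains write 0 into VirtualSize, which makes the whole section look like padding, so treat the slack finding as a prompt to look closer rather than as a verdict.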

These techniques are far more complex than those that can be achieved with automatic malware creation tools, which have been responsible for much of the increase in the number of threats in circulation recently. They require much greater skill and knowledge of malicious code programming.

In addition to these techniques associated with early malware, Sality.AO includes a series of features associated with new malware trends, such as the ability to connect to IRC channels to receive remote commands, potentially turning the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware, denial of service attacks, etc. Similarly, infections are not restricted to files, as was the case with old viruses, but also look to propagate across the Internet, in line with new trends. To this end, it uses an iFrame to infect PHP, ASP and .HTML files on the computer. The result is that when any of these files is opened, the browser is redirected, without the user’s knowledge, to a malicious page that launches an exploit against the visiting computer in order to download more malware. But that is not all. If any of the infected files are posted on a Web page (and bear in mind these file types are typically uploaded to the Web), any users downloading the files or visiting the Web pages will become infected.
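A web-root scan for the injected iFrame described above, as an added example (not code from Panda Security or the report): it walks PHP, ASP and HTML files and flags iframes that are sized 0 or 1 pixel, hidden by CSS, or whose `src` points to a host outside the site's own. The sample files and the `.invalid` host are constructed here; the page gives no indicator for the actual redirect page, so this is a generic hidden-iframe heuristic rather than a Sality.AO signature.

```python
import os
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
WEB_EXTENSIONS = (".php", ".asp", ".html", ".htm")   # the file types named in the report

# Constructed sample web root: one plain page, one legitimate embed, one page
# with an appended hidden iframe of the kind a file infector would inject.
SAMPLE_FILES = {
    "index.html": "<html><body><h1>Welcome</h1><p>Hello</p></body></html>",
    "embed.html": '<html><body><iframe src="https://www.example.com/video" '
                  'width="640" height="360"></iframe></body></html>',
    "contact.php": '<?php echo "Contact us"; ?>\n'
                   '<iframe src="http://injected-redirect.invalid/loader" width="1" height="1" '
                   'style="visibility:hidden"></iframe>',
}


def parse_attrs(raw: str) -> Dict[str, str]:
    """Turn the attribute text of a tag into a lower-cased name -> value map."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = (m.group(2) or m.group(3) or m.group(4) or "").strip()
    return attrs


def is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (pixels or percent)."""
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


def suspicious_iframes(text: str, own_hosts: Iterable[str]) -> List[str]:
    """Return one finding string per iframe that looks hidden or points off-site."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for n, m in enumerate(IFRAME_RE.finditer(text), 1):
        a = parse_attrs(m.group(1))
        reasons = []
        if is_tiny(a.get("width", "")) or is_tiny(a.get("height", "")):
            reasons.append("near-zero size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host not in own:
            reasons.append(f"external src host {host}")
        if reasons:
            findings.append(f"iframe #{n} src={a.get('src', '')!r}: " + ", ".join(reasons))
    return findings


def scan_files(files: Dict[str, str], own_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map file name -> findings, keeping only files that produced at least one."""
    result = {}
    for name, text in files.items():
        findings = suspicious_iframes(text, own_hosts)
        if findings:
            result[name] = findings
    return result


def scan_directory(root: str, own_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Load every PHP/ASP/HTML file under root and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files, own_hosts)


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES, {"www.example.com"}).items():
        print(name)
        for f in findings:
            print("   ", f)
```

On a real site, call `scan_directory("/var/www/html", {"www.example.com"})` with the hostnames the site legitimately embeds from; an iframe that is merely off-site is a lower-confidence hit than one that is also sized to a pixel or hidden by CSS, so sort the output by the number of reasons when reviewing.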

The file downloaded through this technique is what PandaLabs refers to as hybrid malware, as it combines the functions of Trojans and viruses. The Trojan, in addition, has downloader features for fetching other strains of malware onto the computer. The URLs used by this downloader were not yet active at the time of the PandaLabs analysis, but they could become active as the number of infected computers increases, according to Panda Security’s laboratory.

“As we forecast in our annual report, the distribution of classic malicious code such as viruses will be a major trend in 2009. The use of increasingly sophisticated detection technologies like Panda Security’s Collective Intelligence, capable of detecting even low-level attacks and the newest malware techniques, will make cyber-crooks turn to old codes, adapted to new needs. This means they won't be viruses designed simply to spread or damage computers, as they were 10 years ago, but will be designed, such as in this case, to hide Trojans or turn computers into zombies”, warns Luis Corrons, Technical Director of PandaLabs.