Broken Sality keeps on giving

Since its initial appearance back in 2003 the Sality (aka KuKu) parasitic virus has come and gone from the radar as its authors continue to re-release updates but none has caused more interest than the W32/Sality-AM variant due to its propensity to damage files upon infection.

Upon analysis of the most recent samples it was evident that there is a major bug in the infection routine causing files to be incorrectly modified during infection. So called ‘broken infections’ have been observed in a number of states ranging from ‘viable infection, broken host’ to ‘broken infection, broken host’, but unfortunately as far as the customer is concerned they simply want the infection gone and their files fixed.

From a malware author’s perspective such bugs are a non-issue as long as the

virus replicates. However, for an anti-malware vendor this is much more of a problem, not only because disinfection (recovery of the host) may no longer be possible but because some infected files are so corrupt that they avoid detection.

Different anti-malware products use varied techniques to identify an infected file they may not all report broken samples as infectious. This is often difficult to explain to customers who run multiple anti-virus products, and although neither response is wrong, neither is entirely correct.

Traditionally, anti-virus vendors have used four different methods to detect broken replicants:-

  • Detect them as the virus and don’t offer disinfection
  • Detect them as -Dam (.Dam)
  • Detect them via more intensive user initiated scans after detection of main virus.
  • Not detect them

Customers seem to understand detection of broken samples however they have some difficulty comprehending non-detection (often requiring support to assure them that the sample is not only not viable but beyond repair.)