One of the more active families of file infecting viruses, Sality, has this week received a major overhaul in its infection method.
Sality has been a major headache to AV companies and their customers due to constant changes in its polymorphic engine, tendencies to irreparably corrupt files and the extent of the damage that can be caused if it manages to gain a toe-hold on a corporate network.
The latest incarnation, Mal/Sality-C, still uses the old methods to spread of infecting executable files on local and networked disks and infecting a copy of notepad.exe or winmine.exe and planting it on removable drives, but this latest version uses a different tactic to gain control of the host PE file.
Previous incarnations of the virus would replace a small amount of the code at the host’s entry point with polymorphic code that served to transfer control to virus stub code at the end of the file. This code then decrypted the main virus body which ran rampant through the system.
Mal/Sality-C uses a technique called Entry Point Obscuring or Mid-infecting. This time, instead of the code at the host entry point being replaced, a call instruction (opcode e8) is placed somewhere inside the code section in the host file which transfers control to the end of the file where the virus is. This makes it harder to find the start of the virus (hence Entry Point Obscuring) but does not guarantee that the virus code will be executed in all circumstances.
It is interesting to note that this is a technique that the Vetor family and the latest generation Scribble use to infect files and there are also indicators that this is perhaps an “alpha” attempt at this technique for the Sality author.
Older versions of the virus used the RC4 algorithm to encrypt the main virus body whereas the latest version uses a much simpler addition/subtraction scheme. We don’t expect it to be long before more complexity is re-introduced.
Needless to say we will be on the lookout for new variants, but in the mean time our customers are well protected in the form of Mal/Sality-C, Mal/Sality-Gen, Sus/Sality-A and using HIPS runtime protection.