A Few Words on Malware - The Sality Way
Malware comes in different sizes and shapes. Trojans, worms, viruses, downloaders, and others are becoming more common than common cold medicine. These malware are mixed and matched to produce as much damage as possible. Some are originally designed from scratch, and some are recycled from an old malware collection, either way they are still dangerous.
Malware that infects files are commonly known as file infector viruses. These types of viruses look for files in a computer system and infect them.
11 courses, 8+ hours of training
11 courses, 8+ hours of training
Infection is a process of placing the malware codes within a clean file – this is basically similar to a common cold virus that looks for a human host to infect. Computer viruses also look for a host file to infect.
There are different kinds of infections: prepending, appending, cavity, and etc. These kind of infections are how the virus attaches its malicious code to the host file. Prepending attaches at the beginning of the host file, appending attaches at the end, cavity places bits and pieces of its code in any open space in the host file, etc.
Virus authors know that they are being watched, or rather, their viruses are being studied and analyzed. So they are trying to find a way to make the virus analysts' life harder. They try to encrypt their malware codes in order to conceal their behaviours. But, of course, if there is encryption, there must be a decryptor. Finding the decryptor is easy because they are regular codes that have the sole purpose of reverting back the encrrypted codes. They usually use single key to decrypt the malware codes. Sometimes, they used simple ADD, SUB or XOR assembly instructions to encrypt and decrypt.
The virus authors know that encryption is not enough. The next step is making the malicious codes polymorphic. Polymorphic file infectors have code which is not only encrypted, but the encryption key is different in each and every file. Some polymorphic malware even has a different algorithm, not only different keys.
Polymorphic file infectors not only make the virus analysts' lives harder, they can also avoid detection from antivirus softwares altogether.
In this article, we are going to walk through a malware that infects files in a polymorphic way.
Polymorphic
Sality is a polymorphic file infector. It uses a simple polymorphic algorithm to decrypt its malware codes.
Components of a decryption routine vary from malware to malware. For Sality, there are three main components: the starting location of the decrypted code, main decryption codes, and the number of iteration. The main decryption algorithm will be performed as long as the exit condition is not met; the exit condition is simply checking if the number of iteration is reached.
There is always a loop or jump back to the beginning of the main decryption routine. For this Sality variant, each encrypted byte will be passed to the routine and will be decrypted individually. Another interesting facts about Sality is its use of floating point instructions like, FILD, FISTP, FADDP, and so on. If an antivirus engine is not capable of simulating these instructions, it will be hard to detect the different variations of the replicated samples.
Let's take a closer look at Sality's decryption routine.
Sality replaces the first 123 bytes of the host file starting from the entry point. These bytes contain the deryption routine that will decrypt the rest of the virus body. While, a newly created section at the end of the infected file contains the encrypted virus body with a size of 0x5000 bytes.
The instructions FINIT, FILD, FADDP, FISTP, and FIMUL are called floating point instructions. These instructions perform similarly to other arithmetic instructions in assembly language with a minor difference - the registers that they use. The special registers, also known as FPU (floating point unit) registers, consist of ST0, ST1, ..., ST7. Each can hold up to 80 bits of information. Access to the values stored in these registers works like stack memory. ST0 always hold the current values which is being pushed and popped every time there is an FPU computation. Some antivirus software may not be able to emulate these instructions, thereby rendering them unable to produce the right values. Maybe Sality's intention on using these instructions is to avoid detection.
Calling the block of instructions at 01010F14 sets up the number of iterations the loop should be executed. MOV ECX, 1018 and ADD ECX, 17E8 at addresses 01010F14 and 01010F25 respectively, effectively resulted in 0x2800, which is half of the virus body size. The number of iterations only needs 0x2800 because every pass on the routine decrypts a WORD value, equivalent to 2 bytes.
The block of code starting at address 01010EEA up to 01010F07 is the actual computation that decrypts the encrypted bytes. It gets the encrypted WORD value and loads it to FPU register ST0 using FILD instruction at 01010EED. The value at ST0 register is multiplied using FIMUL to the content EBP + 401077 and saves the results back to ST0. The FISTP instruction converts the value of ST0 to DWORD and saves it at the top of the stack after executing the instruction at 01010EF8. These blocks of code gets executed over and over again until the counter at ECX reaches 0, after which the whole virus is decrypted.
Method of Infection
Sality is an appending virus. It attaches most of its virus code to the end of the host file. This variant of Sality makes a new section, which contains the encrypted virus code, at the end of the host.
Sections are simply blocks of binary value in an executable file. They can contain data, codes, and other information. Using the PEiD tool we can see a list of sections in a given executable file. A clean clipbrd.exe has 3 sections: .text, .data, and .rscr. These sections are common in most executable files in the Windows system.
In a Sality-infected clipbrd.exe, we can see that an additional section, .ddata, has been added. This section contains the encrypted virus codes that will be decrypted in memory during runtime. By visual inspection, we can tell that the file has been infected.
Code Injection
Sality employs code injection to the running processes in the system. It looks for a running process like explorer.exe then attaches the dynamic library file, vcmgcd32.ll, which contains most of the malicious routine of Sality - including the infection. This DLL file is dropped during runtime, whenever an infected file is executed. For example, if an infected clipbrd.exe file is executed, it will drop the vcmgcd32.dll file.
When Sality drops the DLL file it reloads it back to its infected host as a library. Sality does the dropping and loading of its DLL due the polymorphic nature of the virus. When an infected file is executed, it decrypts the DLL codes and saves it as a DLL file, then loads it back into the main executable.
Using the Process Explorer tool, we can observe that the dynamic library file, vcmgcd32.dll, used by the Sality-infected executable, is the same DLL file injected in some running processes. If you can see these in your computer systems it is highly likely that you are infected with Sality.
Terminates Antivirus/Security Related Processes
Sality will attempt to disable antivirus/security processes that match any of the names listed below.
AVP
KAV
DRWEB
OUTPOST
NOD32
ANTI
NMAIN
MCUPDATE
NPROTECT
NUPGRADE
RTVSCAN
SAVSCAN
AVSYNMGR
ATGUARD
AVGSERV
AVPROTECT
BIDSERVER
BIPCP
BLACKICE
CLEANER
DRWTSN32
LOCKDOWN
MCAGENT
NPFMESSENGER
PINGSCAN
PORTDETECTIVE
PROTECTX
TRJSCAN
AVLTMAIN
ESCANH
ICSSUPPNT
ICSUPP
Mutex
It creates a mutex named "_kuku_joker_v3.09_" to synchronize its malwares actions. Mutex is generally used to tell other threads or processes when a given shared resource is available or not.
Internet Access
Sality tries to connect to certain URLs, possibly downloading additional malicious files (it varies in each version of the malware). This variant of Sality tries to check if the machine is connected to the internet by accessing www.microsoft.com, if it successful, the following URLs are also accessed:
he3ns1k******
***dcvns3sdsal
in******t1onupd
f5ds1jkk***
(Part of the URL names were removed to avoid accidental access to the site. Although, as of this writing, the URLs are not accessible online.)
Deleting Files and Infection
Drives from C: to Z: are being check if they exist or not and if the drive is a CD-ROM. Otherwise, the file named "KUKU300a" is created to check if the drive is writable and immediately deleted after.
Once Sality determines that the drive is writable and not a CD-ROM, it will proceed to look for files with the extension name .VDB and .AVC, and will delete them. Files with extension of .VDB and .AVC are commonly used by antivirus and security applications. Deleting these files will ensure that the antivirus/security applications using them won't work properly.
Sality also deletes executable files (.EXE file extension) whenever the filename contains any of the given strings listed below:
KAV
NOD
ANTI
SCAN
ZONE
ANDA
TROJ
TREN
ALER
CLEAN
OUTP
GUAR
AVP
BIDEF
Even the executable files listed below will be deleted because they contain strings listed above:
RWANDA_MAP.exe
NODE.exe
CURRENTTREND.exe
GUARDIAN.exe
CLEAN.exe
ANTI-SCAN.exe
If the executable files (.EXE file extension) passed the filename checking, it will be infected with Sality.
Lastly, Sality also infects files that have .SCR extension.
Last Thought
Nowadays, viruses are not as common as Trojans, worms, and information stealers. But when they do come, they are harder to clean, they are complicated with polymorphic codes, and they are doing new things we haven't seen them do before. Because they attach themselves to executable files, sometimes when we try to remove them, the original file is not so original anymore. Often times, we will end up restoring the whole computer system. And if your system is already compromised, it is really, really hard to get rid of them.
One of the best ways to avoid viruses is to install an antivirus software and always update it with the latest signatures and detection. In addition, always update your operating system with the latest patches.
Although, there are lot of things we need to do to have a safe computing experience, those that I mentioned above will keep you at bay 50 percent of the time. And knowing how to use some free tools like PEiD and Process Explorer, armed with the information on what the malware does, can also help. At least, it will help let you know if you are infected or not.
And, of course, we have to be vigilant all the time.
References
- PEiD, http://www.peid.info/
- Process Explorer, http://technet.microsoft.com/en-us/sysinternals/bb896653