23 May 2008 03:00 GMT
Broken Sality keeps on giving
Since its initial appearance back in 2003, the Sality (aka KuKu) parasitic virus has come and gone from the radar as its authors continue to re-release updates, but none has attracted more interest than the W32/Sality-AM variant, due to its propensity to damage files upon infection.
Analysis of the most recent samples made it evident that there is a major bug in the infection routine which causes files to be incorrectly modified during infection. So-called ‘broken infections’ have been observed in a number of states, ranging from ‘viable infection, broken host’ to ‘broken infection, broken host’, but unfortunately, as far as the customer is concerned, they simply want the infection gone and their files fixed.
;; a very broken sample - should we detect ???
.text:0100739D 60                 pusha
.text:0100739E E8 00 00 00 00     call    $+5
.text:010073A3 01 E8              add     eax, ebp
.text:010073A5 BF 01 00 00 33     mov     edi, 33000001h
.text:010073AA DB 53 8B           fist    dword ptr [ebx-75h]
.text:010073AD 3D CC 10 00 01     cmp     eax, offset GetModuleHandleA
.text:010073B2 FF D7              call    edi             ;; goes to la-la land !!!
;; hrm...the rest of the host i wonder ???
.text:010073B4 66 81 38 4D 5A     cmp     word ptr [eax], 5A4Dh
.text:010073B9 75 1F              jnz     short loc_10073DA
.text:010073BB 8B 48 3C           mov     ecx, [eax+3Ch]
.text:010073BE 03 C8              add     ecx, eax
.text:010073C0 81 39 50 45 00 00  cmp     dword ptr [ecx], 4550h
From a malware author’s perspective such bugs are a non-issue as long as the virus replicates. However, for an anti-malware vendor this is much more of a problem, not only because disinfection (recovery of the host) may no longer be possible, but also because some infected files are so corrupt that they avoid detection.
Because different anti-malware products use varied techniques to identify an infected file, they may not all report broken samples as infectious. This is often difficult to explain to customers who run multiple anti-virus products, and although neither response is wrong, neither is entirely correct.
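As an added illustration (this is not code from the original post or from SophosLabs), the following Python script shows what a scanner has to decide when it meets a stub like the one in the listing above. It builds a constructed minimal PE32 file, walks the MZ/e_lfanew/PE headers exactly as the stub's own tail does, reads the code at the entry point and classifies it as clean, viable-looking or broken. The byte sequence is taken from the listing; everything else is an assumption on my part: that the stub sits at the entry point, the helper names, and the rule that a `mov edi` target outside `[ImageBase, ImageBase + SizeOfImage)` marks the infection as broken.

```python
import struct

# Bytes of the stub exactly as shown in the disassembly listing on this page.
SALITY_AM_BROKEN_STUB = bytes.fromhex(
    "60"              # pusha
    "E800000000"      # call $+5
    "01E8"            # add eax, ebp
    "BF01000033"      # mov edi, 33000001h   <- bogus target
    "DB538B"          # fist dword ptr [ebx-75h]
    "3DCC100001"      # cmp eax, offset GetModuleHandleA
    "FFD7"            # call edi             <- lands in unmapped memory
    "6681384D5A"      # cmp word ptr [eax], 5A4Dh  ('MZ')
    "751F"            # jnz short
    "8B483C"          # mov ecx, [eax+3Ch]         (e_lfanew)
    "03C8"            # add ecx, eax
    "813950450000"    # cmp dword ptr [ecx], 4550h ('PE')
)


def build_sample_pe(entry_code: bytes) -> bytes:
    """Construct a minimal PE32 file with one .text section (constructed test data, not a real binary)."""
    image_base, size_of_image = 0x01000000, 0x5000
    text_rva, text_raw, text_size = 0x1000, 0x200, 0x200
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(224)                              # PE32 optional header incl. data directories
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<I", opt, 16, text_rva)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)       # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)            # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)    # SizeOfImage
    struct.pack_into("<I", opt, 60, text_raw)         # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_rva,
                          text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(text_raw, b"\0")
    return headers + entry_code.ljust(text_size, b"\xCC")


def parse_pe(data: bytes) -> dict:
    """Read the few header fields needed here; this mirrors the MZ -> e_lfanew -> PE walk in the stub."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return {"entry_rva": entry_rva, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to a file offset through the section table, or None if it maps nowhere."""
    for va, size, rawptr in pe["sections"]:
        if va <= rva < va + size:
            return rva - va + rawptr
    return None


def classify_entry_stub(data: bytes) -> str:
    """Return 'clean', 'viable', 'broken' or 'unrecognised' for the code at the entry point (heuristic)."""
    pe = parse_pe(data)
    off = rva_to_offset(pe, pe["entry_rva"])
    if off is None:
        return "broken"                       # entry point outside every section: the host itself is damaged
    stub = data[off:off + 64]
    if stub[:6] != bytes.fromhex("60E800000000"):   # pusha; call $+5 (the delta-offset prologue)
        return "clean"
    i = stub.find(b"\xBF")                    # mov edi, imm32 (first 0xBF byte; good enough for this stub)
    if i == -1 or len(stub) < i + 5 or b"\xFF\xD7" not in stub[i + 5:]:   # must be followed by call edi
        return "unrecognised"
    target, = struct.unpack_from("<I", stub, i + 1)
    lo, hi = pe["image_base"], pe["image_base"] + pe["size_of_image"]
    return "viable" if lo <= target < hi else "broken"   # assumed rule: target must lie inside the image


if __name__ == "__main__":
    for label, code in [("page sample", SALITY_AM_BROKEN_STUB), ("plain prologue", b"\x55\x8B\xEC\xC3")]:
        print(label, "->", classify_entry_stub(build_sample_pe(code)))
```

The script reports the page's sample as `broken` because `call edi` would transfer to 33000001h, far outside the image; the same stub with an in-image target is reported `viable`, and an ordinary `push ebp; mov ebp, esp` prologue as `clean`. The point for a scanner is that the "is this the virus?" decision and the "is this still a virus?" decision are separate checks, and the second one is what determines whether disinfection is even worth attempting.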
Traditionally, anti-virus vendors have used four different methods to handle broken replicants:
- Detect them as the virus and don’t offer disinfection
- Detect them as -Dam (.Dam)
- Detect them via more intensive user-initiated scans after detection of the main virus.
- Not detect them
Customers seem to understand detection of broken samples; however, they have some difficulty comprehending non-detection (often requiring support to assure them that the sample is not only not viable but also beyond repair).
Pete, SophosLabs AU
