Nytro

Sality rootkit analysis


Sality is a well-known family of file infectors (PE infectors, or simply viruses), and as malware it has a long history of evolution going back to 2003. Its latest versions carry a rootkit on board to complicate detection by AV scanners.

The driver has the following features:

  • Process termination via NtTerminateProcess;
  • Blocking access to certain AV web resources via IP filtering;
  • Small size (~5 KB).

[image: root.jpg]

According to the analysis, the rootkit targets Windows versions from NT4 through Vista. It should be said up front that this rootkit is not new and does not contain the features found in modern rootkits or bootkits. The researched version of the rootkit has been seen in the wild since the beginning of 2010.

The rootkit creates a device with the name:

\Device\amsint32

\DosDevices\amsint32

and the presence of this device is a sign of infection.

[image: 3.jpg]

The rootkit uses the usual, best-known method of process killing, which is employed by almost all "old-school" rootkits.

[image: 4.jpg]

Sality uses the old IP filtering model to block access to web resources belonging to AV vendors. This technique is called IP Filtering (a Filter-Hook driver). More info: Windows 2000 Filter-Hook Driver example, NT networking & kernel mode: drivers, articles, sources, and MSDN http://msdn.microsoft.com/en-us/library/windows/hardware/ff548976(v=vs.85).aspx.

List of affected vendors:

[image: 1.jpg]

This feature requires the driver to register a callback function that is called for every IP packet. This function decides what to do with the packet: forward it or drop it.

[image: 6.jpg]

The registered callback, fnFilterHookIP, looks for AV vendor strings in the packet data. On a hit, it forces the IP driver to drop the packet.

[image: 5.jpg]

The encrypted AV vendor strings in its body:

[image: 8.jpg]

Detection ratio:

[image: 7.jpg]

SHA256: e0b193d47609c9622aa018e81da69c24b921f2ba682f3e18646a0d09ec63ac2b

SHA1: ef9a19ba89021179930888264290367b5d106a44

MD5: bf31a8d79f704f488e3dbcb6eea3b3e3

File size: 5157 bytes
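As an added example (not part of the original post or the author's tooling), here is a small Python triage script that uses only the indicators this analysis gives: the file hashes and size above, and the amsint32 device name that signals infection. Kernel drivers normally store device names as UNICODE_STRING literals, so the script searches for both the UTF-16LE and ASCII encodings. The sample blob at the bottom is constructed for demonstration and is not the real driver; the optional Windows device check is an assumption about how the device would be reachable from user mode and is skipped on other platforms.

```python
import hashlib
import sys

# Indicators of compromise taken from the analysis above.
KNOWN_HASHES = {
    "md5": "bf31a8d79f704f488e3dbcb6eea3b3e3",
    "sha1": "ef9a19ba89021179930888264290367b5d106a44",
    "sha256": "e0b193d47609c9622aa018e81da69c24b921f2ba682f3e18646a0d09ec63ac2b",
}
KNOWN_SIZE = 5157
DEVICE_NAMES = (r"\Device\amsint32", r"\DosDevices\amsint32")


def _encodings(text):
    """Return the byte patterns to search for: UTF-16LE (UNICODE_STRING) and plain ASCII."""
    return {"utf-16le": text.encode("utf-16-le"), "ascii": text.encode("ascii")}


def scan_driver_bytes(data):
    """Scan a driver image held in memory and return a triage report."""
    digests = {name: hashlib.new(name, data).hexdigest() for name in KNOWN_HASHES}
    hash_hits = [name for name, value in digests.items() if value == KNOWN_HASHES[name]]

    string_hits = []
    for device_name in DEVICE_NAMES:
        for encoding, needle in _encodings(device_name).items():
            if needle in data:
                string_hits.append((device_name, encoding))

    return {
        "size": len(data),
        "size_matches_known": len(data) == KNOWN_SIZE,
        "digests": digests,
        "hash_match": bool(hash_hits),
        "device_name_hits": string_hits,
        # A hash match identifies this exact sample; a device-name hit also catches repacked variants.
        "suspicious": bool(hash_hits) or bool(string_hits),
    }


def scan_driver_file(path):
    with open(path, "rb") as handle:
        return scan_driver_bytes(handle.read())


def device_present_on_windows(name="amsint32"):
    """Live check (Windows only, assumption): try to open \\\\.\\amsint32, which resolves via \\DosDevices.

    Returns True if the device object exists, False if it does not, None when not on Windows.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    kernel32 = ctypes.windll.kernel32
    INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
    GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
    handle = kernel32.CreateFileW(r"\\.\%s" % name, GENERIC_READ, 0, None, OPEN_EXISTING, 0, None)
    if handle != INVALID_HANDLE_VALUE:
        kernel32.CloseHandle(handle)
        return True
    # ERROR_FILE_NOT_FOUND (2) / ERROR_PATH_NOT_FOUND (3) mean no such device; any other
    # failure (e.g. ERROR_ACCESS_DENIED) means the device object exists but refused the open.
    return kernel32.GetLastError() not in (2, 3)


# Constructed sample, not the real driver: a fake blob embedding the device name as UTF-16LE.
SAMPLE_BLOB = b"MZ" + b"\x00" * 64 + r"\Device\amsint32".encode("utf-16-le") + b"\x00" * 32


if __name__ == "__main__":
    report = scan_driver_file(sys.argv[1]) if len(sys.argv) > 1 else scan_driver_bytes(SAMPLE_BLOB)
    for key, value in report.items():
        print("%-20s %s" % (key, value))
    print("%-20s %s" % ("device_present", device_present_on_windows()))
```

Run it with a path to a suspect .sys file to get the report; without arguments it scans the constructed blob, which triggers only the device-name heuristic and not the hash match.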

[image: half-life-1.jpg]

Posted by https://twitter.com/artem_i_baranov

Posted 15th January by Artem

Source: Security/malware blog: Sality rootkit analysis
