Quantcast
Channel: A blog about rootkits research and the Windows kernel
Viewing all articles
Browse latest Browse all 58

Sality rootkit analysis

$
0
0
Sality is a well known family of file-infectors (or PE-infectors or just a viruses). And as malware it has a very long story of evolution since 2003. Latest it versions contain rootkit on board to complicate detection from side of AV-scanners.

Driver has such features:
  • Processes termination via NtTerminateProcess;
  • Blocking access to some AV web-resources via IP Filtering;
  • Small size ~ 5 KB.

According analysis, rootkit is targeted to Windows starting NT4 and finishing Vista. It should be said in advance that this rootkit is not a NEW and not contains some features which have modern rootkits or bootkits. Researched version of rootkit has appeared ITW since beginning of 2010.

Rootkit creates device with name:

\Device\amsint32
\DosDevices\amsint32

and this is signal to infection.


Rootkit contains usual most famous way of process killing, which is used by almost all "old-school" rootkits.
Sality uses old model of IP filtering for blocking access to web-resources that belong AV-vendors. This technique is called IP Filtering. More info: Windows 2000 Filter-Hook Driver example http://ntdev.h1.ru/ipfilter.html and MSDN http://msdn.microsoft.com/en-us/library/windows/hardware/ff548976(v=vs.85).aspx

List of affected vendors:

This feature requires from driver to registering a callback function which will be called for IP-packets. This function will decide what to do with the packet: to forward it or drop.

Registered callback - fnFilterHookIP will looking for presence of AV-vendors strings in data of packet. In case of hit it forces IP-driver to drop this packet.

Encrypted AV vendors strings in it body:


Detection ratio:


SHA256: e0b193d47609c9622aa018e81da69c24b921f2ba682f3e18646a0d09ec63ac2b
SHA1:ef9a19ba89021179930888264290367b5d106a44
MD5:bf31a8d79f704f488e3dbcb6eea3b3e3
File size: 5157 bytes





Viewing all articles
Browse latest Browse all 58

Trending Articles