Malware comes in different sizes and shapes. Trojans, worms, viruses, downloaders, and others are becoming more common than common cold medicine. These malware are mixed and matched to produce as much damage as possible. Some are originally designed from scratch, and some are recycled from an old malware collection, either way they are still dangerous.

Malware that infects files are commonly known as file infector viruses. These types of viruses look for files in a computer system and infect them.

Infection is a process of placing the malware codes within a clean file – this is basically similar to a common cold virus that looks for a human host to infect. Computer viruses also look for a host file to infect.

There are different kinds of infections: prepending, appending, cavity, and etc. These kind of infections are how the virus attaches its malicious code to the host file. Prepending attaches at the beginning of the host file, appending attaches at the end, cavity places bits and pieces of its code in any open space in the host file, etc.

Virus authors know that they are being watched, or rather, their viruses are being studied and analyzed. So they are trying to find a way to make the virus analysts’ life harder. They try to encrypt their malware codes in order to conceal their behaviours. But, of course, if there is encryption, there must be a decryptor. Finding the decryptor is easy because they are regular codes that have the sole purpose of reverting back the encrrypted codes. They usually use single key to decrypt the malware codes. Sometimes, they used simple ADD, SUB or XOR assembly instructions to encrypt and decrypt.

The virus authors know that encryption is not enough. The next step is making the malicious codes polymorphic. Polymorphic file infectors have code which is not only encrypted, but the encryption key is different in each and every file. Some polymorphic malware even has a different algorithm, not only different keys.

Polymorphic file infectors not only make the virus analysts’ lives harder, they can also avoid detection from antivirus softwares altogether.

In this article, we are going to walk through a malware that infects files in a polymorphic way.

Polymorphic

Sality is a polymorphic file infector. It uses a simple polymorphic algorithm to decrypt its malware codes. Figure 1 shows the algorithm that decrypts the code.

Components of a decryption routine vary from malware to malware. For Sality, there are three main components: the starting location of the decrypted code, main decryption codes, and the number of iteration. The main decryption algorithm will be performed as long as the exit condition is not met; the exit condition is simply checking if the number of iteration is reached.

There is always a loop or jump back to the beginning of the main decryption routine. For this Sality variant, each encrypted byte will be passed to the routine and will be decrypted individually. Another interesting facts about Sality is its use of floating point instructions like, FILD, FISTP, FADDP, and so on. If an antivirus engine is not capable of simulating these instructions, it will be hard to detect the different variations of the replicated samples.

Let’s take a closer look at Sality’s decryption routine.

Sality replaces the first 123 bytes of the host file starting from the entry point. These bytes contain the deryption routine that will decrypt the rest of the virus body. While, a newly created section at the end of the infected file contains the encrypted virus body with a size of 0×5000 bytes.

Figure 1 shows the first bytes added to the host file. It is not as complicated as it looks. The highlighted instructions FINIT, FILD, FADDP, FISTP, and FIMUL are called floating point instructions. These instructions perform similarly to other arithmetic instructions in assembly language with a minor difference – the registers that they use. The special registers, also known as FPU (floating point unit) registers, consist of ST0, ST1, …, ST7. Each can hold up to 80 bits of information. Access to the values stored in these registers works like stack memory. ST0 always hold the current values which is being pushed and popped every time there is an FPU computation. Some antivirus software may not be able to emulate these instructions, thereby rendering them unable to produce the right values. Maybe Sality’s intention on using these instructions is to avoid detection.

In Figure 1, calling the block of instructions at 01010F14 sets up the number of iterations the loop should be executed. MOV ECX, 1018 and ADD ECX, 17E8 at addresses 01010F14 and 01010F25 respectively, effectively resulted in 0×2800, which is half of the virus body size. The number of iterations only needs 0×2800 because every pass on the routine decrypts a WORD value, equivalent to 2 bytes.

Figure 1. Sality’s decryption routine

The block of code starting at address 01010EEA up to 01010F07 is the actual computation that decrypts the encrypted bytes. It gets the encrypted WORD value and loads it to FPU register ST0 using FILD instruction at 01010EED. The value at ST0 register is multiplied using FIMUL to the content EBP + 401077 and saves the results back to ST0. The FISTP instruction converts the value of ST0 to DWORD and saves it at the top of the stack after executing the instruction at 01010EF8. These blocks of code gets executed over and over again until the counter at ECX reaches 0, after which the whole virus is decrypted.

Method of Infection

Sality is an appending virus. It attaches most of its virus code to the end of the host file. This variant of Sality makes a new section, which contains the encrypted virus code, at the end of the host.

Sections are simply blocks of binary value in an executable file. They can contain data, codes, and other information. Using the PEiD tool we can see a list of sections in a given executable file. Figure 2 shows the sections of a clean clipbrd.exe. It has 3 sections: .text, .data, and .rscr. These sections are common in most executable files in the Windows system.

 

Figure 2. Sections of a clean clipbrd.exe file.

 

Figure 3 shows the sections of a Sality-infected clipbrd.exe. We can see that an additional section, .ddata, has been added. This section contains the encrypted virus codes that will be decrypted in memory during runtime. By visual inspection, we can tell that the file has been infected.

Want to learn more?? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises, thought provoking lectures led by an expert instructor. We review of the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how perform OWASP Top 10 Assessments: for PCI DSS compliance

 

Figure 3. Sections of a Sality-infected clipbrd.exe file.

Code Injection

Sality employs code injection to the running processes in the system. It looks for a running process like explorer.exe then attaches the dynamic library file, vcmgcd32.ll, which contains most of the malicious routine of Sality – including the infection. This DLL file is dropped during runtime, whenever an infected file is executed. For example, if an infected clipbrd.exe file is executed, it will drop the vcmgcd32.dll file.

When Sality drops the DLL file it reloads it back to its infected host as a library. Sality does the dropping and loading of its DLL due the polymorphic nature of the virus. When an infected file is executed, it decrypts the DLL codes and saves it as a DLL file, then loads it back into the main executable.

Figure 4. Running threads in clipbrd.exe.

Figure 5. Injected thread in explorer.exe process.

Figure 4 shows the threads from vcmgcd32.dll within the currently running infected clipbrd.exe file, while Figure 5 shows the same threads from the same DLL file within the running explorer.exe process.

Using the Process Explorer tool, we can observe that the dynamic library file, vcmgcd32.dll, used by the Sality-infected executable, is the same DLL file injected in some running processes. If you can see these in your computer systems it is highly likely that you are infected with Sality.

Terminates Antivirus/Security Related Processes

Sality will attempt to disable antivirus/security processes that match any of the names listed below.

Figure 6 shows the memory location from 10006814 to 100069B4 that contains the names.

 

NAV

AVP

KAV

DRWEB

OUTPOST

ZONEALARM

NOD32

ANTI

NMAIN

MCUPDATE

MGUI

NPROTECT

NUPGRADE

RTVSCAN

SAVSCAN

AUTOTRACE

AVSYNMGR

ATGUARD

AVGSERV

AVPROTECT

BIDEF

BIDSERVER

BIPCP

BLACKICE

CLEANER

DRWATSON

DRWTSN32

LOCKDOWN

MCAGENT

NPFMESSENGER

PERISCOPE

PINGSCAN

PORTDETECTIVE

PROTECTX

TRJSCAN

VSMAIN

AVLTMAIN

ESCANH

ICSSUPPNT

ICSUPP

AVXQUAR

       

 

Figure 6. Shows the names of AV/Security softwares in memory.

Mutex

It creates a mutex named “_kuku_joker_v3.09_” to synchronize its malwares actions as shown in Figure 7. Mutex is generally used to tell other threads or processes when a given shared resource is available or not.

Figure 7. Mutex created by Sality.

 

Internet Access

Sality tries to connect to certain URLs, possibly downloading additional malicious files (it varies in each version of the malware). This variant of Sality tries to check if the machine is connected to the internet by accessing www.microsoft.com, if it successful, the following URLs are also accessed:

 

he3ns1k******

***dcvns3sdsal

in******t1onupd

f5ds1jkk***

 

(Part of the URL names were removed to avoid accidental access to the site. Although, as of this writing, the URLs are not accessible online. ) Figure 8 shows the memory snapshot containing those URLs.
 

Figure 8. URL names in memory

 

Deleting Files and Infection

Drives from C: to Z: are being check if they exist or not and if the drive is a CD-ROM. Otherwise, the file named “KUKU300a” is created to check if the drive is writable and immediately deleted after.

Once Sality determines that the drive is writable and not a CD-ROM, it will proceed to look for files with the extension name .VDB and .AVC, and will delete them. Files with extension of .VDB and .AVC are commonly used by antivirus and security applications. Deleting these files will ensure that the antivirus/security applications using them won’t work properly.

Sality also deletes executable files (.EXE file extension) whenever the filename contains any of the given strings listed below:

 

KAV

NOD

ANTI

SCAN

ZONE

ANDA

TROJ

TREN

ALER

CLEAN

OUTP

GUAR

AVP

BIDEF

 

Even the executable files listed below will be deleted because they contain strings listed above:

 

RWANDA_MAP.exe

NODE.exe

CURRENTTREND.exe

GUARDIAN.exe

CLEAN.exe

ANTI-SCAN.exe

 

If the executable files (.EXE file extension) passed the filename checking, it will be infected with Sality.

Lastly, Sality also infects files that have .SCR extension. 

Last Thought

Nowadays, viruses are not as common as Trojans, worms, and information stealers. But when they do come, they are harder to clean, they are complicated with polymorphic codes, and they are doing new things we haven’t seen them do before. Because they attach themselves to executable files, sometimes when we try to remove them, the original file is not so original anymore. Often times, we will end up restoring the whole computer system. And if your system is already compromised, it is really, really hard to get rid of them.

One of the best ways to avoid viruses is to install an antivirus software and always update it with the latest signatures and detection. In addition, always update your operating system with the latest patches.

Although, there are lot of things we need to do to have a safe computing experience, those that I mentioned above will keep you at bay 50 percent of the time. And knowing how to use some free tools like PEiD and Process Explorer, armed with the information on what the malware does, can also help. At least, it will help let you know if you are infected or not.

And, of course, we have to be vigilant all the time.

References

  1. PEiD, http://www.peid.info/
  2. Process Explorer, http://technet.microsoft.com/en-us/sysinternals/bb896653