During the last Christmas season, a phishing email with an executable named as greetings.exe was broadly sent, and when the email was executed, an image named ‘xmas’ was drawn on the screen. This has captured the eyes of many security analysts, as the firewall and other prevention measures were disabled. Upon thorough investigation, it was concluded that it was a Trojan classified as Sality.AM, and many files were dropped in the %WINDIR%/TEMP directory.
The Sality.AM malware infects the file in the system and also in the network shares and removable drives. It contacts C&C server and downloads malicious payloads and additional executable files, thus providing backdoor access to intruders.
It deletes the registry keys that are used to boot windows in Safe Mode and thus prevents an administrative startup. Sality blocks access to sites of major AV providers like Kaspersky, ESET, TrendMicro, McAfee and Virus Total to make the access to anti-virus tools much harder. When executed, it modifies a large range of registry values and also disable services related to major AV software. It executes in the temp folder and runs as a batch file and creates an application-defined hook procedure installed into the hook chain in order to perform malicious activity. It then weakens the system security by disabling firewall and UAC notifications. Sality can affect the productivity of a firm in a greater depth since it has the capability to infect the files in the network and other shared drives, thus infecting the whole network.
Initially, the compromised machine was isolated and the malicious executable was tracked down. The malware was zipped and password protected from the compromised machine and transferred securely to the malware analysis environment.
The sample that was collected from the infected machine was extracted and loaded to Cuckoo Sandbox for automated malware analysis. When executed, it popped up a picture file named xmas.jpg, shown below.
File details obtained from the malware sample
Detection vectors from Virus Total
On Cuckoo Analysis, it was found that many malicious files were dropped during the execution phase of Sality malware. This malicious drop includes greetings.exe, spoolsv.exe,run.bat, and mirc.ico. The spoolsv.exe perform the hooking process and perform malicious actions which imitate the legitimate printer spooler process. The autorun.inf is a text file that is used to enable autorun and autoplay components of the Windows operating system. By enabling autoplay of Windows, it will be easier for the Sality malware to infect the removable dirves when plugged into the system.
Files dropped by the Sality malware
A list of mutexes were listed during the automated malware analysis, and it was found that Op1mutx9 is the mutex that is intended for the malicious process. This mutex is used to avoid the infection of the system from multiple instances of the Sality malware itself.
A connection was observed from a C&C server to Lelystad.nl.eu.undernet.org, which is used by the malware authors to retrieve a malicious payload. This malicious payload can be used to further affect the infected system.
(Network connections associated with the Sality malware)
After the automated analysis, the malware was loaded into PEiD to check whether it was packed or not. PEid detects most common packers and compilers and after the analysis it was found that the malware was not packed.
Then the malware was executed in an isolated virtual machine and Process Explorer was used to detect which process was used to run the malware. After executing the malware a new process was created and was listed in the Process Explorer as spoolsv.exe.
Process Explorer showing spoolsv.exe
A legitimate Spoolsv.exe is a print spooler process file from the Microsoft Corporation, so it is digitally signed from Microsoft Windows Component Publisher. But in this case, spoolsv.exe was signed by a vendor named MiRC Co. Ltd. MiRC is an IRC client for Windows that has file sharing capabilities, and in this case the legitimate IRC was used maliciously by the Sality malware. Here a bot master can control the infected machine by using this IRC, and malicious commands can be passed to the infected machine to perform activities like sending spam mails, DoS attacks, mining bitcoins, etc.
Process Explorer Analysis showing vendor of spoolsv.exe
By looking on the strings tab on Process Explorer, it was identified that there are rules written to connect to the IRC channel and thus allow the remote attacker to control the system. Thus the malware connects to an IRC channel and possesses a great threat to the system.
(Strings Analysis on Process Explorer)
After that, it was observed that the registry modifications were made using Regshot. On analysis, a number of new values were added to the registry, and also a lot of registry key values were modified.
The first section displays the modification of registry keys to diminish security modules of Windows, like activity of overriding the Antivirus, disabling the notifications from the AV vendors,and disabling the UAC notifications and firewall.
The second section in the RegShot displays the actions of malware, like the entry of its process as a authorized one in the firewall exception.
The malware sample was then uploaded in the IDAPro for the trace of malicious code. A registry key modification code was revealed that can be used to check for the files for the infection process. From this we can understand that the malware infects the files under the Program Files directory on the C drive with .exe extension.
In order to capture the network activity, Wireshark or RSA Netwitness Investigator is run to find traffic to C&C server eu.undernet.org that commands performance of malicious activities. Also a malicious IP was traced out from which an ongoing connection to the infected system was carried out.
(Netwitness showing malicious C&C server)
Volatility is used to drill down for artifacts in memory that on subsequent analysis two exe files were found. These exe files were copied into the temp folder and then infected. The notepad.exe and winmine.exe file were executed under the System32 folder and exited during the execution phase of the malware.
The Sality malware executes under the temp\spoolsv folder and executes by running a ‘run.bat’ script. Here under spoolsv folder four files were dropped, namely ident.txt, fullname.txt, com.mrc and xmas.jpg. The ident.txt files contains a long list of names, fullname.txt contains a list of email addresses.
Execution folder of Sality
Here the com.mrc contains user name and password combinations and these login credentials are used by the malware to contact the underground C&C and thus additional malwares can be injected into the system.
(C&C login credentials)
Sality malware disables the task manager and when task manager is enabled by the user it displays the following pop up. By disabling the task manager, the malware disables the authority of the infected user to view the processes that are running and thus make the malware to run more malicious processes.
Task Manager disabled
It also disables the registry editor of the system and thus no registry modification can be made to the system. Thus the modified registry values cannot be changed manually by the user.
Registry Editor disabled
The firewall will be disabled at the point of execution of the malware. Registry modifications were made to disable the firewall and thus made the system vulnerable to other malicious payloads from the C&C server.
It disables showing of hidden files by Windows Explorer by modifying the registry value
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden. After infection, the Folder options cannot be changed to ‘Show hidden files and folders’.
Files and Folder hiding tab
- Use Security Policy Editor to prevent execution of the malware under the %Windir%\temp\spoolsv folder.
- The malware uses Windows Autorun function to spread via removable drives and other shared drives, so Autorun feature should be disabled to prevent the further infection of the malware.
- Scan removable drives with a good AV solution and a rootkit detector for complete removal of the infection parameters.
- The malware adds exceptions in the firewall and these exceptions must be removed from firewall.
- If the infection has occurred, then use a System State backup that was created for the particular Windows system prior to the incident, and restore the security settings to a working state.
- Reset Internet Explorer settings to remove the malicious injections to the browser.
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses.
- Block all C&C traffic leaving your network as the malware may attempt to remotely control the infected system.
- Ensure that the systems are up to date with the latest available patches, particularly Internet Explorer and the Firefox browser if present.
- Block traffic to the following domains in your perimeter devices such as Firewalls and IPS solutions