Sality is a sophisticated, complex and extremely dangerous computer virus. If you have any hint that your PC got infected with Sality, you should act with caution and deal with Sality as quickly as humanly possible. Sality can be harmful to your computer and to you in a startling variety of ways, because Sality includes features or components of every major kind of malware and regularly changes itself, continuously becoming more malicious and harder to detect than it was before.
The Sality virus first appeared in Russia in 2003. Since then, Sality has continued to be a threat, and Sality has spread throughout the world, historically with an especially strong presence in Brazil. Sality was one of the most prevalent viruses of 2010, and there was a major increase in the number of infections at the end of the year, when a new mutation of the virus appeared. Some researchers have stated that Sality is currently one of the five most common threats detected on computers.
Strictly speaking, Sality began as a backdoor, that is, a way of bypassing ordinary computer security measures. Although Sality still has this feature and the infection still begins with a backdoor, Sality has grown and evolved over the years to include in its functioning practically every known variety of malware. That is not an exaggeration: in addition to the backdoor, Sality’s features include viruses, keyloggers, rootkits, worms, Trojans, downloaders, botnets, adware and zero-hour Windows exploits. Sality has the common features of a classic virus, as well as some very modern and very dangerous capabilities.
How Sality Works
At present, a Sality infection might begin with an infected thumb drive, which infects your computer by way of a worm, or with a Trojan, after you click on an infected spam email or download an infected file. One way or another, once Sality is present, it opens a backdoor and can download other malware or communicate secretly with a botnet controller or whoever propagated the virus in the first place.
Then Sality sets itself up to do its damage. Sality takes a look at what is on your system, infects local .exe and .scr files, disables or deletes security software and firewalls and writes malicious files. Sality can even alter your computer to prevent Windows from being able to start in Safe Mode. It can then install a keylogger to capture keystrokes and steal user names and passwords, credit card numbers or other sensitive information. Sality can also create a worm that will infect all removable media, especially USB thumb drives, and cause the virus to install itself automatically on whichever computer you connect the USB drive to next.
New Developments of Sality
Recently, Sality has been used to create ‘zombie computers’ and to add infected computers to botnets. In other words, Sality is being used in order to give hackers remote access to infected systems, and to use those systems to spread spam, create fraudulent web clicks or launch Denial Of Service attacks against targeted websites – all without the knowledge of the owners of the infected computers. A recent estimate of the size of the Sality botnet puts the number of computers connected through Sality at 100,000.
Beginning in the summer of 2010, there were reports that Sality was infecting computers through a Trojan that takes advantage of what was a so-called ‘zero-hour’ vulnerability in Windows, by exploiting the way Windows handled shortcuts. In this way, Sality is similar to the virus Stuxnet. Basically, the Trojan infects the computer and creates a .dll file and a .lnk file somewhere, and as soon as you navigate to the directory where the .lnk file is stored, the .dll is activated and Sality jumps to action. Since the vulnerability was discovered, Microsoft has issued Windows updates to repair the vulnerability. Nonetheless, recently, this vulnerability has been a major cause of the increase in infection rates of Sality, because many people simply do not update Windows frequently enough or at all.
Sality continues to be a significant threat largely due to its polymorphic nature. It can alter its own code by encrypting itself differently for each file or computer it infects, which is meant to make Sality difficult to detect through scans. In any case, experts believe that the creators of Sality have the ultimate goal of using Sality to gather up and incorporate as much damaging and detrimental code as possible. Therefore, continued vigilance against Sality will likely be a necessity in the foreseeable future.
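The following Python sketch is an added example, not code from this report or from Sality. It shows why per-infection encryption defeats matching on a fixed file hash such as an MD5, while a generic entropy heuristic still flags both copies. The XOR keystream is a stand-in for the encryption layer, not Sality's actual algorithm; all names and sample bytes are constructed; and the heuristic also fires on legitimately packed or compressed files.

```python
import hashlib
import math
from collections import Counter

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in encryption layer (assumption): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def high_entropy_windows(blob: bytes, size: int = 1024, threshold: float = 7.2):
    """Offsets of fixed-size windows whose entropy suggests encrypted or packed data."""
    return [off for off in range(0, len(blob) - size + 1, size)
            if entropy(blob[off:off + size]) >= threshold]

# Constructed sample data: a low-entropy "host" region and one fixed "body".
HOST = (b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]
BODY = (b"constructed placeholder body, identical in every copy " * 76)[:4096]

def make_variant(key: bytes) -> bytes:
    """Same body, re-encrypted under a different key for each copy."""
    return HOST + keystream_xor(BODY, key)

def compare(key_a: bytes, key_b: bytes) -> dict:
    a, b = make_variant(key_a), make_variant(key_b)
    return {
        "md5_a": hashlib.md5(a).hexdigest(),           # differs per copy
        "md5_b": hashlib.md5(b).hexdigest(),
        "flagged_a": high_entropy_windows(a),          # same offsets in both copies
        "flagged_b": high_entropy_windows(b),
        "flagged_clean": high_entropy_windows(HOST + BODY),  # unencrypted baseline
    }

if __name__ == "__main__":
    for name, value in compare(b"machine-1", b"machine-2").items():
        print(name, value)
```

The two copies carry identical content but share no hash, so a hash list only ever describes the samples already collected; the entropy check is a triage signal that needs confirmation by other means.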
How Can You Detect Sality?
Sality Technical Report
As new Sality details are reported by our customers and findings from our Threat Research Center, we will update this section.
The following Sality files, with their MD5s, were created in the system:
|File Name||File Size||MD5|
Sality Removal Details
Sality typically has the following processes in memory: