Win32/Sality network activity

Arkady Kovtun CA - HCL

Since 2003 anti-virus companies have been detecting a Sality polymorphic virus, but recently there has been a developing trend in Sality variants. They infect executables in the OS, create a network of compromised systems, disable most popular security solutions and leave an infected machine without a chance to return to its regular activity. The Sality variants are used to open up a channel through which private information can be stolen, including the OS version, IPs, computer name, passwords and ISP dial up connections. They also provide an attacker with the opportunity to achieve unauthorized access to infected machines. As a result, if a bunch of infected machines exists, Sality variants will continue with further malicious activities, such as the launch of distributed attacks, spam and further malware spreading in order to expand their attack and increase the attacker's power. This paper will characterize Sality activity and explain how this network occurs and which worms download the Sality variants.

This paper will also present information about the Sality backdoor, rootkit, trojan functionality and ways in which attackers make a profit from the Sality variants.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.