As my colleague Righard Zwienenberg wrote about in Combofix: a cocktail of infective factors, ESET’s threat researchers received a surprise earlier this week when they began receiving reports from ESET LiveGrid, our threat telemetry system, that downloads of ComboFix, a tool popular with advanced users for removing malware, were detected as being infected by a variant of the Sality virus, Win32/Sality.NBA. Now, if the name Sality sounds familiar to you, there’s a reason for that: The Sality virus family is over five years old now, and has been appearing in the Top Ten section of ESET’s Global Threat Reports since at least April 2010 [PDF]. At its peak in October 2011, the Sality family of viruses accounted for nearly 6% of infections seen worldwide, according to data from ESET’s VirusRadar site, which I’ve presented below:
Win32/Sality family detections from 2007/Q3 – present [source: virusradar.com]
In his blog post, Righard explains in detail the chronology of events surrounding how a component of ComboFix was infected, so I am not going to go into further detail about that for now, but this incident brings up several important questions, the foremost of which being, what is the Sality virus?
Perhaps the most notable thing about Sality is that it is what malware researchers refer to recursively self-replicating code, or by its more popular term, a computer virus. While it might seem strange that an anti-malware company considers this out of the ordinary, there’s a reason for that. In this day and age, most of the malware we see is not recursively self-replicating, i.e., they do not use viral mechanisms for propagating. The types of threats we most often encounter, such as Trojan horses, bots, rootkits and other forms of malware, will often infect a system by either tricking the user into running them or by taking advantage of vulnerabilities in operating systems or applications to run themselves. And, once they have infected a system, they do not replicate ad infinitum like a computer virus of old. But as I said before, Sality is a little different than most of the malware we see on a daily basis.
First of all, one thing we should be clear about: The Sality family of viruses has been around for years, and contains thousands of variants, many of which behave and act in slightly different fashions as the virus has been modified over time. Also, the Sality virus family spreads and maintains its presence on infected PCs using several non-viral mechanisms, as well. This means that while Sality is technically classified as a virus, it also engages in behavior similar to worms and other threats, so it’s important to remember there’s more to Sality than just virus-like behavior. Here’s a brief rundown on some of Sality’s behavior from a few of the samples we’ve seen over the past year:
I have ordered the list above alphabetically rather than by how the actions are performed by the virus. The reason for this is it allowed me to place the last two actions at the end. I wanted to emphasize those because it is these file-infecting behaviors which allow researchers to classify Sality as a bona-fide parasitical file-infecting computer virus.
In addition to all of the above, the Sality virus code is polymorphic, which means that it encrypts and decrypts its program code each time it infects a file so that no two infections appear to the same when looked at side-by-side in a debugger. Also, the virus often will overwrite portions of executable files when infecting them, damaging them so they no longer work correctly. While it would be easy to pass this damage off as inexperience or simply laziness on the part of the author(s) of the virus, the fact that this programming error—or bug—remains in the virus code after so many years indicates they are quite content to damage infected systems, as opposed to simply stealing resources from them like other malware. This kind of destructive behavior is reminiscent of that from file infecting viruses back in the DOS era.
If you were infected by the Sality virus, I strongly recommend contacting ESET’s technical support department for assistance, as they have the skills and the expertise to help you make your system malware-free. If you would like to remove it yourself, be sure to read ESET Knowledgebase Article #3146, “How do I remove Sality or Virut Malware” for further information on removing this virus.
Another question that you are probably asking yourself is why don’t anti-malware programs get infected more often? Back when file-infecting viruses were the norm, rather than the exception, this used to be a more common occurrence: A DOS-based anti-virus program would get infected by a computer virus, and then go on to spread the virus it was infected with to each file as it opened it to scan them for viruses. As a result of this, anti-virus developers began to develop sophisticated anti-tamper mechanisms and build them into their software to ensure this behavior. Modern anti-malware programs contain similar technologies, but the relative lack of file-infectors means most users will never see a warning that their security software has been modified by a computer virus.
In the case of ComboFix, the infection did not occur from a copy being passed around through countless hands, but at the source of the program. Since Righard Zwienenberg covered that already in his blog post here, I am not going to go into further detail, except to note that a combination of factors was involved, including the developer working with faulty hardware.
No matter how careful you are, no matter what policies and procedures you have in place, accidents can and do happen. That’s why anti-malware companies spend a lot of time and money developing the policies and procedures under which their anti-malware research goes on, especially the parts that involve working with malware. While I am not going to provide an exhaustive list of the activities anti-malware companies take, I’d like to give you a few examples:
Those are just a few of the things a company that makes tools to fight malware does to protect itself and its customers when creating anti-malware software. As you might imagine, having different equipment, operating systems, policies and procedures increases costs because you are now increasing the number of vendors you deal with while decreasing the amount of total purchases with each one, but that is a essentially an operating cost for this type of work.
It is important to keep in mind, though, that what matters most is not all of the equipment and techniques used to “quarantine” the handlers of malware within the organization, but rather inculcating the proper behavior for handling malware within the organization. And this can be done at any anti-malware company, regardless of scale.
As for the ComboFix team, they solved the issue and I am quite happy with the speed of their response, and the transparency with which it occurred. It takes years of experience to come up the types of the policies and procedures to deal with such things, no matter how hypothetical they may seem. The people behind ComboFix have been delivering a valuable—and, I might add, uninfected—program to the community free-of-charge for years now, in addition to providing expert guidance in removing all forms of malware. I expect that to continue for many years into the future, or as long as there is malware to be fought.
Aryeh Goretsky, MVP, ZCSE
Author Aryeh Goretsky, We Live Security