Precursors

As my colleague Righard Zwienenberg wrote about in Combofix: a cocktail of infective factors,  ESET’s threat researchers received a surprise earlier this week when they began receiving reports from ESET LiveGrid, our threat telemetry system, that downloads of ComboFix, a tool popular with advanced users for removing malware, were detected as being infected by a variant of the Sality virus, Win32/Sality.NBA.  Now, if the name Sality sounds familiar to you, there’s a reason for that:  The Sality virus family is over five years old now, and has been appearing in the Top Ten section of ESET’s Global Threat Reports since at least April 2010 [PDF].  At its peak in October 2011, the Sality family of viruses accounted for nearly 6% of infections seen worldwide, according to data from ESET’s VirusRadar site, which I’ve presented below:

Win32/Sality family detections from 2007/Q3 – present [source: virusradar.com]

In his blog post, Righard explains in detail the chronology of events surrounding how a component of ComboFix was infected, so I am not going to go into further detail about that for now, but this incident brings up several important questions, the foremost of which being, what is the Sality virus?

The Salient Facts

Perhaps the most notable thing about Sality is that it is what malware researchers refer to recursively self-replicating code, or by its more popular term, a computer virus. While it might seem strange that an anti-malware company considers this out of the ordinary, there’s a reason for that.  In this day and age, most of the malware we see is not recursively self-replicating, i.e., they do not use viral mechanisms for propagating.  The types of threats we most often encounter, such as Trojan horses, bots, rootkits and other forms of malware, will often infect a system by either tricking the user into running them or by taking advantage of vulnerabilities in operating systems or applications to run themselves.  And, once they have infected a system, they do not replicate ad infinitum like a computer virus of old.  But as I said before, Sality is a little different than most of the malware we see on a daily basis.

First of all, one thing we should be clear about:  The Sality family of viruses has been around for years, and contains thousands of variants, many of which behave and act in slightly different fashions as the virus has been modified over time.  Also, the Sality virus family spreads and maintains its presence on infected PCs using several non-viral mechanisms, as well.  This means that while Sality is technically classified as a virus, it also engages in behavior similar to worms and other threats, so it’s important to remember there’s more to Sality than just virus-like behavior.  Here’s a brief rundown on some of Sality’s behavior from a few of the samples we’ve seen over the past year:

  • connects to a command-and-control (C&C) server on the Internet
  • creates exceptions in the Window Firewall rules to allow it network access or disables the Windows Firewall entirely
  • creates threads with fake program names such as %system%\cmd.exe%system%\notepad.exe, %system%\regedt32.exe%system%\telnet.exe or %system%\write.exe to hide its presence in memory
  • deletes files, disable services and terminates processes from several dozen different security programs
  • downloads two files from a list of embedded URLs, and saves them with random names into the %temp% directory with .EXE extensions
  • drops a copy itself in the root directory of all removable media drives with a random filename and an extension of .CMD.EXE or .PIF and creates an AUTORUN.INF file on all removable media drives to run the dropped file
  • drops a copy of itself as a randomly-named file in the %windir%\system32\drivers\ directory with a .SYS extension
  • drops two copies of itself with random names into the %temp% directory with .EXE extensions
  • modifies the SYSTEM.INI file to launch itself when the system is booted
  • registers itself as system service
  • searches local and network drives for files with .EXE or .SCR extensions and infects them by adding its code to the actual file so that attempts to launch the file first run the viral code
  • searches some of the Run keys in the registry for the names of programs which run at startup and then infects them, depending on their paths

I have ordered the list above alphabetically rather than by how the actions are performed by the virus.  The reason for this is it allowed me to place the last two actions at the end.  I wanted to emphasize those because it is these file-infecting behaviors which allow researchers to classify Sality as a bona-fide parasitical file-infecting computer virus.

Rubbing Salt in the Wound

In addition to all of the above, the Sality virus code is polymorphic, which means that it encrypts and decrypts its program code each time it infects a file so that no two infections appear to the same when looked at side-by-side in a debugger.  Also, the virus often will overwrite portions of executable files when infecting them, damaging them so they no longer work correctly.  While it would be easy to pass this damage off as inexperience or simply laziness on the part of the author(s) of the virus, the fact that this programming error—or bug—remains in the virus code after so many years indicates they are quite content to damage infected systems, as opposed to simply stealing resources from them like other malware.  This kind of destructive behavior is reminiscent of that from file infecting viruses back in the DOS era.

If you were infected by the Sality virus, I strongly recommend contacting ESET’s technical support department for assistance, as they have the skills and the expertise to help you make your system malware-free.  If you would like to remove it yourself, be sure to read ESET Knowledgebase Article #3146, “How do I remove Sality or Virut Malware” for further information on removing this virus.

Physician, Heal Thyself

Another question that you are probably asking yourself is why don’t anti-malware programs get infected more often?  Back when file-infecting viruses were the norm, rather than the exception, this  used to be a more common occurrence:  A DOS-based anti-virus program would get infected by a computer virus, and then go on to spread the virus it was infected with to each file as it opened it to scan them for viruses.  As a result of this, anti-virus developers began to develop sophisticated anti-tamper mechanisms and build them into their software to ensure this behavior.  Modern anti-malware programs contain similar technologies, but the relative lack of file-infectors means most users will never see a warning that their security software has been modified by a computer virus.

In the case of ComboFix, the infection did not occur from a copy being passed around through countless hands, but at the source of the program.  Since Righard Zwienenberg covered that already in his blog post here, I am not going to go into further detail, except to note that a combination of factors was involved, including the developer working with faulty hardware.

Defense in Depth

No matter how careful you are, no matter what policies and procedures you have in place, accidents can and do happen.   That’s why anti-malware companies spend a lot of time and money developing the policies and procedures under which their anti-malware research goes on, especially the parts that involve working with malware.  While I am not going to provide an exhaustive list of the activities anti-malware companies take, I’d like to give you a few examples:

  • Networks handling malware are air-gapped and physically and logically separate from their others.
  • Cable and keystone jack colorings are different than those used elsewhere in the enterprise to prevent accidental connections (and they are prominently labeled as well, for color-blind employees)
  • Using different brands of networking  gear, storage and servers are used on the malware-positive pathways in the organization with different configurations and rulesets than elsewhere in the company  This helps ensure there are no failure modes in common to equipment across networks.
  • Logs are examined in multiple ways to looking for unusual network behavior, including differences in behavior over time.
  • Different hardware for malware analysts, again, this might mean different models or even brands of computers than the corporate standard.  This helps reinforce separation of the malware-positive and malware-negative pathways for the malware analyst.
  • Different operating system and software configuration for malware analysts.  Analysts run as low-privileged users, with changes in how files are viewed, opened and executed on their systems.
  • Disabling of unused mass storage interfaces (USB, FireWire, eSATA and so forth)
  • Encryption is used throughout the environment and multi-factor authentication required at multiple locations (besides ingress/egress) to help compartmentalize malware flow.
  • Physical isolation of malware research labs.
  • The creation of policies and procedures on how to use the lab safely, training and periodic reviews to ensure analysts stay up-to-date.

Those are just a few of the things a company that makes tools to fight malware does to protect itself and its customers when creating anti-malware software.   As you might imagine, having different equipment, operating systems, policies and procedures increases costs because you are now increasing the number of vendors you deal with while decreasing the amount of total purchases with each one, but that is a essentially an operating cost for this type of work.

It is important to keep in mind, though, that what matters most is not all of the equipment and techniques used to “quarantine” the handlers of malware within the organization, but rather inculcating the proper behavior for handling malware within the organization.  And this can be done at any anti-malware company, regardless of scale.

A Retrospective Test Passed

As for the ComboFix team, they solved the issue and I am quite happy with the speed of their response, and the transparency with which it occurred.  It takes years of experience to come up the types of the policies and procedures to deal with such things, no matter how hypothetical they may seem.  The people behind ComboFix have been delivering a valuable—and, I might add, uninfected—program to the community free-of-charge for years now, in addition to providing expert guidance in removing all forms of malware.  I expect that to continue for many years into the future, or as long as there is malware to be fought.

 

Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher