Thursday, March 18, 2010

Reversing Sality - Dirty way ;)

The Sality virus is a mess to deal with because it infects PE files: once it lands on a machine it infects every EXE on that machine. More about the virus here.

There may be many variants of the Sality virus, but the one I am reversing is detected by McAfee as Sality.gen.

Alright, back at home one of my EXEs got infected with Sality and I was very keen to reverse it and find out what it is capable of. I haven't managed to completely work out what this virus does, but this post presents my findings on it so far.

Basically, when a PE file gets infected it's hard (at least for me) to step through it and reach the portion of code where the virus resides. To make things quick, I ran the infected file so that all of its code is resident in memory (we can dump it later ;) ). Then I used LordPE to dump that infected process from memory to disk. BTW, the infected file I'm running is sality.exe and I'm dumping the process's entire memory image to disk.


Now we have a complete dump of that process (both the legitimate code and the virus code) on disk. We load the dump into a hex editor and start ripping the infected code apart. As everyone knows, an EXE begins with the magic number 4D 5A (MZ), so we search the dump for that. After a few false positives we hit the right spot :D another EXE inside our legitimate program.

It was found at the end of our infected PE file, so Sality.gen appends itself to the end of the PE file. We rip that code out, paste it into the hex editor and save it with an .EXE extension.

After saving the ripped code we analyze it further to see whether it is packed. No surprises! It is packed with UPX.

Next we unpack it with UPX itself. This can also be done with OllyDbg, but the UPX route is much easier.
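The carving step above (search the dump for MZ, skip the false positives, cut out the embedded PE and check whether it is UPX-packed) can be scripted instead of done by hand in a hex editor. The following is an added example, not the author's code; `SAMPLE_DUMP` is a constructed stand-in for the LordPE dump, and the constructed PE is a bare header skeleton, not a real executable.

```python
import struct

def _minimal_pe(section_name: bytes) -> bytes:
    """Constructed test data: the smallest MZ/PE skeleton the carver accepts."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> 0x40
    # COFF header: machine, 1 section, timestamp, symtab ptr, nsyms, optional hdr size 0, chars
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    # One 40-byte section header: name, vsize, vaddr, rawsize, rawptr, relocs, lines, nreloc, nlines, chars
    sect = section_name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sect

# Constructed stand-in for the LordPE dump: host bytes (with stray "MZ" false positives)
# followed by a UPX-style PE appended at the tail, as the post describes.
SAMPLE_DUMP = b"legit code MZ not a header " * 4 + _minimal_pe(b"UPX0")

def find_embedded_pe(blob: bytes) -> list:
    """Return (offset, section_names) for each MZ whose e_lfanew lands on 'PE\\0\\0'."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Sanity bounds on e_lfanew reject the bare-"MZ" false positives
            if 0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(blob) and blob[pe:pe + 4] == b"PE\0\0":
                nsect = struct.unpack_from("<H", blob, pe + 6)[0]
                opt_size = struct.unpack_from("<H", blob, pe + 20)[0]
                first = pe + 24 + opt_size               # first section header
                names = []
                for i in range(nsect):
                    start = first + 40 * i
                    if start + 40 > len(blob):
                        break
                    names.append(blob[start:start + 8].rstrip(b"\0").decode("latin-1"))
                hits.append((pos, names))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def looks_upx(section_names) -> bool:
    """UPX names its sections UPX0/UPX1/UPX2; a cheap check before running 'upx -d'."""
    return any(n.startswith("UPX") for n in section_names)

def carve_tail(blob: bytes, offset: int) -> bytes:
    """Cut the embedded PE out from the hit offset to the end of the dump, ready to save as .exe."""
    return blob[offset:]

if __name__ == "__main__":
    for off, names in find_embedded_pe(SAMPLE_DUMP):
        print(f"PE at 0x{off:x}, sections={names}, upx={looks_upx(names)}")
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the file's bytes; the four stray "MZ" hits in the constructed host are dropped because their e_lfanew does not point at a PE signature.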

After unpacking the file we run the popular STRINGS tool against it to see if we can find anything interesting. Not surprisingly, we find the HTTP sites this virus downloads additional malware from. I'm disclosing only some of them, not all!

Digging further we find something more interesting: the services this virus tries to terminate, as listed on the site referred to earlier.

More interestingly, it adds itself to the list of "AUTHORIZED PROGRAMS" in the registry. Like all classic viruses, it also disables Task Manager and the registry tools. Sality.gen even disables the firewall.

And maybe these entries reveal that the virus will infect files with the extensions .pif, .exe and .cmd? It also creates a mutex so that only one instance of it is running at any time. It also opens a UDP port - maybe for receiving commands?

This post only gives an idea of what Sality.gen is capable of. I've not listed all of its features - will save that for another post ;) - binaryhaX0r
