Sality

Sality is a persistent family of file-infecting computer viruses primarily targeting Windows executable files, which it modifies by appending or inserting malicious code to propagate itself across local drives, shared resources, and removable media. Since its discovery, Sality has evolved through numerous variants, incorporating advanced evasion techniques such as polymorphic code changes to avoid antivirus detection, and establishing a decentralized peer-to-peer (P2P) network among infected hosts for command-and-control (C2) communication and malware updates. Key functionalities of Sality include downloading additional payloads, such as keyloggers or information stealers, and engaging in data theft, including capturing cached passwords from browsers and applications. The malware disables security features on infected systems, like Windows Defender and firewall services, to maintain persistence and facilitate further infections. Its P2P architecture, which relies on supernodes formed by heavily infected machines, enables resilient distribution of updates and binaries without centralized servers, making takedown efforts challenging. Attribution points to an eCrime group known as SALTY SPIDER, believed to operate from Russia, which has leveraged Sality for financial gain through botnet operations since the malware's emergence in 2003. Despite mitigation efforts by cybersecurity firms, Sality remains a prevalent threat as of 2025, with a resurgence in 2024 and ongoing variants detected in the wild, underscoring its adaptability and long-term impact on global cybersecurity.

History and Discovery

Initial Discovery

Sality was first publicly documented by security researchers, marking its emergence as a threat. Kaspersky Lab reported detecting the virus shortly thereafter, classifying it within their threat database as an infectious agent targeting Windows systems. In its debut form, Sality functioned as a basic file-infector aimed at Windows Portable Executable (PE) files, especially those with the .EXE extension. The malware prepended its UPX-compressed code to host files, altering their structure without initially employing sophisticated evasion methods. Its payload featured rudimentary data theft capabilities, including a keylogger component that captured passwords from the Windows registry and dial-up configurations, which were then transmitted to attacker-controlled Russian SMTP servers. The virus's early dissemination centered on Eastern Europe, with Russia as the primary hotspot, facilitated by the sharing of infected executables across network drives and through downloads from compromised or unverified sources. Initial antivirus signatures identified variants under names like Virus.Win32.Sality.A, highlighting its classification as a parasitic Windows virus from the outset.

Evolution of Variants

Sality's evolution began with early variants that enhanced its propagation capabilities. Early updates introduced worm-like features, allowing the malware to replicate across network shares in addition to infecting files. Variants detected around December 2006 incorporated these mechanisms alongside entry-point obscuration techniques to complicate detection. Subsequent iterations like Sality.C further refined these propagation methods, enabling broader spread on local and shared drives. By 2010, Sality underwent a significant shift with the integration of peer-to-peer (P2P) functionality for command-and-control operations, marking the arrival of versions 3 and 4. These versions, active since approximately 2009, allowed infected systems to form decentralized networks resistant to traditional takedown efforts; communications within the P2P network used digitally signed files and commands to prevent tampering. Rootkit capabilities were also incorporated around this period, providing kernel-level persistence and hiding the malware from security tools. From 2015 to 2020, developers enhanced evasion tactics with advanced modules refined for deeper stealth, maintaining Sality's effectiveness amid evolving antivirus measures. Sality experienced a resurgence in 2022, with campaigns targeting industrial control systems (ICS) through tainted recovery tools for programmable logic controllers. Activity persisted into 2024, as evidenced by ongoing tracking of variants in cybersecurity analyses. By the first half of 2025, Sality remained a notable threat in malware landscapes, contributing to botnet operations. Key to Sality's longevity are its continuous polymorphism, which mutates code to evade detection, and the decentralized P2P structure, which has thwarted complete botnet disruptions.

Technical Overview

Aliases and Family Classification

Sality is known by several primary aliases in cybersecurity literature and detection databases, including Virus.Win32/Sality, W32/Sality, SalLoad, Kookoo, SaliCode, and Kukacka. These names reflect variations in how different security vendors and researchers have labeled the threat based on its behaviors and code characteristics. The malware is classified as a polymorphic file-infector that incorporates worm-like and rootkit functionalities, enabling it to form resilient peer-to-peer (P2P) botnets for command-and-control operations. This places Sality within broader malware taxonomies as botnet-enabling software, often associated with eCrime for tasks like spam distribution and credential theft. Sality encompasses numerous variants, with antivirus firms documenting over 100 distinct strains such as Sality.AT and Sality.AM, distinguished by subtle code modifications and behavioral differences. These are broadly grouped into families corresponding to versions 3.x and 4.x, which emphasize decentralized communication to evade takedowns. Detection signatures vary by vendor but consistently reflect the family's patterns. Microsoft employs the Virus:Win32/Sality.* naming, capturing a wide range of variants. Symantec identifies it as W32.Sality, focusing on its file-modifying and network behaviors. Kaspersky uses Virus.Win32.Sality for its polymorphic targeting.

Core Infection Mechanisms

Sality employs a polymorphic engine to mutate its code during each infection, incorporating encryption and the insertion of junk instructions to evade signature-based antivirus detection. This engine, such as the "Simple Poly Engine v1.1a," generates variable decryption stubs that append the encrypted viral body to the end of the host file's last section, ensuring the original file remains largely intact while altering the malware's appearance across infections. To obscure its entry point and avoid detection through file integrity checks, Sality uses entry-point obscuring (EPO) techniques that preserve the host's original entry-point address. Instead of directly overwriting the entry point, it inserts a polymorphic stub, often an obfuscated register jump such as a "jmp reg", that executes the viral code before seamlessly transferring control back to the legitimate code, maintaining host functionality. Upon execution, Sality initiates infection by injecting its code into running processes, excluding those under system accounts, and using mutexes like "uxJLpe1m" to prevent concurrent instances. It drops a malicious DLL, such as wmdrtc32.dll, into the %System% directory and injects it into running processes for immediate execution, while also loading a kernel-mode driver like amsint32.sys into %System%\drivers to establish deeper persistence. Registry modifications follow, including entries in HKLM\Software\Microsoft\Windows\CurrentVersion\Run to autorun the DLL on startup and alterations to HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot to ensure loading even in safe mode. Later variants of Sality incorporate rootkit capabilities to hide its presence and activities on the host. The amsint32 driver performs SSDT (System Service Descriptor Table) hooking, intercepting calls like NtTerminateProcess to terminate antivirus processes and conceal malicious files or running instances from system queries. The driver also creates a device named \Device\amsint32 for kernel-level communication, enabling file and process hiding while filtering network traffic to block access to security vendor domains.
Sality primarily targets executable files with .EXE and .SCR extensions, infecting them by appending its polymorphic code to the last section or, in some cases, overwriting sections while preserving the host's operational integrity. It avoids infecting files associated with security software, instead overwriting them with harmless byte sequences like "CC C3 CC C3" to neutralize those tools without full propagation.

Propagation Strategies

File Infection Process

Sality targets executable files on local drives, scanning from the C: drive onward and traversing all available disk drives except CD-ROMs. It searches for files with .EXE or .SCR extensions that fall within a size range of approximately 512 bytes to 40 MB, excluding protected system files via checks like the SfcIsFileProtected API to avoid detection or disruption. The scanning process is multi-threaded, using APIs such as FindFirstFileA and FindNextFileA to traverse folders alphabetically from the root directory, ensuring efficient coverage of the file system while one thread handles the infection routine. Upon identifying a suitable non-infected target, Sality appends an encrypted viral body, typically around 70 in size, to the end of the host file. It then modifies the Portable Executable (PE) header, adjusting the last section's characteristics to include executable, readable, and writable permissions, while updating fields like VirtualSize and SizeOfRawData to accommodate the addition. To redirect execution, the virus employs entry-point obscuring (EPO) techniques, inserting a jump in the host's code that leads to a decryptor routine in the appended section; this decryptor unpacks the viral code and transfers control back to the original entry point, allowing the infected file to function normally. This polymorphic approach, where the viral code mutates with each infection, enhances stealth by varying the decryptor and insertion points. For self-protection, Sality marks infected files with specific indicators, such as setting a non-zero value in the 'NumberOfLineNumbers' field (at offset 0x22 in the section header) and zeroing the field at offset 0x58 in the PE header, preventing re-infection during subsequent scans. These markers allow the virus to quickly skip already compromised files, optimizing its propagation within the system.
Infected hosts preserve original file timestamps and attributes to evade suspicion, though the added code can increase file size noticeably and potentially degrade performance due to the overhead of decryption and execution redirection. Early variants of Sality relied on straightforward appending methods with basic PE modifications for infection. Later variants introduced more advanced stealth measures, such as cave insertion (exploiting unused spaces, or caves, within the PE file structure) and enhanced EPO to obscure the jump to viral code, making detection by signature-based tools more challenging. These evolutions reflect Sality's ongoing adaptation to antivirus countermeasures while maintaining its core file-infection strategy.
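The infection markers described above (last section made readable, writable and executable; a non-zero NumberOfLineNumbers in that section header; the header field at 0x58 zeroed) can be checked directly from the PE headers. The following is an added defensive triage example, not code from the page or from any vendor; it assumes that the field at 0x58 from the PE signature is the optional header's CheckSum, and it builds its own minimal PE32 header images as constructed test input rather than reading real files.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: NumberOfLinenumbers is the u16 at 0x22 and
# Characteristics the u32 at 0x24, the two section fields the text describes.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def scan_pe(data: bytes) -> dict:
    """Return the Sality-style infection markers found in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    # Assumption: 0x58 from the PE signature is the optional header CheckSum
    # (4-byte signature + 20-byte file header + 0x40, same for PE32 and PE32+).
    checksum = struct.unpack_from("<I", data, pe_off + 0x58)[0]
    last = pe_off + 24 + opt_size + 40 * (num_sections - 1)      # last section header
    line_numbers = struct.unpack_from("<H", data, last + 0x22)[0]
    characteristics = struct.unpack_from("<I", data, last + 0x24)[0]
    return {
        "last_section_rwx": characteristics & RWX == RWX,
        "line_numbers_marker": line_numbers != 0,
        # Weak on its own: many clean builds also leave CheckSum at zero.
        "checksum_zero": checksum == 0,
    }


def is_suspicious(data: bytes) -> bool:
    """Flag only when the two strong markers coincide; CheckSum merely corroborates."""
    markers = scan_pe(data)
    return markers["last_section_rwx"] and markers["line_numbers_marker"]


def build_sample_pe(sections, checksum=0x1234) -> bytes:
    """Constructed minimal PE32 image (headers only) used as offline test input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)                    # CheckSum field
    table = b""
    for name, line_numbers, characteristics in sections:
        hdr = bytearray(40)
        hdr[:8] = name.ljust(8, b"\0")
        struct.pack_into("<H", hdr, 0x22, line_numbers)
        struct.pack_into("<I", hdr, 0x24, characteristics)
        table += bytes(hdr)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + table


# Constructed samples: an ordinary layout, and one carrying the infection markers.
CLEAN_SAMPLE = build_sample_pe([
    (b".text", 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
INFECTED_SAMPLE = build_sample_pe([
    (b".text", 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 7, RWX),      # appended body: last section now RWX, line-number marker set
], checksum=0)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(label, scan_pe(sample), "suspicious:", is_suspicious(sample))
```

A legitimate packer can also leave a last section RWX, so the result is a triage flag that should be confirmed with a full scanner, not a verdict by itself.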

Network and Removable Media Spread

Sality propagates via removable media by copying itself to USB drives and other external storage devices, disguising the malicious payload as seemingly innocuous files such as those with .exe, .pif, or .cmd extensions, often mimicking legitimate applications like Windows Calculator or Minesweeper with randomized names. To facilitate automatic execution upon insertion of the drive into another system, it creates or modifies an autorun.inf file in the root directory, which points to the infected file and triggers its launch without user intervention. For network-based spread, Sality enumerates accessible network resources, including mapped drives and SMB shares, to identify potential targets for infection. It then attempts to copy infected files to these locations for subsequent execution on remote systems. To evade detection during this process, Sality implements rate limiting by introducing delays between propagation attempts, which reduces network anomalies that might alert security tools. In variants observed since 2022, Sality has adopted tactics tailored to industrial control systems (ICS), bundling its payload with legitimate-appearing password-cracking tools designed for programmable logic controllers (PLCs) and human-machine interfaces (HMIs) from vendors like Automation Direct, Siemens, and Mitsubishi. These tools, promoted via social media ads targeting industrial engineers, exploit serial or Ethernet connections to extract device passwords while simultaneously deploying Sality, which then spreads further through the ICS environment via network shares and removable media, potentially compromising operational technology assets. This approach enhances initial infection rates in air-gapped or segmented ICS networks by exploiting trust in utility software. These propagation strategies continue to be observed in active variants as of 2025.

Payload and Capabilities

Immediate System Modifications

Upon execution, Sality initiates security evasion measures by terminating active antivirus and security-related processes to prevent detection and removal. It targets processes such as avp.exe (Kaspersky), mcafee.exe, and nod32.exe, among others like AVPM, A2GUARD, and ALG, using a dedicated routine for forceful termination. Additionally, it deletes or overwrites antivirus database files, including those with extensions like .vdb, .avc, and .qdb, to impair scanning capabilities and hinder remediation. Sality further compromises system integrity through targeted registry alterations that disable critical Windows services and security features. It modifies keys under HKLM\SYSTEM\CurrentControlSet\Services to stop or disable services such as Windows Defender and Task Scheduler, while also deleting entries like HKLM\System\CurrentControlSet\Control\Safeboot to prevent safe mode booting. Other changes include setting values to block access to tools like Task Manager and Registry Editor (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1) and suppressing antivirus notifications (e.g., HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify=1). These alterations collectively lower the system's defensive posture by neutralizing built-in protections. To maintain stealth and persistence, Sality performs file system modifications that disrupt forensic recovery and operational safeguards. It deletes temporary executable files in user directories (e.g., %User Temp%.exe) and overwrites security-related files with patterns like "CC C3 CC C3 CC C3 CC C3" to render them unusable. The malware also injects obfuscated code into running processes, including explorer.exe, using mutexes (e.g., "M__") to avoid multiple instances, thereby embedding itself in legitimate system operations without creating new suspicious executables. Variant evolution influences the scope of these modifications, with earlier versions emphasizing antivirus neutralization.
Pre-2010 variants, such as those from 2006 (e.g., v3.09), primarily focus on process termination and basic service disruption using hardcoded security targets. Post-2010 variants, including V4 implementations from late 2010 onward, expand evasion by explicitly disabling firewalls (e.g., via registry changes to firewall settings) and incorporating advanced rootkit-like behaviors for deeper system integration.

Botnet and Advanced Functions

Sality employs a decentralized peer-to-peer (P2P) network that eliminates reliance on central command-and-control (C2) servers, enabling resilient communication among infected hosts. The network operates as an unstructured, pull-based system where bots periodically exchange information with peers to propagate commands and updates. This design allows the botnet to distribute tasks such as malware updates without a single point of failure, enhancing its resilience against takedown efforts. Bots connect to the network using a protocol carried primarily over UDP for efficient signaling and peer exchange, with TCP introduced in later versions for secure file exchanges on ports offset from the UDP port (e.g., port + 19). Upon infection, a bot joins the network via a bootstrap list of known peers, up to 1,000 entries, and participates in gossip-based message propagation to share tasks and maintain connectivity. This peer-to-peer coordination enables distributed operations, where individual bots relay commands received from other nodes acting as implicit C2 points. The botnet supports several advanced malicious functions coordinated through the P2P structure. Infected systems can serve as spam relays, distributing campaigns as directed by peer-exchanged commands. Credential theft modules capture credentials, including FTP passwords stored on the system, facilitating unauthorized access to remote services. Additionally, bots participate in distributed denial-of-service (DDoS) attacks, leveraging the network's scale to overwhelm targets with traffic from multiple compromised hosts. A key component is the downloader module, which retrieves URLs for additional malware from P2P peers and executes the downloaded files, such as payloads like Win32/RBrute. For data exfiltration, bots collect sensitive information, including browser-stored credentials, and transmit it to designated peers, often every two minutes. Transmissions are secured using digital signatures, with RSA-1024 in version 3.x and RSA-2048 in version 4.x, ensuring only verified modules are processed.
At its peak, the Sality botnet encompassed over one million infected nodes, with version 3.x exhibiting the largest footprint of approximately 912,000 active systems based on global sensor data. Version 3.x, introduced around 2008, relied on unsigned URL packs vulnerable to manipulation, while version 4.x, released in late 2010, incorporated signed binaries for executables to establish trust and mitigate such exploits. This evolution maintained the botnet's operational scale into the mid-2010s, with over 115,000 super peers identified in analyses. As of 2025, Sality continues to leverage these capabilities, with a noted resurgence in activity for distributing additional malware and maintaining botnet operations.

Detection and Mitigation

Identification Techniques

Signature-based detection of Sality primarily employs heuristics to identify polymorphic stubs, such as decryption routines in infected executables, to counter the malware's code obfuscation techniques that alter signatures across variants. Antivirus solutions flag infections under names such as Virus:Win32/Sality or its variants, leveraging generic detection against known viral code structures despite mutations. Similarly, Kaspersky products detect Sality as Virus.Win32.Sality in various forms, incorporating heuristics to counter the malware's entry-point obscuring (EPO) methods that hide its presence in files. Behavioral indicators provide clues for identifying Sality infections, including unusual modifications to files on local, network-shared, or removable drives, where the virus prepends or appends polymorphic code to .EXE and .SCR files. Systems may exhibit disabled security services, such as terminated antivirus processes or altered firewall settings that permit outbound connections, alongside elevated network activity like high volumes of UDP traffic to random ports for peer-to-peer (P2P) botnet coordination. These patterns, including attempts to steal sensitive data or download additional payloads, distinguish Sality from benign operations. Practical tools assist in confirming Sality's presence through targeted scans, such as bootable rescue disks that operate outside the infected OS to evade rootkit hiding mechanisms; for instance, the Kaspersky Rescue Disk performs offline malware scans capable of identifying Sality variants by bypassing active system modifications. Network monitoring tools can reveal anomalous P2P traffic, characterized by Sality's UDP-based communication, which mimics but deviates from protocols like those used in BitTorrent. Advanced detection techniques include rules designed to match the rootkit hooks implemented in later Sality variants, which conceal files, processes, and registry entries to maintain persistence.
Additionally, entropy-based models analyze file anomalies, where Sality's polymorphic encryption results in unusually high entropy scores compared to legitimate executables, enabling proactive identification of obfuscated infections. Detecting Sality poses challenges stemming from its polymorphism, necessitating generic and behavioral approaches over rigid signatures to capture evolving variants. Furthermore, behavioral detection risks false positives from legitimate P2P applications generating similar UDP traffic patterns, requiring contextual analysis to differentiate malicious activity.
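The network indicators above (UDP fan-out to many peers on random ports, plus the later TCP file-exchange channel on a port offset from the UDP port) can be correlated from flow records. The following is an added example written for this page, not a published detection rule; it assumes the "port + 19" offset is taken relative to the peer's UDP port, and its flow records are constructed, not captured.

```python
from collections import defaultdict

# Constructed flow records (src_host, proto, dst_host, dst_port); not real captures.
# 10.0.0.5 shows a Sality-like pattern; 10.0.0.8 shows ordinary DNS and HTTPS use.
FLOWS = [
    ("10.0.0.5", "UDP", "198.51.100.1", 4460),
    ("10.0.0.5", "UDP", "198.51.100.2", 31021),
    ("10.0.0.5", "UDP", "203.0.113.9", 1024),
    ("10.0.0.5", "UDP", "203.0.113.44", 50871),
    ("10.0.0.5", "UDP", "192.0.2.77", 22133),
    ("10.0.0.5", "TCP", "203.0.113.9", 1043),    # peer's UDP port 1024 + 19
    ("10.0.0.8", "UDP", "192.0.2.10", 53),
    ("10.0.0.8", "TCP", "192.0.2.10", 443),
    ("10.0.0.8", "TCP", "198.51.100.7", 443),
]

PORT_OFFSET = 19  # TCP exchange port relative to the peer's UDP port (page example)


def summarize_p2p(flows, min_udp_peers=5):
    """Flag hosts whose UDP peer fan-out is wide or that pair a UDP peer with a
    TCP connection to that peer on udp_port + PORT_OFFSET. Returns a dict keyed
    by host; benign P2P clients can trip the fan-out rule, so treat it as a lead."""
    udp = defaultdict(set)   # host -> {(peer, udp_port)}
    tcp = defaultdict(set)   # host -> {(peer, tcp_port)}
    for src, proto, dst, dport in flows:
        if proto == "UDP":
            udp[src].add((dst, dport))
        elif proto == "TCP":
            tcp[src].add((dst, dport))
    findings = {}
    for host, peers in udp.items():
        offset_hits = sorted(
            (peer, port) for peer, port in peers
            if (peer, port + PORT_OFFSET) in tcp[host]
        )
        distinct_ports = len({port for _, port in peers})
        if len(peers) >= min_udp_peers or offset_hits:
            findings[host] = {
                "udp_peers": len(peers),
                "distinct_udp_ports": distinct_ports,
                "port_plus_19": offset_hits,   # strongest single indicator here
            }
    return findings


if __name__ == "__main__":
    for host, info in summarize_p2p(FLOWS).items():
        print(host, info)
```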

Removal and Recovery Steps

Removing Sality infections requires booting into a trusted offline environment to avoid interference from the malware's rootkit components and persistence mechanisms. Users should start by creating a bootable USB with a trusted environment, such as a Linux live distribution like Ubuntu, to isolate the system from the infected OS. Once booted, perform a full antivirus scan using offline tools like ESET SysRescue or Malwarebytes, which can detect and quarantine infected executable files across all drives. For automated assistance, deploy specialized fix tools such as Trend Micro's removal utility, which involves downloading the tool, extracting it to a temporary directory, and executing the batch file to clean the system before rebooting. To handle Sality's persistence, target its embedded components in the registry and file system using comprehensive scanning tools. For earlier variants, delete suspicious DLL files such as wmdrtc32.dll and wmdrtc32.dl_ if present in the %System% directory, but note that recent variants load components in memory without disk writes, requiring memory scanning and termination via tools like Autoruns from Sysinternals. Remove associated registry keys that vary by variant, such as those under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00*\Services\amsint32 or HKEY_CURRENT_USER\Software\Qurdk for specific infections, via regedit.exe or Autoruns to identify and disable malicious startup entries. Additionally, scan for and eliminate infected files on fixed and removable drives to prevent reactivation. After cleanup, re-enable disabled security services, such as Windows Defender, by restoring them through the Services console or registry backups if available. Network cleanup is essential to isolate the infection and prevent reinfection. Disconnect the system from any network shares or the internet immediately to block callbacks, then scan all connected removable media (e.g., USB drives) using the same offline tools to remove any propagated copies.
Monitor outbound traffic post-removal with network monitoring software to detect any residual command-and-control communications, and apply firewall rules to block known Sality domains if identified during scanning. For recovery, severe infections, particularly those involving widespread file corruption, warrant a full system reformat and clean reinstallation of the operating system to ensure complete eradication, followed by immediate updates to all software and antivirus definitions. In less critical cases, restore from clean backups after verification, and enable features like USB autorun blocking and behavior monitoring to prevent future incidents. Recent Sality activity includes a campaign targeting industrial control systems (ICS), where the malware was distributed via legitimate-appearing password-cracking tools for programmable logic controllers (PLCs) from several ICS vendors, exploiting vulnerabilities to inject the malware and expand the botnet. This evolution was linked to the SALTY SPIDER eCrime group, a Russian-based actor operating the Sality botnet, with a major resurgence in 2024 leading to top-tier prevalence in H1 2025 analyses.