
Panda Security has advised users to be on their guard against a potential attack from Sality.AO.
The virus combines the traditional motive of virus writers - notoriety for the creators - with cyber criminals' newer objective of making money from unsuspecting users.
“Sality.AO uses some techniques which haven't been seen for years, such as EPO or Cavity,” says Jeremy Matthews, head of Panda Security's sub-Saharan operations.
“These techniques relate to the way in which the original file is modified in order to infect it, making it more difficult to detect these changes and to disinfect it. EPO allows part of a legitimate file to be run before the infection starts, making it difficult to detect the malware. Cavity involves inserting the virus code in blank spaces within the legitimate file's code, making infected files both more difficult to locate and to disinfect.”
According to Matthews, these techniques are much more complex than those achieved with automatic malware creation tools, which he says have been largely responsible for the increase in the number of threats in circulation recently. “A higher knowledge of malicious code programming and far greater skill is needed.”
He says that, over and above these techniques associated with early malware, the virus contains a series of features associated with new malware trends. These include the ability to connect to IRC channels to receive remote commands, which could potentially turn the infected computer into a zombie.
“Such zombie computers can be used for sending spam, distributing malware and denial-of-service attacks.”
In the same fashion, he says, infections are not limited to executable files, as was the case with old viruses, but also look to propagate across the Internet. To accomplish this, the virus inserts an iFrame into PHP, ASP and .HTML files on the computer.
When any of these files is opened, the browser is redirected, without the user's knowledge, to a malicious page that launches an exploit against the visiting computer in order to download more malware.
Matthews adds that if any of the infected files are posted on a Web page, which these files typically are, any users downloading the files or surfing the Web pages will become infected.
“Panda regards files downloaded through this technique as 'hybrid malware' as it combines the functions of Trojans and viruses,” he explains. The Trojan also has downloader features for downloading other types of malware to the computer.
“The URLs used by this downloader were still not operative at the time of the Panda's analysis, but they could become active as the number of infected computers increases,” concludes Matthews.
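The iFrame injection into local PHP, ASP and HTML files described above is something a web server administrator can check for directly. The following scanner is an added example for this article, not Panda's code or part of its analysis: it walks a web root, flags any iFrame whose src points off-site (optionally excluding a list of trusted hosts) and notes whether the frame is styled to be invisible. The sample files and the `malicious.example` host in the demo are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# File types the article says Sality.AO injects iFrames into.
WEB_SUFFIXES = {".php", ".asp", ".html", ".htm"}

# Any <iframe ...> tag, case-insensitive, attributes in any order.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Signs that the frame is meant to stay invisible to the user.
HIDDEN_RE = re.compile(
    r"""(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)


def suspicious_iframes(text, trusted_hosts=()):
    """Return [(src, hidden), ...] for iFrames whose src points to another host."""
    findings = []
    for tag in IFRAME_RE.finditer(text):
        m = SRC_RE.search(tag.group(0))
        if not m:
            continue
        src = m.group(1)
        host = urlparse(src).hostname  # None for a relative src
        if host is None or host in trusted_hosts:
            continue
        findings.append((src, bool(HIDDEN_RE.search(tag.group(0)))))
    return findings


def scan_tree(root, trusted_hosts=()):
    """Map each web file under root to its off-site iFrames (files with none are omitted)."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_SUFFIXES:
            hits = suspicious_iframes(path.read_text(errors="replace"), trusted_hosts)
            if hits:
                results[path.name] = hits
    return results


if __name__ == "__main__":
    # Constructed demo tree: one clean page, one page carrying an injected hidden frame.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "clean.html").write_text('<iframe src="/embed/video.html"></iframe>')
        Path(root, "index.php").write_text('<?php echo "hi"; ?>\n'
            '<IFRAME SRC="http://malicious.example/go.php" width=0 height=0></IFRAME>')
        for name, hits in scan_tree(root).items():
            print(name, hits)
```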