Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:46 PM
Dark Reading
Dark Reading
Products and Releases

PandaLabs Warns Computer Users of Sality.AO Virus

Virus combines dangerous infection techniques of old viruses with new, financially motivated malware schemes

GLENDALE, Calif., Feb. 18, 2009 " PandaLabs, Panda Security's malware analysis and detection laboratory, discovered a significant increase in the number of computers infected with the Sality.AO virus and is advising computer users to be cautious of this virus. Sality.AO combines the features of traditional viruses (infecting files and damaging as many computers as possible to achieve notoriety for creators) with the objectives of new malware, such as generating financial returns for cyber-criminals. PandaLabs has also discovered new variants of this type of malware.

Sality.AO uses some techniques that have not been seen for years, such as EPO (http://bit.ly/PPvtA) and Cavity (http://bit.ly/HqWUP). EPO and Cavity are far more complex than automatic malware creation tools and require greater skill and knowledge of malicious code programming. These techniques make it more difficult to detect and disinfect due to the complicated modifications to the original file that are done in order to make the infection. EPO allows part of a legitimate file to be run before infection starts, making it difficult to detect the malware. Cavity involves inserting the virus code in blank spaces within the legitimate file's code, making it both more difficult to locate and to disinfect.

In addition to these techniques that have been seen in early malware, Sality.AO includes a series of features associated with new malware schemes. The first feature is its ability to connect to IRC channels to receive remote commands, potentially turning the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware, denial of service attacks, and more.

The second new scheme associated with Sality.AO is that infections are not just restricted to files, as was the case with old viruses, but also look to propagate across the Internet. To this end, it uses an iFrame to infect PHP, ASP and .HTML files on the computer. The result is that when any of these files are run, the browser is redirected, without the user's knowledge, to a malicious page that launches an exploit against a computer in order to download more malware. What's more, if any of the infected files are posted on a Web page, any user downloading the files or visiting the Web pages will become infected. The file downloaded through this technique is what PandaLabs refers to as hybrid malware, as it combines the functions of Trojans and viruses. The Trojan, in addition, has features for downloading other strains of malware to the computer. The URLs used by this downloader were still not operative at the time of the PandaLabs analysis, but they could become active as the number of infected computers increases.

"As we forecasted in our annual report, the distribution of classic malicious code such as viruses will be a major trend in 2009," said Luis Corrons, Technical Director of PandaLabs. "The use of increasingly sophisticated detection technologies like Panda Security's Collective Intelligence, capable of detecting even low-level attacks and the newest malware techniques, will make cyber-crooks turn to old codes that they are adapting to meet new needs. Viruses won't be designed simply to spread or damage computers, as they were 10 years ago, but will be manufactured to hide Trojans or turn computers into zombies."

For more information go to the PandaLabs blog at: http://bit.ly/1pFKj.

About PandaLabs Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented through the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), work 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available in the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-13
The package studio-42/elfinder before 2.1.58 are vulnerable to Remote Code Execution (RCE) via execution of PHP code in a .phar file. NOTE: This only applies if the server parses .phar files as PHP.
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.