Sality.AO uses some techniques that have not been seen for years, such as EPO (http://bit.ly/PPvtA) and Cavity (http://bit.ly/HqWUP). EPO and Cavity are far more complex than automatic malware creation tools and require greater skill and knowledge of malicious code programming. These techniques make it more difficult to detect and disinfect due to the complicated modifications to the original file that are done in order to make the infection. EPO allows part of a legitimate file to be run before infection starts, making it difficult to detect the malware. Cavity involves inserting the virus code in blank spaces within the legitimate file's code, making it both more difficult to locate and to disinfect.
In addition to these techniques that have been seen in early malware, Sality.AO includes a series of features associated with new malware schemes. The first feature is its ability to connect to IRC channels to receive remote commands, potentially turning the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware, denial of service attacks, and more.
The second new scheme associated with Sality.AO is that infections are not just restricted to files, as was the case with old viruses, but also look to propagate across the Internet. To this end, it uses an iFrame to infect PHP, ASP and .HTML files on the computer. The result is that when any of these files are run, the browser is redirected, without the user's knowledge, to a malicious page that launches an exploit against a computer in order to download more malware. What's more, if any of the infected files are posted on a Web page, any user downloading the files or visiting the Web pages will become infected. The file downloaded through this technique is what PandaLabs refers to as hybrid malware, as it combines the functions of Trojans and viruses. The Trojan, in addition, has features for downloading other strains of malware to the computer. The URLs used by this downloader were still not operative at the time of the PandaLabs analysis, but they could become active as the number of infected computers increases.
"As we forecasted in our annual report, the distribution of classic malicious code such as viruses will be a major trend in 2009," said Luis Corrons, Technical Director of PandaLabs. "The use of increasingly sophisticated detection technologies like Panda Security's Collective Intelligence, capable of detecting even low-level attacks and the newest malware techniques, will make cyber-crooks turn to old codes that they are adapting to meet new needs. Viruses won't be designed simply to spread or damage computers, as they were 10 years ago, but will be manufactured to hide Trojans or turn computers into zombies."
For more information go to the PandaLabs blog at: http://bit.ly/1pFKj.
About PandaLabs Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented through the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc), work 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available in the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.