Another new variant of Sality was reported on Saturday. As with previous versions of Sality (such as Sality.R), this one is also a polymorphic EPO (entry-point obscuring) virus that replaces the entry-point code of the original file. The main virus body is appended to the end of the original file and the section header is modified accordingly: the section is made writable and executable, and its size is adjusted.
The offset of the virus code is calculated inside the code patched in at the control point. This code is mixed with a lot of junk instructions. Once the offset is calculated, a PUSH/RET pair or a JMP instruction transfers control to that offset. The initial bytes at this offset contain a loop that decrypts the rest of the bytes; the loop code is likewise obfuscated with garbage instructions. Once the code is decrypted, control is passed to the decrypted code with a RET instruction. The original bytes from the control point are found within this decrypted code.
The new variant of Sality uses several threads to carry out its different functions. One thread keeps infecting files. Another moves the original code back to the control point and passes control to it, so that the host program executes as it originally would.
The new variant of Sality uses a modified 64-bit-block Feistel network with a 32-bit key and 64 (0x3F) iterations for decryption. Each iteration decrypts 64 bits. To decrypt the first half of a 64-bit block, it uses a key derived from the second half, and vice versa. The virus decrypts 0xFEE2 bytes using this algorithm.
To derive the key from the 32-bit data, it performs a series of complex operations.
It then adds the current iteration count to this value, and once 0x3F iterations are complete, it also adds the number of bytes already decrypted to the key.
Once the key is generated, the data is decrypted with a subtract operation. Quick Heal detects this variant as W32.Sality.U.
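The decryption structure described above, as an added illustration written for this post (it is not Sality's own routine and not the analysts' code). derive_key() is a placeholder for the key derivation the post describes only as "complex operations"; the order in which the two halves are processed and the way the decrypted-byte count is folded into the key are assumptions. encrypt() is the inverse transform, included only so the model can be checked on constructed data.

```python
import struct

MASK32 = 0xFFFFFFFF
ITERATIONS = 0x3F  # iterations completed before the byte count is folded into the key


def derive_key(half: int) -> int:
    """Placeholder for the 'complex operations' the post does not detail (assumed)."""
    return ((half * 0x9E3779B1) ^ (half >> 13)) & MASK32


def _round_key(other_half: int, it: int, done_at_boundary: int) -> int:
    # Key for one half = derivation from the other half + iteration count
    # + bytes already decrypted at the last 0x3F-iteration boundary.
    return (derive_key(other_half) + it + done_at_boundary) & MASK32


def _walk(data: bytes, step):
    """Apply `step` to each 64-bit block while tracking the iteration and byte counters."""
    out = bytearray()
    it = boundary = done = 0
    for off in range(0, len(data) - len(data) % 8, 8):
        a, b = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *step(a, b, it, boundary))
        done += 8
        it += 1
        if it == ITERATIONS:        # after 0x3F iterations: reset counter, fold in byte count
            it, boundary = 0, done
    return bytes(out) + data[len(out):]   # a trailing partial block is left as is


def decrypt(data: bytes) -> bytes:
    def step(a, b, it, boundary):
        a = (a - _round_key(b, it, boundary)) & MASK32   # first half: key from the still-encrypted second half
        b = (b - _round_key(a, it, boundary)) & MASK32   # second half: key from the decrypted first half
        return a, b
    return _walk(data, step)


def encrypt(data: bytes) -> bytes:
    """Inverse of decrypt(), included only so the decryptor can be verified on sample data."""
    def step(a, b, it, boundary):
        b = (b + _round_key(a, it, boundary)) & MASK32   # undo in reverse order
        a = (a + _round_key(b, it, boundary)) & MASK32
        return a, b
    return _walk(data, step)
```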
Thanks to Omkar, Jithin and Rajesh for the analysis and writeup.