RSA Admin

Sality Botnet Beacons Change- How to Detect It

Blog Post created by RSA Admin Employee on May 9, 2014

We previously wrote about how to detect the Sality Botnet a little over a year ago here.  The beaconing has changed a slight bit and there are additional filenames referenced, but the pattern is still pretty much the same, however, now the user-agent string no longer advertises that it is part of the sality/kuku botnet.

 

Here are some screenshots to see what this traffic looks like in Security Analytics:

 

842108421184212

In our previous post, the query length was 12.  Now it is 13.  Also, we noticed that no referer string exists, so the new detection rule, to be added to the previous published rules, would be:

filename=logo.gif, button.gif, logos.gif, main.gif && query length 13 && referer !exists

Name your rule Sality 2014 Botnet Beacon Detection and alert it to your risk.warning or other preferred alert key.

 

One other tidbit about this threat- once infected, a host has the Sality virus appended to just about all of the internal EXE and SCR filenames, especially the digitally signed ones.  Then these new malware variants, which now have a digital signature, get uploaded to the Internet to spread elsewhere.  Using this method, Sality is able to constantly change it's MD5 hash values to evade hash-based detection.  And because the new variants are signed, many older systems will not have much of an issue installing them.  However, the Anti-Virus industry does a great job at detecting Sality-infected files.

 

A PCAP of an infected host is attached to this post for testing the new rule and for demonstration purposes to see how an infected host behaves.  A VirusTotal link that shows the infector file used for the PCAP is here.  You may notice that it is only a few days old, but detection is pretty good.  And the listed domains above have also been added to the known Command and Control feed provided by FirstWatch.

 

As always, Good Luck and Happy Hunting!

Attachments

Outcomes