
Friday, August 27, 2010

Camouflage Viruses

You may not have heard about camouflage viruses. That is because they never became a threat, thanks to the evolution of advanced antivirus scanners. Camouflage viruses are viruses capable of infecting a computer by making themselves appear to the installed antivirus software as a harmless application. In less sophisticated antivirus software, scanning is performed by checking files for virus signatures. In such cases there is a possibility (a statistical probability) that a non-infected file contains code similar to the virus code, and the user will be notified of a virus-infected file: a false alarm. This may frighten the user. To avoid this problem, antivirus software implements logic to ignore a virus signature and not issue an alarm under the right circumstances.
Even though this logic reduces the chance of a false alarm, it opened a door for virus creators to attempt to camouflage their viruses: include the specific characteristics the antivirus software was checking for, and thus have the antivirus program ignore that particular virus. Fortunately, camouflage viruses never became a serious threat, but the possibility existed.
Today, antivirus scanners are more advanced and do much more than simply look for a virus signature string. In order to identify the specific virus variant, they not only check for the virus signature but also checksum the virus code to identify it. Because of these cross-checks in the antivirus scanner, it would be very difficult for a virus to camouflage itself and spoof the scanner.
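The difference between a signature-only scanner and one that cross-checks a checksum of the matched code, as an added Python example (not code from the original post or from any antivirus product). The byte pattern, the "Demo.Virus.A" name and both sample files are constructed placeholders, not real malware data; the checksum in the signature database is computed from the constructed sample the way an analyst would derive it from an analysed specimen.

```python
import hashlib

# Everything below is constructed demo data; the pattern is not a real malware signature.
PATTERN = b"\xde\xad\xbe\xef\xca\xfe\x01"   # the "signature string" a simple scanner looks for
REGION_LEN = 24                               # bytes of code the cross-check hashes, starting at the match

# Stand-in for the analysed virus sample: a header, the pattern, then filler for the rest of its code.
VIRAL_SAMPLE = (b"MZ" + b"\x00" * 30 + PATTERN
                + bytes(range(0x40, 0x40 + REGION_LEN - len(PATTERN))) + b"\x00" * 40)
# Stand-in for a clean program that happens to contain the same seven bytes but different code after them.
BENIGN_FILE = (b"MZ" + b"\x00" * 30 + PATTERN
               + b"\x90" * (REGION_LEN - len(PATTERN)) + b"\x00" * 40)


def region_checksum(data: bytes, offset: int) -> str:
    """SHA-256 of the REGION_LEN bytes starting at offset (the 'checksum the virus code' step)."""
    return hashlib.sha256(data[offset:offset + REGION_LEN]).hexdigest()


# Signature database entry built from the analysed sample: the pattern plus a checksum of the code around it.
SIGNATURES = {
    "Demo.Virus.A": {
        "pattern": PATTERN,
        "checksum": region_checksum(VIRAL_SAMPLE, VIRAL_SAMPLE.find(PATTERN)),
    },
}


def scan_signature_only(data: bytes) -> list:
    """Less sophisticated scanner: any file containing the pattern is reported as infected."""
    return [name for name, sig in SIGNATURES.items() if sig["pattern"] in data]


def scan_with_checksum(data: bytes) -> list:
    """Scanner with the cross-check: the pattern must match AND the code region around it
    must checksum to the analysed sample, so a coincidental byte match is not reported."""
    hits = []
    for name, sig in SIGNATURES.items():
        offset = data.find(sig["pattern"])
        while offset != -1:
            if region_checksum(data, offset) == sig["checksum"]:
                hits.append(name)
                break
            offset = data.find(sig["pattern"], offset + 1)
    return hits


if __name__ == "__main__":
    for label, blob in (("viral sample", VIRAL_SAMPLE), ("benign file", BENIGN_FILE)):
        print(f"{label}: signature-only={scan_signature_only(blob)} "
              f"with-checksum={scan_with_checksum(blob)}")
```

Run as a script, the signature-only scanner reports both files (the benign one is the false alarm the post describes), while the checksum cross-check reports only the viral sample. The same cross-check is what makes the camouflage trick hard: a file that merely carries the bytes the scanner looks for does not also reproduce the checksum of the real viral code.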


Sality Virus : Know more?

I noticed that most of the visitors to my blog are searching for remedies for infection by the Sality virus. I have already put a brief post on Sality virus at Now I think more information must be provided in order to satisfy the visitors. Sality is also known as W32/Kookoo-A [Sophos]. Sality was discovered on 4 June 2003. It affects the following operating systems: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000.

It infects executable files on local, removable and remote shared drives. The virus also creates a peer-to-peer (P2P) botnet and receives URLs of additional files to download. It then attempts to disable security software. When it infected my system, it disabled my antivirus software (BitDefender Free Edition) and antimalware software (MalwareBytes Free Edition). It also prevented the use of the anti-rootkit software Rootkit Revealer.
Some forms of the Sality virus are reported to steal keystrokes from infected machines for malicious purposes. W32.Sality infects executable files on local, removable and remote shared drives. It replaces the original host code at the entry point of the executable to redirect execution to the polymorphic viral code, which has been encrypted and inserted in the last section of the host file. In addition to infecting local and remotely shared executable files, W32.Sality purposely searches for specific registry subkeys to infect the executable files that run when Windows starts. Thus an infected computer is like a country under the rule of terrorists: all security is paralysed, leading to a complete breakdown of the system. Sality also prevents the installation of antivirus software on the infected computer.
In 2003, when it was first discovered, W32.Sality was a less complicated file infector, prepending its viral code to a host file and having back door capability and keylogging functionality. As years passed, it became more sophisticated by including additional features that aid worm-like propagation, ensure its survival, and perform maliciously damaging activities. Among these activities is the decentralized peer-to-peer (P2P) network that W32.Sality-infected computers create and populate.
As an entry-point obscuring (EPO) polymorphic file infector, the virus gains control of the host body by overwriting the file's initial instructions with complex and encrypted code. The goal of the complex code is to make analysis more difficult, so that researchers cannot easily see the real purpose and functionality implemented in the code. It spreads by infecting executable files on local, removable and remote shared drives. Infected files have their original, initial instructions overwritten by complex code instructions, with the encrypted viral code body located in the last section of the file.
Downloading and executing other malware or security risks is one of the primary goals of this virus. A compromised host carries with it a list of HTTP URLs that point to resources to be downloaded, decrypted, and executed. These URLs can also point to more URLs. The encryption used is RC4 with static keys embedded in the compromised host.

Technical Details:

In addition to infecting local and remotely shared executable files, W32.Sality will purposely search for the following registry subkeys to infect the executables associated with that subkey, including those executables that run when Windows starts:

Files Created:
%System%\drivers\[RANDOM FILE NAME]

Registry Subkeys Created:

Registry entries deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Registry entries modified (final values given):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
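A defender-side check for the three modified registry values listed above, as an added Python example that is not part of the original post or of any vendor write-up. It parses a .reg export (so it can be run offline against an export taken from a suspect machine) and reports a firewall exception carrying the "ipsec" label with the program path as its own value name, GlobalUserOffline forced to 0, and EnableLUA set to 0. The export text, the demo.exe and infected.exe paths, and the function names are constructed for illustration; the key name "Internet Settings" is the standard Windows key.

```python
import re
import sys

# Constructed excerpt of a .reg export; not taken from a real infected machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Demo\\demo.exe"="C:\\Program Files\\Demo\\demo.exe:*:Enabled:Demo Application"
"C:\\Windows\\system32\\infected.exe"="C:\\Windows\\system32\\infected.exe:*:Enabled:ipsec"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
'''

FIREWALL_LIST = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
                 r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SYSTEM_POLICIES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

# "name"=data, where the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo the .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: data}}.
    Only string ("...") and dword: data are decoded; other types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[len("dword:"):], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            data = _unescape(raw[1:-1])
        else:
            data = raw
        keys[current][name] = data
    return keys


def find_sality_indicators(reg: dict) -> list:
    """Return human-readable findings for the final values listed in the write-up."""
    findings = []
    # Firewall exception whose value name is the program path and whose data carries the "ipsec" label.
    for name, data in reg.get(FIREWALL_LIST, {}).items():
        if isinstance(data, str) and data == f"{name}:*:Enabled:ipsec":
            findings.append(f"firewall exception with 'ipsec' label for {name}")
    # str() normalises both dword 0 and the string "0" to the value given in the listing.
    if str(reg.get(INTERNET_SETTINGS, {}).get("GlobalUserOffline")) == "0":
        findings.append("GlobalUserOffline forced to 0")
    if str(reg.get(SYSTEM_POLICIES, {}).get("EnableLUA")) == "0":
        findings.append("EnableLUA set to 0 (UAC disabled)")
    return findings


if __name__ == "__main__":
    # Usage: python check_sality_reg.py [export.reg]; without an argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    for finding in find_sality_indicators(parse_reg_export(text)) or ["no indicators found"]:
        print(finding)
```

A hit on the firewall entry is the strongest of the three, since it names the infected file directly; EnableLUA and GlobalUserOffline can be 0 for legitimate reasons, so treat them as corroborating signals rather than proof. Real exports written by regedit are UTF-16, which is why the script opens a file argument with that encoding.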

Process Injected:

W32.Sality will not inject into processes that belong to the system, the local service or the network service. However, it does inject complex code instructions into other processes, allowing the code to load external DLLs that are downloaded from remote servers into the target processes. The virus uses a named mutex based on the injected process ID (PID) for each injection so that it avoids repeatedly injecting code into the same process.


Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.

Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.

Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.

Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access to folders that must be shared only to user accounts with strong passwords.

Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.

If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.

Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.

Configure your email server to block or remove email that contains file attachments of the types commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.

Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.

Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.


Since it is hard to install antivirus software on an infected system, it is better to remove the virus by scanning the infected computer from another computer with antivirus software capable of detecting and removing Sality. Otherwise you may try manual removal, which is not recommended.


Thursday, August 12, 2010


You may have heard the term "patches" several times while using a computer, but many people don't know what a patch is. So let us see what a patch is.
Today there are hundreds, perhaps thousands, of companies that produce software for different purposes. This software is created by talented people according to the specifications given by the customer or the standards set by the firm. If the software is very large or has a lot of functions, it is generally developed by a group of software engineers working as a team. After the software is built, it has to be tested for stability and vulnerabilities before being handed over to the customer, and there is a set of tools for software testing. During testing several bugs are found and rectified. After passing testing, the software is declared ready for use.
You know, "to err is human". Likewise, everything made by humans will have a certain quantity of error in it. The same is true of software testing. Software that successfully passes testing need not be free from vulnerabilities and bugs; in most cases there will be bugs. In the case of important software such as that used in banks and financial organisations, the software is tested several times, sometimes on sample populations, to ensure that it is free from bugs.
If a bug or vulnerability is found in software after it has been given to the customer for use, the software manufacturer releases a patch for that software. The goal of the patch is to ensure the correct functioning of the software and to ensure that it is not vulnerable to viruses. A software patch is applied to a specific program to correct an error in function, whereas an antivirus patch might seek to correct specific vulnerabilities linked to the functioning of one particular virus. A security patch, on the other hand, might be designed to strengthen aspects of a machine's connection to a network or to the Internet to guard against incursions into the system from outside sources.
Service packs are groupings of other patches, usually too numerous or complex to be installed one at a time. Usually service packs are directed at repairing known issues in a larger software environment such as an operating system. Microsoft releases several patches for its operating systems, and these patches are installed during Windows Update. If you are using a Windows operating system, install the latest patches from Microsoft to make your system more secure against vulnerabilities and software attacks.
