It’s been an interesting couple of days, by which I mean bad. After almost ten years of working as a technician including for both the University of Wisconsin and now here in Amman, I was (almost) beaten down by a virus. A particularly nasty one.
When I taught my class, I would always teach my students about one virus in particular, the one named after a particularly nasty nuclear reactor explosion, the W32/Chernobyl virus which could actually eat into your computer’s BIOS and then tell it to overwrite itself into blankness. Unless you happened to have a BIOS flash programmer and the wherewithal to undo the solder joints holding the BIOS chip in place…this usually meant a completely fried motherboard, resulting in a new purchase. How many other viruses have you heard of that can actually physically damage computers? Not too many.
The one that has now merrily written itself all over my laptop’s hard drive is called the W32/Sality, variant AQ or AN, depending on which vendor you ask (in fact, it may even be something entirely new, which I’ll get to later). The Sality is one of the infamous types known as “Patching Viruses,” and their methods of spreading and eluding deletion are diabolical. Basically, a patching virus does exactly what it sounds like. When you hear of someone “patching” their own computer, it usually means with updates, like Windows Update, which overwrites or updates program and system files with newer, better versions. Sality does the same, except replace “better” with “evil.” It is able to actually insert its own viral code into a program’s .EXE file, which is how 99% of standard Windows applications start themselves up. Does this sound familiar? Once the program, any program’s .EXE file is affected, like Firefox.exe or Mspaint.exe, the sality writes itself into the last section of the .EXE file’s code and runs itself whenever that .EXE is run. Since almost every application, including antivirus systems, on a Windows computer is made of EXE files, this can be a problem.
To put it bluntly, there is 100% no way to remove this virus from within Windows. It’s impossible. Every time you try to scan it, it will merely eat your scanner and turn it into an infected virus-loader. The only possible chance to fight it is to use a program which can “disinfect” these viruses, but it has to be outside of the normal Windows operating system, preferably in a Linux boot CD that is immune to .EXE harvesting. I’ve always generically titled these systems “Alternative Boot Environments” or A.B.E. – or just ABE, for short (patent pending). Dr Web’s cleaner boot CD is particularly good ABE for evading .EXE patching. You have to be careful not to use a ham-fisted antivirus program that merely deletes everything it finds as a virus, because that would now mean deleting every program on your computer and somewhere a virus-writer would cackle with glee.
So how did this happen to a guy like me, with a decade of experience in the field? Well, I’ll be completely honest and tell you that I haven’t used antivirus programs in years on my personal computers, desktops or laptops. Don’t get me wrong; in my years at DoIT in Madison and working as a consultant, I have always been extremely diligent in making sure that computers are protected. But I always figured that antivirus programs are for people who make bad decisions and let their computers get infected.
And guess what? I’m still right…that’s exactly who they’re for. But this virus, Sality, outsmarted me for a split-second and that was all it took. I was down in Ayn al Basha doing some work on some photos for the Entity Green Training website with Lillie. I had made a shared folder on my laptop for her, named “Lillie” and we were passing around photos that needed to be re-sized for web use. I noticed a strange folder on my computer I didn’t remember making there, and figured that since she had write access to my computer’s shared folders, she had just made it. I didn’t notice until a second after I double-clicked it that the folder “icon” was a pixelated application icon, shaped like a Windows folder, and even more foolishly, that it was named Lillie.exe…not “Lillie” like a folder should be. I’m lucky that I had the “show file extensions” enabled on my computer – I still think that Microsoft disabling those by default is the dumbest thing in their history as software writers – otherwise, there would have been almost no way to visibly recognize this as a virus. It would have merely said “Lillie” and looked like a folder.
Seconds after I double-clicked that fateful file, my computer immediately betrayed signs that it was going into action. The hard drive spun up over my knee, the CPU usage shot up, and everything briefly slowed. Before I even drew my next breath I knew what I’d done and probably filled the air with a few expletives. It was too late by now, of course. The Sality had taken my computer, and now it was going to be a fight to the death, between the virus and my operating system. As many as 5/6 Sality infections result in the user or technician giving up and reformatting the computer. Literally, this was going to be a fight to the death – either I’d remove the virus, or the operating system would be erased to take it out.
Let’s go over the symptoms that have made me respect this fearful beast below:
- Deletion of Safe Mode: As any technician knows, safe mode is the first tool against a virus; a safe(r) haven against auto-loading .exe files and lesser programs. The first thing Sality did was delete the following registry entries: HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot and HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot. These two keys control the computer’s ability to use safe mode, and with those deleted, my computer promptly blue screened with the generic 0x0000007B error whenever I tried to restart and get into safe mode.
Resolution: utilizing the system.bak registry backups in an ABE to find the safeboot keys specific to Windows XP service pack 3 in the Dr. Web external operating system, and then exporting/reloading them into the main registry files again. - IP filterdriver Monitoring and Filtering: Of course, one of the first thing any user would do after infecting themselves is search the internet for how to fix everything. Sality’s got you covered there; it injects itself into the “ipfilterdriver” service and then actively scans IP traffic from all network connections, searching for any keywords of itself or antivirus tools. If you search any search engine or try to load any page that contains these keywords, Sality knows. It doesn’t block them outright, merely causing “page loading” messages to last forever.
NOTE: This is much different then the old-fashioned virus trick from the early 21st century; filling your HOSTS file with antivirus websites linked to loopback address 127.0.0.1 – that’s child’s play to fix compared with this.
Resolution: as before, getting the backup copy of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\IPFilterDriver\Parameters registry key and then reloading it into the primary registry. Needless to say, we all might be a lot more screwed if later revisions of Sality are able to corrupt the .bak files that contain the backup registry hives. - Masking by “Admin” takeover: Like many modern viruses, the second thing that Sality did was try to (poorly) disguise that it had infected me. It does this by exploiting the registry yet again in the form of normal Administrator authority blocking keys, deactivating the all-important Task Manager, Registry, Folder Options, and the ability to view hidden/secret files (the latter being very related to the autorun files, which I’m mentioning next).
Resolution: This one is easy to take care of if you have an ABE to work with. All the ways to remove those simple registry-key blocks are well-documented. Sometimes you can use the DOS-based “reg.exe” instead of regedit and batch files to fix this, but when you’re dealing with a Patcher, the inescapable fact that it’s reg dot EXE obviously isn’t going to help you too much in the long run. - Disk Replication: This one isn’t so special, but of course worth nothing. Like most modern viruses, Sality takes advantage of the fact that everyone uses USB flash drives these days to transfer files…often between multiple computers. Sality also knows that any executable program on a CD-ROM or flash drive that is linked to by a file called “autorun.ini” on the root of the drive will automatically be run by your computer, therefore silently and quickly installing itself onto any computer that USB flash drive is plugged into. Sounds like a really stupid security breach, doesn’t it? Guess what, Microsoft packaged it as a feature and this is still not disabled in XP’s third service pack. For God’s sake people, disable Autorun on your computers. At Whitman, I’ve seen minor virus infections decrease by 87% since I initiated a mass Autorun deactivation last spring. Update: If the United States Government says to disable, you must not resist.
Resolution: In Linux or in ABEs, nothing is hidden, no matter what fake Windows Administors have put into my registry. I had an Ubuntu disk with me, and was able to verify that sure enough, Sality had helpfully added a few hidden and automatically-running virus files to my flash drive I was using at the time. My own computer has had Autorun disabled for years, so I couldn’t get reinfected from that, but unfortunately, Autorun disabling is still not the norm. - Network Replication: this is almost certainly how I got infected with the original Lillie.exe file. When it takes over, the third thing Sality does is search for every folder that your computer has listed as a public, network-accessible “shared” folder. Then it reads the name of each folder, and puts a copy of itself in each folder with that same name and an icon in the shape of a Windows XP folder. On an infected computer, Sality then waits for computers with publicly-writable shared folders to connect to the same network, and then does the same thing. I’m positive that’s how I got Sality in the first place; on any of the numerous networks I work on or coffee shops I’m at, any previously-infected laptop could have spawned Sality onto my computer, where it then lay dormant in my shared folders, waiting for my single moment of distraction to strike and cause all this havoc.
Resolution: Easiest one of the bunch; after Sality was finally removed, went through my network shares and removed all the bad .EXE files.
Remember how I said earlier that this is possibly an entirely new version of Sality? I say that because besides carrying out the documented attacks written above, something new and very troubling happened. When I came to work at Whitman this morning, the secretary told me that her AVG auto-block was throwing a warning whenever she visited the school’s website, whitmanacademy.org. I checked her logs; it was an HTML/iFrame takeover. AVG did its job, though, and successfully shut down the infected website’s attempt to secretly launch her to the hidden websites. I didn’t verify exactly what would happen if she had gone there for obvious reasons, but upon downloading the wordpress index.php file for Whitman’s website, I determined that sure enough, it had been infected with two auto-loading iFrames.
Here’s the scary part. Then I visited Entity Green’s website, and then this one, HeiseHeise.com. AVG in the school’s computer lab blocked both of them, with the exact same errors and iFrames to the exact same bad websites. I checked the logs from 1and1, the web host for all three websites. At approximately 10:30 the night before, all three index.php files were overwritten at the same time to the infected version.
I’ve never heard of this happening before, but here’s my theory. My FTP program, FileZilla, is very widely used, and it’s probably attracted several virus writers out there. Of course, like everything else, it’s an .EXE – Filezilla.exe. I would not be surprised if the virus had been programmed to automatically load itself into Filezilla, automatically connected to all stored FTP websites, and patch these iFrame codes into the end of each site’s index.php file.
Needless to say, I have no idea if those FTP passwords are now in the hands of the virus writers, but of course they’ve since been changed. What’s more worrisome is that a virus could even do that. Unlike everything else written above which I’ve lifted from elsewhere on the ‘net, I’ve found no known link between current variants of Sality and iFrame hijacking.
So what have I learned?
Don’t use Windows XP anymore. As I mentioned in section 5, I picked up this hitchhiker through unguarded shared folders. Windows XP only has one switch for folders: sharing is either on or off. In Vista, Microsoft introduced “network types” that are either Work, Home, or Public. Anyone who has used Vista knows the (somewhat annoying) trait of the operating system to bug you within seconds of connecting to a new wireless location – “Do you want to make this a Work, Home, or Public network location?” Guess what – that’s an important setting, because if you choose “Public” (or cancel the dialog box) then it automatically locks down every shared folder on your computer as “no write-to permitted.” On a more annoying note, non-Microsoft verified .EXE files (like Lillie.exe obviously was) are double-confirmed by Vista before they are executed, which would have given me that precious “second glance” that would have saved me. If I had been using Vista or the drool-worthy new Windows 7, this never would have occurred. So…even though I’ve fixed the problem and my computer is no longer infected, it’s still time to wave a second farewell to Windows XP (I’ve said that before) and move to the latest and greatest.
Will I run an antivirus program? With some teeth-gritting…yes. I’ll have to start doing comparisons between the different options out there, but the whole reason I stopped (my arrogance aside) is because AV programs are system crushers. Norton in particular has been long-infamous for stretching its tendrils into every part of your computer and although it does a great job of keeping your computer safe, I wouldn’t use it, or most other AV products out there just because of the speed hit your computer takes. There has always been the choice between speed and security, no matter what – and I had just picked speed until now. Perhaps I’ll give the Comodo Suite a look, provided its free, lightweight, and speedy. A final note: Mac users, you made your own unconscious choice by picking an operating system that, while secure, doesn’t support standard programming APIs like DirectX and therefore is useless for speed-gaming purposes. You’re secure, sure – but useless for my needs and wishes. So don’t bother giving me that argument.
So there you go. My observations on battle with the W32/Sality virus, variant…well, possibly new/unknown. Maybe this will help someone out there; I can only hope so. This Youtube video, while long, was definitely helpful to get me started with the always-updated Dr. Web program, which really is an excellent virus-fighting ABE.
Good luck out there, soldier.
[…] Wrestling with W32/Sality
[…] Wrestling with W32/Sality
I enjoy reading your blog, although this one was a real bummer.
You said:
“A final note: Mac users, you made your own unconscious choice by picking an operating system that, while secure, doesn
Ha ha, true – touch
Nowadays, it really is all about preference.
How awful! And I thought I had problems with my PCs when I was in undergrad. Well, there was the one time the hard drive crashed….or did that happen more than once? ^_^
I do seem to recall working with you a few times on it to replace something or another, on several different computers that joined you on your academic journey! 😀
[…] Wrestling with W32/Sality