Sality.AO is a virus that combines the features of traditional viruses (infecting files and damaging as many computers as possible to achieve notoriety for creators) with the objectives of new malware, i.e. generating financial returns for cyber-criminals.
Sality.AO uses some techniques which haven’t been seen for years, such as EPO or Cavity. These techniques relate to the way in which the original file is modified in order to infect it, making it more difficult to detect these changes and to disinfect it. EPO allows part of a legitimate file to be run before infection starts, making it difficult to detect the malware. Cavity involves inserting the virus code in blank spaces within the legitimate file’s code, making it both more difficult to locate and to disinfect infected files.
These techniques are far more complex than those that can be achieved with automatic malware creation tools, which have been responsible for much of the increase in the number of threats in circulation recently. They require much greater skill and knowledge of malicious code programming.
In addition to these techniques related with early malware, Sality.AO includes a series of features associated with new malware trends, such as the possibility to connect to IRC channels to receive remote commands, potentially turning the infected computer into a zombie. Such zombie computers can be used for sending spam, distributing malware, denial of service attacks, etc.
Similarly, infections are not just restricted to files, as was the case with old viruses, but also look to propagate across the Internet, in line with new trends. To this end, it uses an iFrame to infect PHP, ASP and .HTML files on the computer. The result is that when any of these files are run the browser is redirected, without the user’s knowledge, to a malicious page that launches an exploit against a computer in order to download more malware.
But that is not all. If any of the infected files are posted on a Web page -and bear in mind these file types are typically uploaded to the Web-, any users downloading the files or visiting the Web pages will become infected.