Do-it-yourself Plan to Take Down Sality Botnet Outlined on Public Mailing List

A method that anyone can use to hijack a massive multipurpose botnet called Sality was described in detail on a public mailing list on Tuesday.

Sality is a file-infecting virus that has been around for more than nine years. More than 100,000 computers are infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities.

An individual using the moniker "A Law Abiding Citizen" described how the Sality botnet can be destroyed or hijacked in an email sent to the Full Disclosure mailing list that was sarcastically titled "Please do not take down the Sality botnet."

The email's author linked to a Python script that can be used to determine the update URLs queried by the botnet and suggested that a Sality removal utility developed by antivirus firm AVG could be hosted on one of them to be downloaded and executed by the infected computers.

Sality updates are usually hosted on compromised websites, so in order to replace them with the removal utility, someone would have to hack into those websites, like the Sality creators did, or persuade their owners to willingly host the tool.

Technically speaking, there is a chance that the plan may work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet is instructed to do something, said Vikram Thakur, principal manager at Symantec Security Response.

Furthermore, forcing the botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people's computers without their authorization. "Legally and ethically speaking, the takedown plan is a definite 'no,'" Thakur said.

Therefore, the public availability of these takedown instructions is more likely to help other cybercriminals who wish to hijack the botnet rather than legitimate security researchers interested in disabling it.

Cybercriminals are probably already trying to use the information in the email to their advantage, Thakur said. However, Symantec hasn't seen any changes in the botnet since the takedown plan was posted online.

There's one step required for the plan to work that hasn't been fully revealed by the email's author: In order for the botnet clients to actually download and execute updates, the files need to be encrypted in a certain way.

"I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out," the anonymous poster said.

However, he promised to release more details about Sality if and when the botnet is shut down. "It is unfortunate that I am unable to do so now due to these legal issues, but, as I'm sure you all know, it is more important to respect the law than to fix anything," he said in a sarcastic note.

Subscribe to the Security Watch Newsletter

Comments