In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. A significant increase in PE_SALITY.BA cases was particularly spotted in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was also spotted at around the same time.
File infectors are not a new threat nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. In addition, these attacks are growing in sophistication as well.
According to TrendLabs’ Escalation Team, previous versions of SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, making analysis a simpler affair by looking at sections of the file that have only zeroes as shown in Figure 1.
However, PE_SALITY.BA has increased the complexity of its encryption routine. Analysis thus became more complicated than before. The results can be seen in the code sample shown in Figure 2.
It should also be noted that PE_SALITY.BA, like other previous SALITY variants, goes beyond merely infecting files. Not only does it disable antivirus services, it also turns off alerts that Windows normally displays if no security software currently runs on the system. It also spreads via removable drives like worms. Taken together, PE_SALITY.BA is just as destructive, if not more so, as many other more well-known malware threats.
As for PE_VIRUX.R, the most noteworthy change in its behavior is the fact that it now adds a null last section to the files it infects as shown in Figure 3.
While this does not affect the file infector’s behavior, it does complicate the routines security companies use to clean infected files.
The routines seen in PE_SALITY.BA and PE_VIRUX.R highlight the fact that all malware threats are growing in sophistication, not just more well-known threats like KOOBFACE and FAKEAV. Enterprise users should be particularly on guard, as file infectors tend to hit large companies disproportionately.
Trend Micro™ Smart Protection Network™ protects users from file infectors by detecting and preventing the download and execution of malicious files (e.g., PE_SALITY.BA and PE_VIRUX.R) on systems.