Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Please do not take down the Sality botnet
From: Jason Hellenthal <jhellenthal () dataix net>
Date: Tue, 27 Mar 2012 11:52:45 -0400


LoL its a good thing that Hush.com is also law abiding... 

On Tue, Mar 27, 2012 at 03:19:22AM +0000, lawabidingcitizen () mac hush com wrote:
Hi all,

I've spent some time over the last few days getting to know the Sality
botnet, which is estimated to have at least one million peers. It was
ranked by Symantec as the number one malicious code family in 2010 by
number of endpoint detections, and has been used to push spam, steal
passwords, crack SIP accounts, and various other nasty things.

It has come to my attention that it is not only possible but easy to
seize control of version three of the botnet, and, more importantly,
take it down. Sadly, doing so would require breaking the law. For this
reason, I have to request that nobody perform the steps I am about
describe. You can find all the files mentioned below in this archive
(password: sality):
http://www7.zippyshare.com/d/65744138/9360/byesality.zip

Firstly, you should *not* use SQL injection to exploit this site:
http://www.capesolution.com/login/login.aspx . Furthermore, you should
*not* upload an encrypted version of the AVG Sality removal utility to
/images/logo/logof.jpeg . Finally, you should *under no circumstance*
laugh maniacally as you watch a sizable botnet disintegrate before
your eyes.

Although it shouldn't matter to anyone, this URL won't stay active for
long. When the authors of Sality remove this particular URL, or if
that SQL injection turns out to be difficult to leverage, you should
definitely *not* try to replace one of these files:
http://yaylaozu.com/images/logo.gif,
http://destekegitim.com/images/logo.gif,
http://dav14gurgaon.org/images/logo.gif,
http://dersrehberi.com/images/logo.gif,
http://cisse.com.tr/images/logo.gif,
http://cbe.com.vn/images/logo.gif. You should also *never* use the
provided Python script to get an updated list of targets from the P2P
network.

Obviously this could be misused by unscrupulous individuals. For this
reason, I am not providing details on how to create a properly
encrypted executable, although I imagine some either already know or
will quickly figure it out. The payload is not malicious, but you
don't have to take my word for it. One can check it out in a VM via
the provided Sality sample by simply using fakedns and thttpd to serve
up the file to the virus, or by running/unpacking the provided
original.

Thanks for taking the time to read this. I might release more notes on
various other pieces of Sality fun if and when the botnet is shut
down, but alas, this day may never come. It is unfortunate that I am
unable to do so now due to these legal issues, but, as I'm sure you
all know, it is more important to respect the law than to fix
anything.

Sincerely,
A Law Abiding Citizen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


-- 
;s =;

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault