Spike in File Infectors Highlights Continuing Threat
- Wednesday, March 31, 2010, 4:10
- Threat Research
In the past week, TrendLabs noticed a significant growth in the number of file infectors in the wild, particularly in Latin America. In particular, a significant increase in PE_SALITY.BA cases was seen in the region. A rise in VIRUX variants, particularly PE_VIRUX.R, was spotted at around the same time.
File infectors are not a new threat, nor do they have the notoriety of much-talked-about threats like ZBOT, KOOBFACE, and FAKEAV. However, this does not make them any less of a problem, particularly for enterprise users. These attacks are also growing in sophistication.
According to TrendLabs’ Escalation Team, previous SALITY file infectors such as PE_SALITY.SA used simpler encryption techniques. In particular, they used only one layer of encryption, which made analysis simpler: an analyst could look at the sections of the file that contain only zeroes, as shown in Figure 1.
PE_SALITY.BA, however, uses a more complex encryption routine, which makes analysis correspondingly harder. The result can be seen in the code sample shown in Figure 2.
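The "look for the zero-filled sections" heuristic described above can be turned into a small triage script. The following is an added example written for this post, not TrendLabs' tooling, and the sample byte regions in it are constructed for the demo (no real SALITY bytes). It windows a blob, labels each window by zero ratio and Shannon entropy, and then tests the single-layer hypothesis: if a region was zero-filled before a constant XOR, the region's dominant byte is the key, and removing it should bring the zeroes back. A layered or properly keyed routine leaves every window at high entropy, and the same trick does nothing, which is the change in analysis difficulty the post describes. The window size and the entropy thresholds are assumptions chosen for the demo.

```python
"""Chunk-level zero/entropy triage for suspected file-infector samples (added example)."""
import math
import random
from collections import Counter

CHUNK = 512  # analysis window in bytes (demo choice)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zero_ratio(data: bytes) -> float:
    """Fraction of 0x00 bytes in the window."""
    return data.count(0) / len(data) if data else 0.0


def classify_chunk(data: bytes) -> str:
    """Coarse label for one window (thresholds are demo assumptions).

    zero-filled  : mostly 0x00, i.e. padding/uninitialised data left in the clear
    low-entropy  : very few distinct values, e.g. zero padding under a constant XOR
    high-entropy : near-uniform bytes, as layered encryption or a packer produces
    mixed        : ordinary code or data
    """
    z, h = zero_ratio(data), shannon_entropy(data)
    if z >= 0.9:
        return "zero-filled"
    if h < 3.0:
        return "low-entropy"
    if h > 7.0:
        return "high-entropy"
    return "mixed"


def triage(blob: bytes, chunk: int = CHUNK) -> list[tuple[int, str]]:
    """(offset, label) for every window of the blob."""
    return [(off, classify_chunk(blob[off:off + chunk])) for off in range(0, len(blob), chunk)]


def summary(blob: bytes, chunk: int = CHUNK) -> dict[str, int]:
    """How many windows of each label the blob contains."""
    return dict(Counter(label for _, label in triage(blob, chunk)))


def xor_single_layer(data: bytes, key: int) -> bytes:
    """Single-byte XOR, standing in for a 'one layer' encoding in this demo."""
    return bytes(b ^ key for b in data)


def recover_single_byte_key(region: bytes) -> int:
    """If the region was zero-filled before a constant XOR, the key is its most common byte."""
    return Counter(region).most_common(1)[0][0]


def peel_single_layer(blob: bytes, chunk: int = CHUNK) -> dict:
    """Test the one-layer hypothesis on the lowest-entropy window of the blob.

    Returns the window offset, the candidate key, and the window's label before
    and after removing that key. A single-layer sample flips to 'zero-filled';
    a high-entropy sample stays high-entropy because a constant XOR is a
    permutation of byte values and cannot lower entropy.
    """
    windows = [(off, blob[off:off + chunk]) for off in range(0, len(blob), chunk)]
    off, region = min(windows, key=lambda w: shannon_entropy(w[1]))
    key = recover_single_byte_key(region)
    decoded = xor_single_layer(region, key)
    return {"offset": off, "key": key, "before": classify_chunk(region), "after": classify_chunk(decoded)}


# --- constructed sample regions (demo data, not real malware bytes) ----------
CODE_LIKE = bytes(range(0x40, 0x60)) * 16   # 512 bytes, 32 distinct values, entropy 5.0
ZERO_PAD = bytes(512)                        # a zero-filled section

# "older" style: one constant XOR over code plus zero padding; the padding
# collapses to a single repeated byte that still gives the layer away.
OLD_STYLE = xor_single_layer(CODE_LIKE + ZERO_PAD, 0x5A)

# "newer" style: every window is high entropy, nothing zero-like survives.
_rng = random.Random(2010)
NEW_STYLE = bytes(_rng.getrandbits(8) for _ in range(1024))

if __name__ == "__main__":
    for name, blob in (("old-style", OLD_STYLE), ("new-style", NEW_STYLE)):
        print(name, summary(blob), peel_single_layer(blob))
```

Running the script labels the old-style blob as one `mixed` and one `low-entropy` window and peels the low-entropy window back to `zero-filled` with key `0x5A`, while the new-style blob reports only `high-entropy` windows before and after the attempted peel. On a real sample you would feed each PE section's raw bytes to `summary()` and `peel_single_layer()` instead of the constructed buffers.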
It should also be noted that PE_SALITY.BA, like other previous SALITY variants, goes beyond merely infecting files. Not only does it disable antivirus services, it also turns off alerts that Windows normally displays if (continue reading...)