The Sality Botnet

As discussed in a previous blog entry, Sality-infected computers become part of a peer-to-peer (P2P) botnet. The peers use this botnet to exchange lists of URLs pointing to malicious software, which Sality will decrypt, download and install.
Although the peer-to-peer protocol used by Sality is custom, we can reverse-engineer the malware binary to determine the P2P packet format as well as the protocol's rules and features. Traffic analysis can facilitate or guide this white-box approach, and writing a working P2P client and/or server is a good way to validate the resulting analysis.
I decided to create a rogue P2P client that would join the Sality botnet and crawl it, in order to estimate its size.
A quick reminder of what the P2P protocol offers:

A peer can ask another peer for its list of URLs.

A peer can send its list of URLs to another peer.

A peer can ask another peer to send the coordinates (IP, port) of a third-party peer.

This last feature is used by bots to keep their list of peers as up-to-date as possible. One very important point is that the exchanged peers are only publicly reachable ones, meaning those running on a computer with a public IP address (most configurations of this type are computers plugged directly into DSL/cable modems). Therefore, users behind home routers or inside corporate environments, having publicly (continue reading...)
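To show what this peer-exchange rule means for a size estimate, here is an added example that is not from the original post and does not use Sality's real packet format: a constructed in-memory P2P network whose peer-list replies contain only public peers, crawled breadth-first by a simulated rogue client. The names SimPeer, build_network, crawl and estimate are hypothetical.

```python
import random
from collections import deque

# Constructed stand-in for a Sality-like P2P network (hypothetical, not the
# real protocol): a peer answers a "send me peers" request with the
# coordinates of PUBLIC peers only, so NAT'd peers never appear in replies.
class SimPeer:
    def __init__(self, pid, public):
        self.pid = pid
        self.public = public
        self.neighbours = set()

    def reply_peer_list(self, max_peers=10):
        """Respond to a peer-exchange request with public peers only."""
        return [n.pid for n in self.neighbours if n.public][:max_peers]

def build_network(n_public, n_private, seed=1):
    rng = random.Random(seed)
    peers = [SimPeer(i, i < n_public) for i in range(n_public + n_private)]
    # Public peers form a connected ring (constructed topology).
    for i in range(n_public):
        a, b = peers[i], peers[(i + 1) % n_public]
        a.neighbours.add(b); b.neighbours.add(a)
    # Each NAT'd peer bootstraps from a few public peers, which learn of it.
    for p in peers[n_public:]:
        for q in rng.sample(peers[:n_public], min(3, n_public)):
            p.neighbours.add(q); q.neighbours.add(p)
    return {p.pid: p for p in peers}

def crawl(network, seeds):
    """Rogue-client crawl: BFS over peer-exchange replies; returns IDs seen."""
    seen, queue = set(seeds), deque(seeds)
    while queue:
        pid = queue.popleft()
        for other in network[pid].reply_peer_list():
            if other not in seen:
                seen.add(other); queue.append(other)
    return seen

def estimate(n_public, n_private):
    """Return (peers found, true size, NAT'd peers found) for one crawl."""
    net = build_network(n_public, n_private)
    found = crawl(net, seeds=[0])
    return len(found), len(net), sum(1 for p in found if not net[p].public)

if __name__ == "__main__":
    print(estimate(40, 60))  # the crawl sees the 40 public peers, none of the 60 NAT'd ones
```

The crawl discovers every publicly reachable peer but none behind NAT, so a crawl-based count is a lower bound on the botnet's size.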

Copyright © 2012 The Security Blog. All rights reserved.