Sality: A Nasty Binary Tracked Down from

Michal Krejdl 26 Nov 2012

Sality: A Nasty Binary Tracked Down from

What a weird positive we've just spotted on CNET's

Win32:SaliCode blocked

Sality is quite a bad file infector. Is it a false positive? Is it a partially disinfected sample? Which way leads to this nasty binary? Check out this screenshot:


We've decided to cross-check the file more thoroughly - the infected binary is from InstallMonetizer, which is packed inside the installer. After running it in our testing virtual machine, we verified that it is the Sality virus, and that it's infecting every binary run. So if you run this binary on your computer, Sality will be everywhere. What's particularly puzzling, is the detection ratio on VirusTotal: 30 out of 43 antiviruses detect it!

This made us really curious, so we contacted all the parties involved for their statements and found out there was series of mistakes involved.

First, They download the software from the developer's site using the PAD mechanism - by this method the developers share metadata and paths to binaries, and the software portals download the software and publish it on their page. We assumed that this is automated and one of the steps wold also be automated antivirus/antimalware/antispyware scans. This was confirmed by staff, BUT(!) the problem is with the level of noisiness of the scanners, which sometimes detect lots of stuff in 'grey area' corners of download portals. This file is in a category where there is a high probability it would be detected by an AV as a keylogger or PUP, so it seems there is either an ignore-mode or there was a manual (wrong) decision to let the file through.

Next, the Developer: The main mistake of the developer of the software is that he is not running an AV with the usual "I know what I'm doing" approach. We see this approach with the power users and developers too often. I wouldn't even trust myself to decide what is a virus or even browse safely without the help of various tools, including AV, and I work in the Avast VirusLab! There is a bit of controversy regarding the origin of the infection - the developer is quite sure that the InstallMonetizer setup he got was infected. This seems plausible, because it was the only infected binary in the whole installer.

And finally: InstallMonetizer denies responsibility and claims the file was clean.

The moral of the story is obvious - run antivirus protection with up-to-date databases and all shields up. Even the reputable, legit sites you know may have problems as is illustrated in this example. Also, if you are not sure, don't automatically regard such a message from your AV to be a false positive - cross verify the file on VirusTotal or report it to us for verification. Please use this form to contact Avast with your issue. Choose 'Report false virus alert' as the Subject/Topic.

Related articles

--> -->