Do-it-yourself plan to take down Sality botnet outlined on public mailing list

Cybercriminals could use instructions posted on the Full Disclosure mailing list to hijack a large botnet

A method that anyone can use to hijack a massive multipurpose botnet called Sality was described in detail on a public mailing list on Tuesday.

Sality is a file-infecting virus that has been around for more than nine years. More than 100,000 computers are infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities.

An individual using the moniker "A Law Abiding Citizen" described how the Sality botnet can be destroyed or hijacked in an email sent to the Full Disclosure mailing list that was sarcastically titled "Please do not take down the Sality botnet."

The email's author linked to a Python script that can be used to determine the update URLs queried by the botnet and suggested that a Sality removal utility developed by antivirus firm AVG could be hosted on one of them to be downloaded and executed by the infected computers.

Sality updates are usually hosted on compromised websites, so in order to replace them with the removal utility, someone would have to hack into those websites, like the Sality creators did, or persuade their owners to willingly host the tool.

Technically speaking, there is a chance that the plan may work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet is instructed to do something, said Vikram Thakur, principal manager at Symantec Security Response.

Furthermore, forcing the botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people's computers without their authorization. "Legally and ethically speaking, the takedown plan is a definite 'no,'" Thakur said.

Therefore, the public availability of these takedown instructions is more likely to help other cybercriminals who wish to hijack the botnet rather than legitimate security researchers interested in disabling it.

Cybercriminals are probably already trying to use the information in the email to their advantage, Thakur said. However, Symantec hasn't seen any changes in the botnet since the takedown plan was posted online.

There's one step required for the plan to work that hasn't been fully revealed by the email's author: In order for the botnet clients to actually download and execute updates, the files need to be encrypted in a certain way.

"I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out," the anonymous poster said.

However, he promised to release more details about Sality if and when the botnet is shut down. "It is unfortunate that I am unable to do so now due to these legal issues, but, as I'm sure you all know, it is more important to respect the law than to fix anything," he said in a sarcastic note.

Join the CSO newsletter!

Error: Please check your email address.

More about AVG Technologies AUCitizen Watches AustraliaSymantec

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts