How to not take down a botnet by a Law Abiding Citizen #security
I’ve spent some time over the last few days getting to know the Sality botnet, which is estimated to have at least one million peers. It was ranked by Symantec as the number one malicious code family in 2010 by number of endpoint detections, and has been used to push spam, steal passwords, crack SIP accounts, and various other nasty things.
It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about to describe. You can find all the files mentioned below in this archive (password: sality):
Firstly, you should not use SQL injection to exploit this site: http://www.capesolution.com/login/login.aspx . Furthermore, you should not upload an encrypted version of the AVG Sality removal utility to /images/logo/logof.jpeg . Finally, you should under no circumstances laugh maniacally as you watch a sizable botnet disintegrate before your eyes.
Although it shouldn’t matter to anyone, this URL won’t stay active for long. When the authors of Sality remove this particular URL, or if that SQL injection turns out to be difficult to leverage, you should definitely not try to replace one of these files:
- h ttp://yaylaozu.com/images/logo.gif
- h ttp://destekegitim.com/images/logo.gif
- h ttp://dav14gurgaon.org/images/logo.gif
- h ttp://dersrehberi.com/images/logo.gif
- h ttp://cisse.com.tr/images/logo.gif
- h ttp://cbe.com.vn/images/logo.gif
You should also *never* use the provided Python script to get an updated list of targets from the P2P network.
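For anyone on the defending side, the URLs above are also useful as indicators: an infected host pulling its update will request exactly these host/path pairs through whatever proxy it sits behind. The following is an added example (mine, not the author's script or anything from the archive) that scans Squid-style proxy log lines for those fetches; the log lines are constructed, and the field layout assumed is Squid's native access.log format.

```python
import re
from collections import defaultdict

# Sality v3 update URLs named in the post (defanged there with "h ttp").
# The hosts are compromised third-party sites, so match host + path, not host alone.
SALITY_UPDATE_URLS = [
    "http://yaylaozu.com/images/logo.gif",
    "http://destekegitim.com/images/logo.gif",
    "http://dav14gurgaon.org/images/logo.gif",
    "http://dersrehberi.com/images/logo.gif",
    "http://cisse.com.tr/images/logo.gif",
    "http://cbe.com.vn/images/logo.gif",
    "http://www.capesolution.com/images/logo/logof.jpeg",
]

def normalize(url):
    """Lower-case, drop the scheme and a leading 'www.', strip any query string."""
    url = url.strip().lower()
    url = re.sub(r"^https?://", "", url)
    url = re.sub(r"^www\.", "", url)
    return url.split("?", 1)[0]

INDICATORS = {normalize(u) for u in SALITY_UPDATE_URLS}

# Assumed Squid native access.log layout: time elapsed client code/status bytes method url ...
LOG_RE = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def find_sality_fetches(lines):
    """Return {client_ip: [matching URLs]} for GET requests to known update URLs."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access.log line
        _, client, method, url = m.groups()
        if method == "GET" and normalize(url) in INDICATORS:
            hits[client].append(url)
    return dict(hits)

# Constructed sample proxy lines (not real traffic); 10.0.0.12 and 10.0.0.77 would be flagged.
SAMPLE_LOG = [
    "1300000001.123    45 10.0.0.12 TCP_MISS/200 5123 GET http://yaylaozu.com/images/logo.gif - DIRECT/203.0.113.5 image/gif",
    "1300000002.456    12 10.0.0.12 TCP_MISS/200 812 GET http://example.org/index.html - DIRECT/198.51.100.9 text/html",
    "1300000003.789    60 10.0.0.77 TCP_MISS/200 40211 GET http://www.capesolution.com/images/logo/logof.jpeg?x=1 - DIRECT/203.0.113.8 image/jpeg",
    "1300000004.001    30 10.0.0.77 TCP_MISS/200 912 GET http://WWW.CBE.COM.VN/images/logo.gif - DIRECT/203.0.113.9 image/gif",
]

if __name__ == "__main__":
    for client, urls in find_sality_fetches(SAMPLE_LOG).items():
        print(client, "->", ", ".join(urls))
```

A hit means the client is worth isolating and scanning, since the request itself is the bot asking for its next payload.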
Obviously this could be misused by unscrupulous individuals. For this reason, I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out. The payload is not malicious, but you don’t have to take my word for it. One can check it out in a VM via the provided Sality sample by simply using fakedns and thttpd to serve up the file to the virus, or by running/unpacking the provided original.
Thanks for taking the time to read this. I might release more notes on various other pieces of Sality fun if and when the botnet is shut down, but alas, this day may never come. It is unfortunate that I am unable to do so now due to these legal issues, but, as I’m sure you all know, it is more important to respect the law than to fix anything.
A Law Abiding Citizen