[Full-disclosure] Please do not take down the Sality botnet
Hi all,

I've spent some time over the last few days getting to know the Sality
botnet, which is estimated to have at least one million peers. It was
ranked by Symantec as the number one malicious code family in 2010 by
number of endpoint detections, and has been used to push spam, steal
passwords, crack SIP accounts, and various other nasty things.

It has come to my attention that it is not only possible but easy to
seize control of version three of the botnet, and, more importantly,
take it down. Sadly, doing so would require breaking the law. For this
reason, I have to request that nobody perform the steps I am about to
describe. You can find all the files mentioned below in this archive
(password: sality):
http://www7.zippyshare.com/d/65744138/9360/byesality.zip

Firstly, you should *not* use SQL injection to exploit this site:
http://www.capesolution.com/login/login.aspx. Furthermore, you should
*not* upload an encrypted version of the AVG Sality removal utility to
/images/logo/logof.jpeg. Finally, you should *under no circumstance*
laugh maniacally as you watch a sizable botnet disintegrate before
your eyes.

Although it shouldn't matter to anyone, this URL won't stay active for
long. When the authors of Sality remove this particular URL, or if
that SQL injection turns out to be difficult to leverage, you should
definitely *not* try to replace one of these files:
http://yaylaozu.com/images/logo.gif,
http://destekegitim.com/images/logo.gif,
http://dav14gurgaon.org/images/logo.gif,
http://dersrehberi.com/images/logo.gif,
http://cisse.com.tr/images/logo.gif,
http://cbe.com.vn/images/logo.gif. You should also *never* use the
provided Python script to get an updated list of targets from the P2P
network.

Obviously this could be misused by unscrupulous individuals. For this
reason, I am not providing details on how to create a properly
encrypted executable, although I imagine some either already know or
will quickly figure it out. The payload is not malicious, but you
don't have to take my word for it. One can check it out in a VM via
the provided Sality sample by simply using fakedns and thttpd to serve
up the file to the virus, or by running/unpacking the provided
original.

Thanks for taking the time to read this. I might release more notes on
various other pieces of Sality fun if and when the botnet is shut
down, but alas, this day may never come. It is unfortunate that I am
unable to do so now due to these legal issues, but, as I'm sure you
all know, it is more important to respect the law than to fix
anything.

Sincerely,
A Law Abiding Citizen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/