Full Disclosure mailing list archives
Re: Please do not take down the Sality botnet
From: Jason Hellenthal <jhellenthal () dataix net>
Date: Tue, 27 Mar 2012 11:52:45 -0400
LoL its a good thing that Hush.com is also law abiding... On Tue, Mar 27, 2012 at 03:19:22AM +0000, lawabidingcitizen () mac hush com wrote:
Hi all, I've spent some time over the last few days getting to know the Sality botnet, which is estimated to have at least one million peers. It was ranked by Symantec as the number one malicious code family in 2010 by number of endpoint detections, and has been used to push spam, steal passwords, crack SIP accounts, and various other nasty things. It has come to my attention that it is not only possible but easy to seize control of version three of the botnet, and, more importantly, take it down. Sadly, doing so would require breaking the law. For this reason, I have to request that nobody perform the steps I am about describe. You can find all the files mentioned below in this archive (password: sality): http://www7.zippyshare.com/d/65744138/9360/byesality.zip Firstly, you should *not* use SQL injection to exploit this site: http://www.capesolution.com/login/login.aspx . Furthermore, you should *not* upload an encrypted version of the AVG Sality removal utility to /images/logo/logof.jpeg . Finally, you should *under no circumstance* laugh maniacally as you watch a sizable botnet disintegrate before your eyes. Although it shouldn't matter to anyone, this URL won't stay active for long. When the authors of Sality remove this particular URL, or if that SQL injection turns out to be difficult to leverage, you should definitely *not* try to replace one of these files: http://yaylaozu.com/images/logo.gif, http://destekegitim.com/images/logo.gif, http://dav14gurgaon.org/images/logo.gif, http://dersrehberi.com/images/logo.gif, http://cisse.com.tr/images/logo.gif, http://cbe.com.vn/images/logo.gif. You should also *never* use the provided Python script to get an updated list of targets from the P2P network. Obviously this could be misused by unscrupulous individuals. For this reason, I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out. The payload is not malicious, but you don't have to take my word for it. One can check it out in a VM via the provided Sality sample by simply using fakedns and thttpd to serve up the file to the virus, or by running/unpacking the provided original. Thanks for taking the time to read this. I might release more notes on various other pieces of Sality fun if and when the botnet is shut down, but alas, this day may never come. It is unfortunate that I am unable to do so now due to these legal issues, but, as I'm sure you all know, it is more important to respect the law than to fix anything. Sincerely, A Law Abiding Citizen
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- ;s =; _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Please do not take down the Sality botnet lawabidingcitizen (Mar 27)
- Re: Please do not take down the Sality botnet Jason Hellenthal (Mar 28)