Do-it-yourself plan to take down Sality botnet outlined on public mailing list

Cybercriminals could use instructions posted on the Full Disclosure mailing list to hijack a large botnet

A method that anyone can use to hijack a massive multipurpose botnet called Sality was described in detail on a public mailing list on Tuesday.

Sality is a file-infecting virus that has been around for more than nine years. More than 100,000 computers are infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities.

An individual using the moniker "A Law Abiding Citizen" described how the Sality botnet can be destroyed or hijacked in an email sent to the Full Disclosure mailing list that was sarcastically titled "Please do not take down the Sality botnet."

The email's author linked to a Python script that can be used to determine the update URLs queried by the botnet and suggested that a Sality removal utility developed by antivirus firm AVG could be hosted on one of them to be downloaded and executed by the infected computers.

Sality updates are usually hosted on compromised websites, so in order to replace them with the removal utility, someone would have to hack into those websites, like the Sality creators did, or persuade their owners to willingly host the tool.

Technically speaking, there is a chance that the plan may work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet is instructed to do something, said Vikram Thakur, principal manager at Symantec Security Response.

Furthermore, forcing the botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people's computers without their authorization. "Legally and ethically speaking, the takedown plan is a definite 'no,'" Thakur said.

Therefore, the public availability of these takedown instructions is more likely to help other cybercriminals who wish to hijack the botnet rather than legitimate security researchers interested in disabling it.

Cybercriminals are probably already trying to use the information in the email to their advantage, Thakur said. However, Symantec hasn't seen any changes in the botnet since the takedown plan was posted online.

There's one step required for the plan to work that hasn't been fully revealed by the email's author: In order for the botnet clients to actually download and execute updates, the files need to be encrypted in a certain way.

"I am not providing details on how to create a properly encrypted executable, although I imagine some either already know or will quickly figure it out," the anonymous poster said.

However, he promised to release more details about Sality if and when the botnet is shut down. "It is unfortunate that I am unable to do so now due to these legal issues, but, as I'm sure you all know, it is more important to respect the law than to fix anything," he said in a sarcastic note.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?