
Virus / Botnet

Sality

aka SalLoad · Kuku · Sector

A veteran polymorphic file-infecting virus that builds a resilient peer-to-peer botnet, still circulating on legacy systems years after its peak.

Sality is a veteran polymorphic file infector first seen around 2003. It infects Windows PE executables (.exe and .scr files), and because its decryptor and encrypted body vary with each infection, no two infected files share a static signature. Later versions link compromised hosts into a peer-to-peer botnet in which peers exchange URL lists for additional payloads, so there is no single server whose takedown stops the network.

Capabilities

Sality spreads by infecting executables on local drives, on writable network shares and on removable media, where it drops an autorun.inf that launches the infected file when the drive is mounted. On a compromised host it terminates security processes, disables Windows protections such as the firewall and Safe Mode, and fetches further payloads through the peer-to-peer network; those payloads have included spam engines and credential stealers. Because command and control is spread across the infected peers rather than a fixed server, sinkholing or seizing a domain does not break the network, which is why it proved so durable.

Endurance

Despite being two decades old, Sality still surfaces on unpatched and poorly maintained Windows hosts, including embedded and industrial systems that are rarely re-imaged, where a single infected executable on a shared drive is enough to seed a new outbreak. Its P2P protocol is a classic study on the Reverse Engineering Hub; historical tracking is on Cyber Breaches.

Defense

Prefer behaviour- and integrity-based detection: each infected file is re-encrypted, so static signatures lag behind, but the act of rewriting executables and the resulting changes to their PE headers are constant. Disable Autorun for all drive types (the NoDriveTypeAutoRun policy), deny standard users write access to executables and to the shares that hold them, and rebuild infected hosts from a known-good image rather than disinfecting them: a file infector touches every executable it can reach, disinfection can leave corrupted binaries behind, and one host left infected re-seeds the cleaned ones through the shares, so isolate the whole segment at once.
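As an added example of the integrity-based approach described above (not code from this page or from any Sality analysis), the following Python script pairs a SHA-256 baseline of executables with a structural look at the PE header. It assumes the generic appending-infector layout, an extra writable and executable last section with the entry point redirected into it, which packers such as UPX also produce; it is a triage signal, not a Sality signature. The PE images, the section name .vir and the file names app.exe and helper.dll are constructed fixtures built in memory, not real binaries.

```python
import hashlib
import os
import struct
import tempfile

# IMAGE_SCN_* section flags from the PE/COFF specification.
SCN_CNT_CODE, SCN_CNT_DATA = 0x20, 0x40
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr")


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER (PE32 or PE32+)
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsect):                               # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, max(vsize, rawsize), chars))
    return entry, sections


def infector_indicators(data: bytes) -> list:
    """Appending-infector signs: entry point inside the last section, and that section
    writable+executable. Packers give the same layout, so this is triage, not a verdict."""
    entry, sections = parse_pe(data)
    if not sections:
        return ["no section table"]
    name, va, size, chars = sections[-1]
    findings = []
    if va <= entry < va + size:
        findings.append(f"entry point {entry:#x} lies in last section {name!r}")
    if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
        findings.append(f"last section {name!r} is writable and executable")
    return findings


def baseline(root: str) -> dict:
    """SHA-256 of every executable under root, keyed by relative path (take it on a clean host)."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(EXECUTABLE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    out[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return out


def compare(root: str, base: dict) -> dict:
    """Every path whose state differs from the baseline: 'modified', 'new' or 'missing'."""
    current = baseline(root)
    diff = {rel: "modified" if rel in base else "new"
            for rel, digest in current.items() if base.get(rel) != digest}
    diff.update({rel: "missing" for rel in base if rel not in current})
    return diff


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed PE32 fixture, not a real binary. sections: [(name: bytes, rva, size, chars)]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size, raw_base = 224, 0x400                      # PE32 optional header size, first raw offset
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, rva, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, rva, size,
                             raw_base + len(body), 0, 0, 0, 0, chars)
        body += b"\x90" * size                           # filler in place of real code/data
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_base, b"\0") + body


TEXT = (b".text", 0x1000, 0x200, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ)
DATA = (b".data", 0x2000, 0x200, SCN_CNT_DATA | SCN_MEM_READ | SCN_MEM_WRITE)
CLEAN = build_pe([TEXT, DATA], entry_rva=0x1000)
# Same binary after an appending infector: an extra RWX section is bolted on and the
# entry point is redirected into it. Constructed layout, not a Sality specimen.
VIRAL = (b".vir", 0x3000, 0x400, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)
INFECTED = build_pe([TEXT, DATA, VIRAL], entry_rva=0x3000)


def demo() -> dict:
    """Baseline a clean tree, swap one binary for the infected fixture, report each changed file."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("app.exe", "helper.dll"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(CLEAN)
        base = baseline(root)
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(INFECTED)
        report = {}
        for rel, state in compare(root, base).items():
            with open(os.path.join(root, rel), "rb") as f:
                report[rel] = (state, infector_indicators(f.read()))
        return report


if __name__ == "__main__":
    for rel, (state, findings) in demo().items():
        print(f"{rel}: {state}; indicators: {findings or 'none'}")
```

Running the script reports app.exe as modified with both indicators while the untouched helper.dll stays silent. In practice the baseline comes from the gold image and is stored off the host; the size of the diff is what decides the response, since a file infector that has rewritten hundreds of executables across a share is a rebuild, not a cleanup.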