A method that anyone can use to dispose of or hijack a massive multipurpose botnet called Sality is out on a public mailing list.
Sality is a file-infecting virus that has been around for more than nine years. More than 100,000 computers remain infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities.
An individual using the moniker “A Law Abiding Citizen” described how to destroy or hijack the Sality botnet in an email sent to the Full Disclosure mailing list sarcastically entitled “Please do not take down the Sality botnet.”
The email’s author linked to a Python script that can determine the updated URLs queried by the botnet and suggested that a Sality removal utility developed by antivirus firm AVG could be hosted on one of them, so that the infected computers would download and execute it.
Sality updates are usually hosted on compromised websites, so in order to replace them with the removal utility, someone would have to hack into those websites, as the Sality creators did, or persuade their owners to willingly host the tool.
There is a chance the plan could work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet receives instructions to do something, said Vikram Thakur, principal manager at Symantec Security Response.
Forcing botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people’s computers without their authorization. “Legally and ethically speaking, the takedown plan is a definite ‘no,’” Thakur said.