Sality

Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet that relays spam, proxies communications, exfiltrates sensitive data, compromises web servers and/or coordinates distributed computing tasks for processing-intensive work (e.g. password cracking).[1]

Sality uses polymorphic and entry-point obscuring (EPO) techniques to infect files. It does not change the entry point address of the host; instead, it replaces the original host code at the entry point of the executable with a variable stub that redirects execution to the polymorphic viral code, which has been inserted in the last section of the host file.[2][3] The stub decrypts and executes a secondary region, known as the loader; finally, the loader runs in a separate thread within the infected process and eventually loads the Sality payload.
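The infection layout just described (entry point address unchanged, entry-point bytes replaced by a stub that jumps into the last section) can be turned into a defender-side triage check. The Python below is an added example written for this page, not code from the article or from any vendor: it builds two constructed, non-loadable PE32 fixtures (one clean, one with an EPO-style `jmp rel32` stub at the entry point), parses the section table, and flags the image whose entry-point instruction jumps from a non-last section into the last section. `build_pe`, `analyze_entry_point`, the section layout and the stub bytes are all assumptions made for the example.

```python
import struct

# Constructed entry-point bytes for the two sample images below (not real Sality code).
# Clean: "mov eax, 0; ret". EPO-style: a 5-byte "jmp rel32" stub at the entry point
# whose target lies in the last section, which is the layout the article describes.
CLEAN_EP_CODE = b"\xB8\x00\x00\x00\x00\xC3"
ENTRY_RVA = 0x1000
STUB_TARGET_RVA = 0x3010                       # inside the third (last) section
INFECTED_STUB = b"\xE9" + struct.pack("<i", STUB_TARGET_RVA - (ENTRY_RVA + 5))

SECTION_HDR = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(entry_code: bytes) -> bytes:
    """Build a minimal, constructed PE32 image with three sections (.text, .data, .rsrc).
    Only the fields the analysis below reads are populated; it is a fixture, not a program."""
    names = [b".text", b".data", b".rsrc"]
    headers_size = 0x200
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew -> "PE\0\0" at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                      # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<I", opt, 16, ENTRY_RVA)  # AddressOfEntryPoint
    sec_hdrs, body = b"", b""
    for i, name in enumerate(names):
        rva, raw_off = 0x1000 * (i + 1), headers_size + 0x200 * i
        raw = (entry_code if name == b".text" else b"").ljust(0x200, b"\0")
        chars = 0x60000020 if name != b".data" else 0xC0000040  # code+exec+read / data+rw
        sec_hdrs += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), 0x1000, rva,
                                0x200, raw_off, 0, 0, 0, 0, chars)
        body += raw
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdrs
    return header.ljust(headers_size, b"\0") + body


def parse_sections(data: bytes):
    """Return (entry_rva, [(name, vaddr, vsize, raw_off, raw_size, characteristics), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, data, opt + size_opt + 40 * i)
        name, vsize, vaddr, raw_size, raw_off, chars = (fields[0], fields[1], fields[2],
                                                        fields[3], fields[4], fields[9])
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vaddr, vsize, raw_off, raw_size, chars))
    return entry_rva, sections


def section_index(sections, rva):
    """Index of the section whose virtual range contains rva, or None."""
    for i, (_, vaddr, vsize, _, raw_size, _) in enumerate(sections):
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return i
    return None


def analyze_entry_point(data: bytes) -> dict:
    """Flag an image whose entry point sits in a non-last section but starts with a
    'jmp rel32' into the last section. Triage heuristic only: a hit needs a full scan."""
    entry_rva, sections = parse_sections(data)
    ep_idx = section_index(sections, entry_rva)
    result = {"entry_rva": entry_rva, "entry_section": None, "jump_target": None,
              "target_section": None, "ep_jumps_to_last_section": False}
    if ep_idx is None:
        return result
    name, vaddr, _, raw_off, _, _ = sections[ep_idx]
    result["entry_section"] = name
    ep_off = raw_off + (entry_rva - vaddr)
    if data[ep_off] == 0xE9:                   # E9 = jmp rel32 (target relative to next insn)
        rel = struct.unpack_from("<i", data, ep_off + 1)[0]
        target = entry_rva + 5 + rel
        t_idx = section_index(sections, target)
        result["jump_target"] = target
        if t_idx is not None:
            result["target_section"] = sections[t_idx][0]
            result["ep_jumps_to_last_section"] = (t_idx == len(sections) - 1 and t_idx != ep_idx)
    return result


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_EP_CODE), ("EPO-style", INFECTED_STUB)):
        print(label, analyze_entry_point(build_pe(code)))
```

The check keys on the one structural fact the article gives (entry point unchanged, stub at the entry point, viral code in the last section), so it will also fire on some legitimate packers and self-extractors that use the same layout; treat a hit as a reason to pull the file for a full scan, not as a verdict.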

Sality may contain Trojan components; some variants can steal sensitive personal or financial data (i.e. they act as information stealers),[5] generate and relay spam, relay traffic via HTTP proxies, infect web sites, and perform distributed computing tasks such as password cracking, among other capabilities.

According to Symantec, the "combination of file infection mechanism and the fully decentralized peer-to-peer network [...] make Sality one of the most effective and resilient malware in today's threat landscape."

In recent years, Sality has also included rootkit techniques to maintain persistence on compromised systems and evade host-based detections such as anti-virus software.[1][4][8][9][10][11][12][13][14][15][16][17][21][22][23][24][25][26][27]

Sality uses stealth measures to maintain persistence on a system; thus, users may need to boot into a trusted environment in order to remove it.

Also, since many variants of Sality attempt to propagate to available removable/remote drives and network shares, it is important to ensure that the recovery process thoroughly detects and removes the malware from all known and possible locations.