On Tuesday, a user who is known as "lawabidingcitizen" posted an unusual request to the Full Disclosure mailing list, a forum that is mainly used by the security community: "Please do not take down the Sality botnet."
The contributor says that he found a way of dramatically reducing the number of infected computers after analysing the botnet. He adds that the required actions are unlawful, however, but proceeds to describe the method in considerable detail and makes special tools for the task available.

Essentially, the method involves exploiting the botnet update feature to inject a scrubbing tool that causes the trojans to remove themselves from the zombie computers. The author has also released an adapted version of AVG's Sality Removal Tool. In addition, lawabidingcitizen has developed a Python script that produces a list of the URLs that are currently used for updating the bot code. When tested by The H's associates at heise Security, the script did display URLs that deploy malicious code. Virus scanners such as Avast, G Data and Ikarus detected the Win32.Eldorado malware, which has connections to Sality.

The link for this article located at H Security is no longer available.