Eureka! Enter Senaka Malware

Discussion in 'malware problems & news' started by EASTER, Mar 11, 2009.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I could kick myself for turning off my HIPS while both installing bugged programs and running them, where i usually get lucky and find rootkits/malwares embedded and extract them for research and submission/reporting.

    But i also climbed into a malware nest and before long realized after getting WinHost Services errors and a nice convenient system shutdown counter i couldn;t close, that when placed under one of my private build and RADIX drivers microscope, lo and behold i was entertaining the popular Seneka rootkit, aptly named below......

    senekagwmrqfxm.sys

    On further examination of the registry after wiping the rootkit driver, in my face showed a total of 47 Seneka registry entries along with a System32 collection of various supporting dll's and .dat files.

    What ticked me off most is that i missed the exact point of entry because of turning off my HIPS, which i have a tendency to do in order to attract some of these bugs.

    I backtracked thru the installers i was examining with AV's, AVZ, and a host of other probes leading me to believe that it actually flowed into IE at some webpage while in the malware's nest unawares.

    It was a simple and easy process to yank it out completely with the tools at my disposal for such leeches, but i'm going back thru my yesterday routines again this time with HIPS on to see if i can locate it's source site.

    Interesting research.

    EASTER
     
    EASTER, Mar 11, 2009
    #1
  2. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Gee Willakers, I miss all the fun. I want all those infections too! Ok, that's it, from now on, I'm going into the Internet without:

    LUA + SRP + ARs + DFTs + AC on the LUA, and a browser all wrapped up tightly in a sandbox.

    Those wonderful infiltrating, annoying, password stealing, operating system damaging, hostile system resource hogs aren't going to leave me out!
     
    ParadigmShift, Mar 13, 2009
    #2
  3. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach. FL
    Okay, I 'll bite. LUA and SRP I get but what are ARs, DFTs, and AC?
     
    FiOS Dan, Mar 13, 2009
    #3
  4. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    241
    Additional Rules
    Designated File Types
    Access Control (Permissions)
     
    ParadigmShift, Mar 13, 2009
    #4
  5. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    89
    Location:
    Boynton Beach. FL
    Many thanks.
     
    FiOS Dan, Mar 13, 2009
    #5
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,653
    FanJ, Mar 13, 2009
    #6
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    I missed the site that sneaked it thru IE darn it, but it didn't take long to vacumm AWAY all of it's droppers and hidden stealth driver.

    EASTER
     
    EASTER, Mar 13, 2009
    #7
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...