Eureka! Enter Senaka Malware

Discussion in 'malware problems & news' started by EASTER, Mar 11, 2009.

Thread Status:
Not open for further replies.
  1. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I could kick myself for turning off my HIPS while both installing bugged programs and running them, where I usually get lucky and find rootkits/malwares embedded and extract them for research and submission/reporting.

    But I also climbed into a malware nest and before long realized, after getting WinHost Services errors and a nice convenient system shutdown counter I couldn't close, that when placed under one of my private build and RADIX drivers microscope, lo and behold I was entertaining the popular Seneka rootkit, aptly named below...

    senekagwmrqfxm.sys

    On further examination of the registry after wiping the rootkit driver, in my face showed a total of 47 Seneka registry entries along with a System32 collection of various supporting dll's and .dat files.

    What ticked me off most is that I missed the exact point of entry because of turning off my HIPS, which I have a tendency to do in order to attract some of these bugs.

    I backtracked thru the installers i was examining with AV's, AVZ, and a host of other probes leading me to believe that it actually flowed into IE at some webpage while in the malware's nest unawares.

    It was a simple and easy process to yank it out completely with the tools at my disposal for such leeches, but I'm going back thru my yesterday routines again, this time with HIPS on, to see if I can locate its source site.

    Interesting research.

    EASTER
     
  2. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Gee Willakers, I miss all the fun. I want all those infections too! Ok, that's it, from now on, I'm going into the Internet without:

    LUA + SRP + ARs + DFTs + AC on the LUA, and a browser all wrapped up tightly in a sandbox.

    Those wonderful infiltrating, annoying, password stealing, operating system damaging, hostile system resource hogs aren't going to leave me out!
     
  3. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    86
    Location:
    Redondo Beach, CA
    Okay, I'll bite. LUA and SRP I get, but what are ARs, DFTs, and AC?
     
  4. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    Additional Rules
    Designated File Types
    Access Control (Permissions)
     
  5. FiOS Dan

    FiOS Dan Registered Member

    Joined:
    May 24, 2006
    Posts:
    86
    Location:
    Redondo Beach, CA
    Many thanks.
     
  6. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I missed the site that sneaked it thru IE, darn it, but it didn't take long to vacuum AWAY all of its droppers and hidden stealth driver.

    EASTER
     