The Seneka Rootkit

Why is he Making you research this? Does he have it on his machine or something.

I think I had this rootkit on my machine a few months back. Doing a good search it appears to be related to TDSSserv which some tools classify it as "Malware Downloader"

It did a buch of crazy crap, and I had to boot into ERD Commander (Offline PE) to finally kill the driver.

Here is what I documented
(If you want images of it, let me know and Ill upload them)

1. Hijacks explorer.exe (Image Fiile Execution Options), basically making it run its file everytime you kill and restart explorer.
So basically, instead of explorer.exe running, it ran C:\Program Files\Microsoft Common\svchost.exe, which then launched explorer after running (as if everything is ok, but not it is executing)

2. Drops a bunch of files on every single drive (including any removable media [like flash drives])
The flashdrive is given an autorun.inf file to execute .exes named similar to "game.exe" "app.exe" etc
Therefore, it reinstalls even if you remove it, but forget to clear it off the flashdrive.

3. Has various startup locations and different .exes named similar to csrssc.exe, rs32net.exe, winlogin.exe

4. Installed some COM components to make the DCOM service run IE in the background (god only knows what it was doing then)

5. Hijacks and runs a lot of svchost.exes using a dll.

6. Installed usermode "rootkit" using multiple DLLs which performed IAT hooking on many kernel32.dll functions and all user32.dll functions.

7. Installed a driver called TDSSserv.sys which hides itself from being visibly loaded.
It did not appear that the driver did any SSDT hooking, but Radix reported  that it did hook the kernel image file (ntkrnlpa.exe)
It also prevents regedit from accessing its driver key (CCS\services\TDSSserv.sys)

8. Modifys the TcpIP driver key in CCS\services\Tcpip\Parameters. This basically allowed it to redirect google searches to ad-pages like "Free Antispyware"


I got this from a codec which some idiot modified to include this annoying bug. It was lucky my Nod32 wasn't enabled when it dropped its payload.

It droped files in locations like: C:\, Windows\Temp, Windows, Sysem32, system32\drivers etc.
Luckily it forgot to change the date stamps.


Edited by Matts_User_Name - 28 January 2009 at 11:58pm

Hey again.

1.
Sure yea. DCOM (Server Process Launcher) is a service run by svchost (Service host), and is required for the system to be stable. (Disabling DCOM causes MS Installer to not function, etc)

Here is some confusing info on DCOM in general - http://en.wikipedia.org/wiki/Distributed_Component_Object_Model

Windows specific: (More confusing Info)
http://msdn.microsoft.com/en-us/library/ms809340.aspx


The way I can explain it (I dont even really understand DCOM):
DCOM Server Process Launcher is a service run by svchost.exe, in which, is use used to launch .exes or map .dlls into its address space. (If a .dll is loaded into just 1 process, it has the ability to map itself into any process, so therefore, it is not a lot different than a .exe running as a separate process [but stealthy-er] )

The way DCOM does this must all be managed in the registry. Here is what I typically find with maleware/viruses that take advantage of DCOM:

Example .Reg file from TDSSserv virus

Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID\{C5AF42A3-94F3-42BD-F434-3604832C897D}] @="C:\\WINDOWS\\system32\\hsd63geff.dll" "ThreadingModel"="Apartment" [HKEY_CLASSES_ROOT\CLSID\{C5AF42A3-94F3-42BD-F434-3604832C897D}\InProcServer32] @="C:\\WINDOWS\\system32\\hsd63geff.dll" "ThreadingModel"="Apartment"

In the registry it looks like this: (Shown in Registry Workshop  [Best Regedit replacement IMO]


It appears that it deals something with the InprocServer32 key and ThreadingModel values, in which case the DCOM SPL (Server Process Launcher service) looks for.

InProcServer32 (This is the only documentation I could find on it really):
http://msdn.microsoft.com/en-us/library/ms682390(VS.85).aspx
"Registers a 32-bit in-process server and specifies the threading model of the apartment the server can run in."

Obivously it deals with Microsoft's COM API functions, but it seems many viruses like to take advantage of the fact that a legit windows service (which is running in the System account, meaning it has more access than a local Administrator) will run any .exe or .dll which they specify within the registry.

Here is the only info I really know about the DCOM service:









On the note of talking about maleware, don't confuse DCOM with DKOM (With a K instead of C).
DKOM means Direct Kernel Object Manipulation. It basically means: To change (Manipulate) specific memory in the kernel (Direct Kernel), which represent data structures (Object). These data structures can help define how windows objects work (Such as a process object or module[driver] object)

Here is an example of what DKOM can do: (Hide processes)


If you are curious on details:
Basically what this does is modify a structure in kernel memory called EPROCESS (Executive[kernel] Process), which every process has. These EPs are linked together by a member in the EP strcuture (called ActiveProcessLinks), and by changing them to exclude the desired processs then it can be hidden.

Here is just a quick overview of some parts in _EPROCESS (It actually is proceeded by an "_". Not sure why, ask MS Devs :P)



DKOM is similar to the power which you can have when accessing the kernel, and that brings us to your 2nd question about IAT and SSDT hooks:



2.

Well to learn more there are many great resources:

1. SSDT and IAT hooks, as well as all kinds of kernel/internal malware behavior is discussed in the book Rootkits: Subverting the Windows Kernel
It talks about all the tactics in theory and also provides code examples. (You really dont need to read the code if you do not understand it. It can be equally read in a broad sense and still understood pretty well)
This book is really what got me started on DKOM research.


http://www.amazon.com/Rootkits-Subverting-Addison-Wesley-Software-Security/dp/0321294319

If you are on a time crunch, and really need to view its wonderful information now then here is the e-book (which happens to not come with the book itself. I found it from google):
Even though you will have it in electronic form, I would still say buy the book, because it is always nice to have a hard copy and not waste ink/paper, and also to support the authors.
http://www.mediafire.com/?iejh1ulgzwe

In the above link, I also included Mark's Windows Internals e4 and Jeffery's Windows via C++ for you. These 2 are massive books so for now I would only focus on:
1. Windows Internals: 1, 2, 3 (Talks about the components of the Windows system) [specifically 2]
2. Windows via C++: Ch 22 --> API Hooking (This talks about IAT). The problem is IAT is hard to understand without knowing how DLLs work and the internals of the windows PE (Portable Executable). Perhaps read ch 19 - 22 to better understand some DLL concepts

As for the Rootkits book: Everything in there is good to know for any research you are doing on malware and hooking.


As for some places online:
www.CodeProject.com
www.Rootkit.com
(They are mainly code sites, but contain a lot of information that is explained in different perspectives on Hooking whether it be from Dlls (IAT, Global/Local hooks using SetWindowsHookEx, or Window-Procedure subclassing) or from Drivers (All the other kinds of low-level ring 0 hooks, such as SSDT, IRP hooks)



Some useful ones:

API Function Hooking  (IAT & SSDT Hooking)
http://www.codeproject.com/KB/system/hooksys.aspx

SetWindowsHookEx & IAT Hooks: - DLLs
http://www.codeproject.com/KB/DLL/hooks.aspx

Dll Hooks (Code Injection) (SetWindowsHookEx, IAT)
http://www.codeproject.com/KB/threads/winspy.aspx




I personally know reading gets old after a while especially if you do not understand the code or concepts. I am a visual learner myself, so here are perhaps some images I made to perhaps spark your interest:

This app shown is called Radix and is an Antirootkit tool:


I talk a little about Radix here: http://forum.sysinternals.com/forum_posts.asp?TID=17648

--[Radix Antirootkit]--
Here is its site: usec.at
Download: http://www.usec.at/downloads3/radix_installer.zip
(You don't need to install it, it just comes ready to go right out of the zip, which is what I like)


Example of IAT and SSDT hooks shown in Radix:

IAT Hooking:

SSDT Hooking:





More information I recently found is from a tool which I am going to test out soon:

Deep System Explorer (DSE)
http://tds.diamondcs.com.au/dse/screenshots.php

They have a bunch of examples here: (w/ Images for each type of detection they explain)
http://tds.diamondcs.com.au/dse/detections.php








3.


Yes, it was a QuickTime Installer (I was hunting around for a cracked version of Pro and got this POS instead)
It actually does install quicktime, the installer executes a nice virus before launching the QT install.

I uploaded it for you: (Please use with caution, it is a sticky one to really get off)

This is the exact file which is it packaged in:
<link removed in accordance with Malware Policy>

I was able to extact the exact the virus installer .exe from the main installer(Above) using WinRar:
<link removed in accordance with Malware Policy>


I would recommend you only run this on VMWare Workstation or some other virtual machine.
NOTE: If I recall correctly, it even forces its driver to bypass System Restore and be added on all Safeboot keys (Meaning it still starts in any Safemode you go into)



Tools you are going to need include:

1. Sysinternals Tools: Process Explorer, Autoruns, TCPView
(You can get all of these over at Systinternals.com)

• http://live.sysinternals.com/procexp.exe
• http://live.sysinternals.com/autoruns.exe
• http://live.sysinternals.com/Tcpview.exe

2. Snapshot tools
Registry Workshop (Highly useful for searching and creating snapshots of what changed)
Possibly a file snapshot tool (I haven't found one I really like yet besides Thinstall)

3. Offline Removal
Might need ERD Commander to remove this mofo, unless you create a copy of the VMWare file that is used as its harddrive.

4. Antirootkit tools:
Radix, IceSword, Kernel Detective, HideToolz 
(I will also look around for a full version of Deep System Explorer (DSE))

• Radix - Best Anti-RK tool out there (IMO). Powerful, fast, and may options & scans
• IceSword - Not as good as Radix, but does have a way at viewing the installed hooks on the system. These hooks are from SetWindowsHookEx. (Many other tools never show these) (This was made by someone from a guy from China but provided an english translated version)
• Kernel Detective - Sometimes discovers more than Radix (This was made by someone over at www.rootkit.com)
• HideToolz - Useful for stopping SetWindowHookEx, shutdowns, and process terminations.

Note: If I recall correctly Kernel Detective detected a modification that this driver did, which no other Antirootkit tools reported.

Here is a zip I made for you: They contain these 4 tools listed above (Lastest versions as I know of). They are best of the best to my knowledge.
http://www.mediafire.com/download.php?ziimzrfnyky




If you need tools like Registry Workshop, Thinstall, or ERDC, or other troubleshooting software then PM me with your email address. (I don't want people on here to get mad at me for distributing Warez, haha)





Hopefully all this information was helpful.
I've been working on this since 4 PM and it is now 10 PM. Oh well, what better to do on a Friday night than inform others of my research on maleware and windows internals :P

I feel that this information can help give some visuals and reliable information about the kinds of methods I currently use to kill off malware. Everyone has to deal with it at some point, so perhaps this can help make anything less fuzzy.

PS: If you are curious how I created those images, I used SnagIt 8
-Matt



EDIT:

liana: molotov informed me of the new maleware policy of no longer posting links to maleware on these forums.

You can either leave your email address on your response, or PM me with it, and I will send the files to you.



EDIT by molotov: removed links to malware, in accordance with Malware Policy


Edited by Matts_User_Name - 31 January 2009 at 3:25am

Hi GamingMaster,

Edited by PROROOTECT - 31 January 2009 at 8:22pm

Yes, Msinfo32.exe.

Hi,

Thanks Matt, yes some of them flag it as trojan, maybe because of the packing and the driver code obfuscation !

Edited by GamingMasteR - 29 June 2009 at 3:13am