chinazhudong
February 7th, 2009, 11:58 PM
Returnil Betas Virus penetration

The following is a sample


~~ Do not include malware samples if you want to post here. Link has been made available to Coldmoon - Do not repost it! ~~

TechOutsider
February 8th, 2009, 11:07 PM
How does it penetrate Returnil? Did you add all drives to File Protection?

Eice
February 8th, 2009, 11:19 PM
Returnil started off with advertising itself as a simple and effective anti-malware solution, but unfortunately that's BEFORE the virus writers took notice of it. Returnil does not restrict account privileges in any way, and as such malware can run with equal access rights with Returnil itself and tamper with its hooks and protection drivers at will.

Despite what the software makers say, the only way Returnil can ever stop malware is if the malware does not specifically seek to undo Returnil's drivers. At least use it alongside with a limited user account if you intend to use Returnil as an anti-malware solution.

Huupi
February 9th, 2009, 03:01 PM
Is there any evidence that in real world testing it could happen?
I'm not meaning the Chinese malware from some time ago that compromised Returnil, I dunno if they already fixed it.
I'd like to see some evidence and not guessing that Returnil can be broken.

TechOutsider
February 9th, 2009, 05:45 PM
Do you mean that malware infected your system when protection was on? Or was there malware resident on your system even after reboot and thus, a flush of the cache?

I think he means the first scenario. That's normal.

john10882
February 9th, 2009, 06:49 PM
Just prior to Castlecops site going down, my computer became infected with a virus while Returnil protection was on. The virus modified the system registry run entry and ran the virus when the system was rebooted. Returnil failed to stop this from happening.

This wasn't worth wasting time with and possibly allowing private information to be leaked. The partition was deleted, new partition created and restored from low level image. This was the only and sure way to assure that nothing remained of the infection.

Returnil failed to protect this system from the unknown virus.

Coldmoon
February 9th, 2009, 07:49 PM
-{ Quote: "Returnil started off with advertising itself as a simple and effective anti-malware solution, but unfortunately that's BEFORE the virus writers took notice of it." }-

Hello Eice and welcome :)
Returnil never stopped being a simple and effective solution. The malware authors are always watching no matter what anyone does and there is no such thing as a silver bullet. We have some surprises coming so stay tuned ;)

-{ Quote: " Returnil does not restrict account privileges in any way, and as such malware can run with equal access rights with Returnil itself and tamper with its hooks and protection drivers at will." }-

This is not something Returnil was designed to do as it is not a file filter. Considering that the user of RVS is security oriented, it is not a large leap to expect that a user would run normally with reduced privileges. As we all know, this is not a universal configuration, but even if a user is running with admin status, RVS will still protect against non-ISR circumventing malware. Using the included tools, you can reduce the risk even more. As this is a riskier configuration (hint: convenience), you cannot expect the program to provide its most optimal level of protection.

As a feature suggestion however, that could be interesting and I will discuss it with the team as soon as I can.

-{ Quote: "Despite what the software makers say, the only way Returnil can ever stop malware is if the malware does not specifically seek to undo Returnil's drivers. At least use it alongside with a limited user account if you intend to use Returnil as an anti-malware solution." }-

By this description you confirm what I have said above and in many other places: RVS is not a silver bullet, it is an integral part of a layered security strategy. As I said above, stay tuned... ;)

With kind regards
Mike

Coldmoon
February 9th, 2009, 07:53 PM
-{ Quote: "Just prior to Castlecops site going down, my computer became infected with a virus while Returnil protection was on. The virus modified the system registry run entry and ran the virus when the system was rebooted. Returnil failed to stop this from happening.

This wasn't worth wasting time with and possibly allowing private information to be leaked. The partition was deleted, new partition created and restored from low level image. This was the only and sure way to assure that nothing remained of the infection.

Returnil failed to protect this system from the unknown virus." }-

Hello john10882 and welcome :)
Please send a copy of the malware or a link to where we can obtain a sample of same using the instructions in the following thread to send your report:

http://www.wilderssecurity.com/showthread.php?t=232901

Coldmoon
February 9th, 2009, 07:59 PM
-{ Quote: "Is there any evidence that in real world testing it could happen?
I'm not meaning the Chinese malware from some time ago that compromised Returnil, I dunno if they already fixed it.
I'd like to see some evidence and not guessing that Returnil can be broken." }-

Hi Huupi,
Yes, there is real world evidence that there are some malicious programs that can circumvent ISR. The great majority of it however is from the same sources...

We are working on new features in 2x and 3x that will counter most of this, especially hardening against the "dog" trojans ;)

Dregg Heda
February 10th, 2009, 02:14 AM
-{ Quote: "Hi Huupi,
Yes, there is real world evidence that there are some malicious programs that can circumvent ISR. The great majority of it however is from the same sources...

We are working on new features in 2x and 3x that will counter most of this, especially hardening against the "dog" trojans ;)" }-
Why do you call them "dog" trojans? Is this referring to some special feature of these trojans?

Huupi
February 10th, 2009, 05:04 AM
-{ Quote: "Hi Huupi,
Yes, there is real world evidence that there are some malicious programs that can circumvent ISR. The great majority of it however is from the same sources...

We are working on new features in 2x and 3x that will counter most of this, especially hardening against the "dog" trojans ;)" }-

Hi Coldmoon, you're honest!! How big are the chances that I catch one of these nasties? AFAIK it's more of a problem in Asia.

Coldmoon
February 10th, 2009, 11:54 AM
-{ Quote: "Why do you call them "dog" trojans? Is this refering to some special feature of these trojans?" }-

It refers mainly to a graphic that the developers of the malware have used. The "dog" is a shortening of Sonydog and/or Robodog...

Coldmoon
February 10th, 2009, 12:04 PM
-{ Quote: "Hi Coldmoon you'r honest !! How big are chances that i catch one of these nasties. AFAIK its more of a problem in Asia." }-

The probability is very low in practice. Use limited accounts and stay away from warez and gaming cracks for the most part...

normishmael
February 10th, 2009, 10:28 PM
-{ Quote: "Just prior to Castlecops site going down, my computer became infected with a virus while Returnil protection was on. The virus modified the system registry run entry and ran the virus when the system was rebooted. Returnil failed to stop this from happening.

This wasn't worth wasting time with and possibly allowing private information to be leaked. The partition was deleted, new partition created and restored from low level image. This was the only and sure way to assure that nothing remained of the infection.

Returnil failed to protect this system from the unknown virus." }-

Thank you Sir for saving me from impending Fanboy-dom.

Firebytes
February 11th, 2009, 06:13 PM
In what manner are these few malware programs able to circumvent Returnil and other such software?

aigle
February 11th, 2009, 10:50 PM
One of my friends was always getting his PC reformatted after a few months as his kids used to destroy the OS. I installed Returnil Personal for him with system protection always ON and protected it with a password.

Things went OK for a few months but one day he brought his PC to me and it was not able to boot. On each boot, after the splash screen of the motherboard, it would get a BSOD and reboot. No way to go even into safe mode. We had to re-install the OS. I did not expect this.

One thing that I could not try was running chkdsk (I thought maybe some power reset might have corrupted the file system, which would be fixed by chkdsk). I did not have a way to run chkdsk without booting Windows.

tekie
February 11th, 2009, 11:20 PM
-{ Quote: "
One thing that I could not try was running chkdsk (I thought maybe some power reset might have corrupted the file system, which would be fixed by chkdsk). I did not have a way to run chkdsk without booting Windows." }-


You needed a LIVE Windows CD

It's a CD that boots your computer into a separate operating system.

You could have run all kinds of utilities to find out what was wrong with it.

I use them all the time on computers that have serious problems.

Here's a link to one of them (use at your own risk!) :

http://ubcd4win.com/index.htm

aigle
February 12th, 2009, 12:10 AM
I know, but I did not have one for that PC.

Coldmoon
February 12th, 2009, 08:55 AM
-{ Quote: "One of my friends was always getting his PC reformatted after a few months as his kids used to destroy the OS. I installed Returnil Personal for him with system protection always ON and protected it with a password.

Things went OK for a few months but one day he brought his PC to me and it was not able to boot. On each boot, after the splash screen of the motherboard, it would get a BSOD and reboot. No way to go even into safe mode. We had to re-install the OS. I did not expect this.

One thing that I could not try was running chkdsk (I thought maybe some power reset might have corrupted the file system, which would be fixed by chkdsk). I did not have a way to run chkdsk without booting Windows." }-

Can you take me through what happened and what other programs were being used at the same time? Also, are you saying this was due to malware? If yes, please provide as much info as you can.

If you have samples or a link, please use the instructions in the sample submission sticky in this forum.

Thanks
Mike

aigle
February 12th, 2009, 08:22 PM
Unfortunately nothing at hand, PC was not able to boot so no way to get anything from it. It had been re-formatted.

It was not my own PC, otherwise I would have been able to investigate it in depth. It was running EQS and ThreatFire though.

TechOutsider
February 17th, 2009, 09:15 PM
He gave me a killAV sample. It didn't penetrate Returnil for me :\

betaman
March 18th, 2009, 08:26 AM
Will Returnil 3 protect from these rootkits?
I have read it integrates an antimalware protection.

PS
Are there any news about "Returnil DOS version"?

Coldmoon
March 18th, 2009, 04:27 PM
Hi betaman,
-{ Quote: "Will Returnil 3 protect from these rootkits?
I have read it integrates an antimalware protection." }-

Yes, but to the extent that there may still be new malware developments that will challenge the new protection features. V3 is a totally new approach, but still relies on established technologies where detection of content is concerned.

-{ Quote: "Are there any news about "Returnil DOS version"?" }-

Not specifically but in part as the network version with management console allows for remote administration of the clients.

Mike

Chris12923
March 25th, 2009, 08:47 AM
Report of another such tool http://www.joebox.org/news.php

EDIT: I'm not talking about JoeBox but rather, down the page a bit, the malware that breaks out of the virtualization software. Sorry if there was any confusion.

Thanks,

Chris

Searching_ _ _
April 6th, 2009, 05:15 PM
-{ Quote: "prcko.XP is a virus which will use sysenter to directly talk with the kernel; it is a simple example of a virus which will avoid lame sandboxes where their authors hook kernel32 APIs to monitor execution of a certain binary." }-
From the Joebox Forum

I wonder if lame sandboxes are now less lame?

trjam
April 6th, 2009, 05:22 PM
It all comes 360, no matter what the technology.