Returnil SSDT hooks listed as <unknown>

I recently ran some rootkit scans and found 18 SSDT hooks from an undetermined source. As it turns out, the hooks belonged to Returnil. It is the first security program I have run into that I could not easily identify from the SSDT entries. This makes it hard to tell if the hooks are legit or not. I ran three scanners and they all showed the hook entries as unknown. Does one of the devs or anyone else know what the reason for this is?

I set self-protection off, but this did not make any difference.

Al

 

RSS and RVS install Kernel mode drivers for:

1. Virtual Mode: this is to ensure RVS/RSS can take control of the disk which is required to place Windows into the Virtual System. You can think of the VM as a disk filter that diverts attempted writes to disk to the virtualization cache where they are tracked and then either dropped at restart of the computer or saved to the real disk/system per the user's preferences.

2. Virtual Disk: this is the convenience feature that allows RVS/RSS to create a volume that Windows will see as a real non-system disk or partition for saving of files while in Virtual Mode rather than saving the content to your virtualized System or non-system disks.

3. Antimalware: The Virus Guard component in RSS adds some detection related changes to better capture and analyze unknown programs and/or suspicious behaviors.

4. Service that allows for scheduling, remote client management, suspicious file and behavior information upload to the AI server for analysis, and automated saving of content to disk through the File Manager.

Mike

 

Mike, I understand the need for installing the kernal mode drivers. My question is why is Returnil hiding these entries in the SSDT?

Many other companies tag their Hooks so that the analyzing software will list who is initiating the Hook. That helps in determining the legitimacy of the hook and to me that is a good thing. For example, Prevx shows c:\windows\system32\drivers\pxrts.sys as the module in the SSDT list for all of its hooks. Is there a reason why Returnil can't do something similar?

p.s. I uninstalled Returnil to track down where the hooks were coming from. I was relieved they all belonged to Returnil.

Al

 

Hi Al,
Two things here:

1. This is only valid with XP based systems due to its architecture and does not effect Windows 7

2. You will need to request an update from your ARK provider to properly identify who they belong to - IOW's, they are detecting and should provide information about what they are detecting.

As you have discovered, ARK detecting can be problematic and you have to know what you are looking at. In this case, you easily identified the owner of the hooks by testing against Returnil and knowing what was there previously. This is common with Rootkit scanning and it is not always possible for a solution provider to know every program out there so you get vague answers like "UNKNOWN" until the developer updates his internal database to identify a previously unknown, but legitimate change.

Mike