Update through Svchost.exe

Hi everyone,

This is regarding Returnil System Safe 2011 Version 3.2.10351.5418-REL3.

I noticed my INTERNET connection was slow and something was taking a huge amount of my processing power while my fan kicked on high. Looking at the network connections in my firewall, I had what I thought was suspicious downloading activity via svchost.exe

I had thought I had deactivated the automatic updates function of returnil but apparently I had not. The program would seem to download around 17 MB of data, then change ports, and start all over again. Also, each time, it would upload over 1 MB of data.

What I don't understand is why the destination IP address shown by the firewall for this connection was the IP address of my own ISP ? It's as if returnil was hiding it's IP address behind the IP of my ISP. You should be able to open your firewall and tell where data is coming from and where it is going. In this case it appeared something was being downloaded from my ISP to my computer and uploaded from my computer to my ISP. However, the data was really being downloaded from returnil's IP and uploaded to returnil's IP.

Here are two of the IP addresses I found..

91.193.166.92

80.91.172.203

It was hard to track down what was going on with this connection. I used various tools, process explorer, currports, and finally had to use a tool to capture the actual packets, the free version of the program "network miner" http://www.netresec.com/?page=NetworkMiner in order to see the actual IP address that was behind this uploading and downloading via svchost.exe, since it "appeared" that data was being uploaded and downloaded to and from my own ISP.

I also think uploading over 1MB of data to returnil each time, seems a little strange. The downloads themselves also seemed large, they were over 17 MB each time, unless it was trying to download a whole new program version. I also had the virus definition updates turned off, and the remote control turned off. Based on size, what was likely being downloaded and uploaded ?

Also, to what directory does returnil download it's updates ?

Microsoft needs to change the way svchost.exe works so that it does not hide or mask what is really going on with downloads and uploads. IMHO, it would be too easy for malware to use the legitimate svchost.exe program to download and upload things and most people would never even notice.

With all of my other programs, I can easily see the IP of the company who's program is updating. However, with returnil, it was hard to track down. I think this should change.

 

Even though I have selected the option for returnil to never update, this connection is still being established and data is still being downloaded to, and uploaded from, my computer. The remote control feature is disabled, and I have the real time virus monitoring disabled. As far as I can tell, all automatic updates are disabled.

Here are the IP addresses that are once again, behind svchost.exe...

91.193.166.92

80.91.172.203

In my firewall, I have just blocked all INTERNET access to all of the returnIL exe files in the RVS3 folder. What else do I need to block with the firewall in order to stop this activity ? I terminate the connection with the firewall, and it just starts back up again. I guess I have to block the IP addresses but it might just use different ones if it finds those are blocked.

I scanned all of the Returnil exe files and the one dll file in the RVS3 folder at virustotal and they all came back clean.

As I was using "TCP view" from Microsoft, the connection was showing the destination IP as the IP of my own ISP, then every now and then it would turn red and It would reveal that it was returnil that was really behind the connection (it actually showed the returnil web address). This agrees with the data retrieved from the program network miner. I know returnil is behind this connection. At one point, the connection went from "established" to "Syn_sent".

I ran the bootable Avira rescue disk and scanned every file on the system and it came back clean. I figured any malware would not be able to hide if the OS were not booted up. I followed up with a quick scan via malwarebytes and superantispyware. All came back clean. I ran the Norman Malware cleaner too, it only found a couple of suspicious registry entries it moved to quarantine but I may restore them as they look like false positives. I also scanned with prevx 3.0 free as the suspicious download was happening and it said the system is clean. Same with bitdefender quickscan.

I would appreciate any help, advice, or thoughts anyone can provide. I don't like stealthy INTERNET connections even if they are from legitimate programs and I don't like a program I cannot control, even if it is legitimate.

Hopefully I won't need to un-install the Returnil program but if I cannot stop this I will have to.

Thanks
John

 

double check what to disable
https://www.wilderssecurity.com/showthread.php?t=280540

 

Hi Cudni,

Thanks for your reply.

I can try the proxy setting workaround given at the link you provided as long as I can tie up port 50505 indefinitely.

However, I have already blocked access to all of the .exe files and the one dll file in the C:\Program Files\Returnil\RCS3 folder. So why the heck is this thing still downloading & uploading. More importantly, how is it still downloading and uploading ??

I used the comodo firewall to block all incoming and outgoing traffic for rvsmon.exe, rvsgui.exe, rvsrcvr.exe, rvsvssguixp.exe, rvsvssxp.exe, and irvs.dll.

If all of that is blocked, then what exactly is still making this connection ??

What do I need to block with the firewall to stop this ? If I cannot stop this with a firewall then something is wrong. Something seems fishy about all of this to me.

Thanks again for your reply,
John

P.S. To what directory on my computer is this data being downloaded, I cannot find it. It downloads over 17 MB and uploads over 1MB at each connection. Then, it reconnects on a different port and starts over.

 

Hi john2005,
Did you deactivate the malware sample and suspicious behavior information upload option? Virus Guard > Settings > Data Collection Policy section.

Mike

 

Hi Coldmoon,

Yes, I have "do not collect and report malicious activity" checked. Just to be sure I checked the upload queue and there is nothing there.

 

The only thing that could be uploading anything approaching 17 mb would be the data collection policy and only bits and pieces at a time if you have the default background bandwidth selected (33.6 KBPS).

Can you shoot me a PM with your License Number or Installation ID so I can check the server?

Thanks
Mike

 

How can I get the installation ID ? There does not appear to be an actual license number. The trial mode option is still checked & I'm using the free version.

I have attached a Gif image of the registration details. I think I had a registration number for the free version at one time. If it was emailed to me, what would be the address that it came from or the subject line ? I can try to search my email for it.

I think I downloaded Returnil from a link www.techsupportalert.com and I installed it over the old version that was on my system.

It's not uploading 17 MB, it was downloading 17 MB to me and uploading around 1 MB (give or take a little) to Returnil, each time.

Thanks
John

 

Preferences > Advanced tab. Just copy and paste that number into your PM.

Mike

 

I Just sent the ID to you via PM Mike.

 

Hi John,
First, thank you for the report as you have identified a previously unknown bug at at the server which is causing this to happen. The lead for the server project has investigated and reports that it will take a little time to correct and then test.

The gist of the issue is that you have the data collection policy changed to 'do not send' but the server for some reason is still sending requests for any suspicious file/behavior information. IOWs, the server keeps asking for the information and the client keeps telling the server that it cannot send the requested information because the option is changed to do not send.

He suggests blocking the communication attempts at your firewall until this is fixed. To be clear, we do not collect or transmit any confidential/sensitive information so nothing was sent or received other than the communication loop issue described above.

Mike

 

Hi Mike,

Thanks for getting back to me.

This is a relief, as you can imagine, I thought I might have a new malware infection of some sort that is not being detected with current scanners. It also occurred to me that Returil's severs might be infected with malware but I'm glad it's just some sort of glitch. I hope you are able to fix it soon. Please let us know when you get it taken care of.

I blocked all the returnil exe files with my firewall (as the connection was active) and it did not stop it, but after restarting my computer, I have not noticed any new connections since blocking the returnil .exe files. Perhaps the firewall settings on the .exe files do not apply to active connections and are only applied to new connections or after a computer restart, I'm not sure.

If you could post or PM a list of IP addresses to block, that would be helpful as well.

Thanks for your help Mike, I really appreciate it.

Sincerely,
John

 

See your PM and let me know if this nips it in the bud.

Mike

 

I have one other question about this Mike.

Was any data actually saved to my computer ? The firewall said that a little over 17 MB had been downloaded each time, if it downloaded 17 MB every day since I installed the software, that could be quite a lot of wasted HD space.

Is there a directory or file name I could search for ? If something was saved, how do I know what I can delete ?

Thanks
John

 

Hi John,
Apologies for the delay as I needed to check my facts before posting a reply. Nothing was saved to your computer. What you saw was merely the traffic to and from the server as described previously.

Mike

 

Hi Mike,

There is just one last thing I am curious about regarding all of this.

When this connection was active, the firewall showed my computer IP as the source IP and it showed the IP of my own ISP as the destination IP. Since the connection was made through svchost.exe, it was practically impossible to track down what process or service was behind the connection. Finally, I had to analyze the actual packets and use special tools to find out that returnIL's IP was the actual destination IP, and not the IP shown by my firewall.

With all of my other software, whenever there is an update, I can open the firewall and the the destination IP is the IP of the Company who's software is updating.

Why was the destination IP shown as the IP of my ISP when Returnil was updating ? If there is any way for you guys to change this, I would suggest you do so.

I know returnil was not doing anything malicious, but a malware program could make a connection via svchost.exe, and just show the destination IP as the IP of the computer users ISP. The user would never know anything was wrong unless they really looked deep to find out what was going on. Most users would never even check into it. Alternatively, Instead of the destination IP showing as the computer users ISP, the malware could show any phony IP in it's place.

Microsoft needs to make it easy to find out what processes and services are running under svchost.exe, and more importantly, they need to make it easy to find out what INTERNET connections are associated with each specific instance of svchost.exe, and what destination IP address are associated with those connections. If software developers can help with this also, then that would be great.

Thanks again for your help with all of this.

John

 

Hi Mike,

Regarding my previous post quoted below, did you ever find anything out about this IP issue? Does anyone else have any ideas ?

Thanks
John

 

Hi John,

This is the rub when using suggested best practices from Microsoft. We could have designed RSS/RVS differently, but decided it was best to ensure we were developing the software as closely as possible to these guidelines; especially where Vista and Windows 7 were concerned.

This then changed the results of the project with certain avenues being open and others being closed (ref: 3x has a significantly different architecture that 3x for example).

I have updated the team on your suggestions but cannot say at the moment what they will decide.

Mike

 

Thanks Mike.

Could you please clarify one thing for me ?

1. Specifically, can you please tell me why the destination IP was shown as the IP of my ISP when Returnil was updating ? I do not understand why this is so and why ReturnIL's IP addresses were "behind" the IP of my ISP.

This is what I have found most perplexing about all of this. Had ReturnIL's IP been visible via the firewall connections window, I could have tracked all this down much easier and much faster. However, ReturnIL's IP addresses were behind the IP address of my own ISP and were not visible via my firewall. ReturnIL's IP addresses were only detectable via the use of special packet / network analyzing tools.

Thanks again,
John

 

Dear Mike,

Just a moment ago, (and as I am typing this) ReturnIL has once again made one of these connections using the IP addresses 91.193.166.92 and 80.91.172.203.

I would like to have two specific questions answered, which were not addressed from my previous posts.

1. Why is this INTERNET connection from ReturnIL hidden behind the IP address of my own ISP ? No other programs I have do this and it makes it hard to track down what program is making remote INTERNET connections on my computer.

2. Even though I have all ReturnIL .exe files blocked via my firewall, this connection is still being made. I don't understand this and I want to know why this is so and I specifically want to know how to block ReturnIL with my firewall so that it is unable to connect to the INTERNET.

Via my Comodo firewall, I have all incoming and outgoing traffic blocked for rvsgui.exe, rvsmon.exe, rvsrcvr.exe,rvsvssguixp.exe, rvsvssxp.exe, and irvs.dll. With all of this blocked, WHY and HOW does returnIL keep making INTERNET connections. I specifically want to know how the program is still making INTERNET connections with all of it's .exe files blocked. I also specifically want to know how I can block the program so that it cannot make INTERNET connections.

I have not yet blocked any IP addresses and I don't see why I should have to. I should be able to deny INTERNET access to the program via my firewall. Please tell me specifically what I have to block to deny ReturnIL INTERNET access with my firewall.

If INTERNET access for the ReturnIL program cannot be blocked with a firewall, then something is wrong.

I would appreciate it if you could please fully address all of my questions and concerns above. Many of these points and concerns were brought up in my previous posts but they were not addressed.

Also, if anyone else in the forum has any ideas or thoughts, please let me know.

Thank you.
John

 

Hello John,
First, we can't be responsible for bugs in Comodo FW and its failure to properly display what program is accessing what IP address. If it is not showing the proper information you might need to try one that works better in your environment.

Next, be sure you have turned off all the communications options in RSS which includes the network remote control option and the signature updates. Also you will want to deactivate the malware sample and behavior data collection option (set to do not send). Be aware here, there is a known issue where the server will not recognize when this option is set which results in an infrequent loop where the server requests the data and the client replies that it cannot send this information due to the user's preference not to send this data. This will be fixed in REL 15.

Lastly, you will need to enter our IP addresses in your firewall to block this errant communication as described above. Nothing is sent except:

Server: send me the data
Client reply: no, I can't do that

This communication is quick and small in size and should be resolved by blocking the server IP until this issue is corrected in the REL 15 release.

Mike

 

There is no bug in the comodo firewall, it works fine. I have used the firewall with many, many programs, and only Returnil exhibits unusual network traffic behavior & the ability to bypass the firewall.

We have been through all of this before in the thread and I have already stated that I have turned everything off.

Why do I have to do block the IP addresses ? Are you saying that a properly functioning firewall that can manage outgoing traffic, cannot block returnIL ? If so, then why not ?

I have used the comodo firewall with many, many programs, and it works fine with all of them. If I ever need it to block program I just set it to block all incoming and outgoing traffic and it does this flawlessly each time. However, ReturnIL is able to bypass the firewall and I would like to know what is different about returnIL that allows it to do this ? Something must be different about ReturnIL since it is the only program I have out of many that is able to bypass the firewall. I don't know if it's because it hooks the system or operates at the kernel level or what, I just don't know, which is why I am asking you. Since ReturnIL is the only program that can bypass the firewall, there must be something about ReturnIL that is different, the firewall is fine.

I do not want to give up control of my computer to any program, legitimate or not. A firewall should be able to keep ReturnIL from accessing the INTERNET without the need to block any IP addresses. You should be able to use a firewall to block the actual .exe files of the program and this should block the program. If the program cannot be blocked in this way, then the user does not have control over the program, the program has control over the user. This is not right.

If there is a "Bug" in Comodo, then in my case, it's only applicable to ReturnIL because returnIL is the only program I have ever had that exhibits this type of behavior and has the ability to bypass the Comodo Firewall even though I have blocked all the ReturnIL .exe files.

If anyone out there has had similar issues using firewalls other than comodo, please let us know.

Thanks,
John

 

If a firewall can be bypassed then that is a bug

 

Most rootkits could bypass a firewall and that is not considered a "bug". Does returnil install itself in any way that may resemble the installation of a rootkit ? Is there anything about the operation or nature of ReturnIL that could be considered similar to a rootkit ? Legitimate programs do sometimes use rootkit technology but it is generally frowned upon.

Antivirus software that does not yet posses the definitions to detect new threats cannot detect them, it's not a bug it's just the way things are.

No security product can prevent itself from being bypassed in every possible scenario. Just because a security product is being bypassed does not indicate a bug in the program it just means that the program is being bypassed for some reason.

Imperfection does not indicate a "bug", if it does than all programs have bugs and every problem can be blamed on "bugs".

 

what is the job of a firewall? if it lets traffic through that is meant to block/stop then it is a flaw, a bug. Report it to Comodo. They will be interested if anything can communicate past them and indeed can confirm either way. I suspect nothing will pass Comodo assuming certain rule/mode configuration and maybe what you are seeing can help them correct whatever needs correcting if anything.