Returnil and nothing else

Ok I was listening to this thread and I'm also a user of Returnil awesome program! However just some info on a test I just did with Julie Lau's sector editor v1.05 which happens to work low level. Side note Powershadow all versions fail as well. I session locked and ran sector editor, selected my C: which is partition 1 and did a sector fill. Then did a reboot and OS was gone,
abracadabra, scary ****. Recovered my system using PC-DOS and a back up ghost file of my system and was back in action in less than a min. Just wanted to say that there is malware that currently exist that has abilities on a low level that well bypass alot of stuff if it is allowed to run, so maybe you may think about adding some kind of script blocker plus .exe and whatever else methods that could be used by malware to execute this type of action.
I don't wanna freak any one out just keeping it real, you guys may never run across malware that can do this but I have simple fact I look for it, but yeah just running returnil for what I do wouldn't be enough to protect my system.

 

It isn't possible. The autorun.inf trick is only a concern for those who depend only/mainly on reboot-to-restore solutions (malware survives on non-system partitions and it's executed when the user double clicks on a drive).

With autorun disabled, you can safely plug removable drives and explore/scan them before double-clicking anything. If you get infected (by whatever reason/cause) malware might re-enable autorun.

 

Greetings again yankinNcrankin

It's always interesting the demands you place with your testings as well as Peter2150 and some others then report on them. Thanks for that.

I'm sure Coldmoon of Returnil would find your results of some interest, hopefully we'll see some response to this and what might can be done to prevent it.

Thank Goodness for fallback images eh?

 

I'd guess that HxD (Hex Editor and Disk Editor) might bypass Returnil's protection too.

 

yankinNcrankin,
Yes that kind of malware is scaring and I would be scared too, that is a normal human reaction, because you don't expect this at all.
I know already that this can happen to any ISR-software and that's why I have a Zero Tool and a clean image to fix this.

As long I can fix it with restoring an image, I'm not scared anymore.
If I cannot fix it with restoring an image, then I'm REALLY scared and out of business. Something like a hardware virus.

 

heheh, well thats what I'll elude to later maybe in another topic post, that the mysterious beast is the actual hardware you buying.

 

think I will just stick with my old tried and true for now, Sandboxie and F-Secure.

 

also a word of warning to those who are not very schooled in areas like partioning, virtualazation, and etc, like me. Be careful, sometimes you can do yourself more harm then good. I guess the best advice I can give is get yourself a solid AV or suite and the reality is, you will be fine. I am a bigger danger to my PC security then any trojan, worm or bot.

 

Incredible beasty trick, good to know.

What about full encryption of D?

Hehe, the human factor.

 

I don't know that anything that runs from the system disk could withstand a sector by sector low level attack of the system disk.

There is still the problem for the bad guy to drop the right malware on the right system, get it initiated and get it functioning to the point that it's in control. In some things it's possible. In others it would be an extreme challenge. Every way we find of destroying our own systems doesn't mean theres a hoard of hackers that can remotely release the same things easily on an armed system.

 

"Beware the enemy within" ---- in which case would be true for me, many times over. LOL

 

How do you disable it? I found many different ways in google, and I don't feel like re-booting every time in case I break something (and some methods require a reboot anyways)

 

Hi lucas1985,
We added protection for changes attempted when using this type of application in previous versions to protect the MBR. We are looking closer at methods to address the use of Sector Editors that none of the ISR alternatives provide protection for.

We should have a version of 2.0 available soon (this week) that will include a solution for testing...

EASTER said:

The most important thing everyone needs to keep in mind here is that we advocate a layered approach. This does not mean "layered" as in "I use three different antimalware scanners and a firewall...", rather it means that we advocate that the user deploy a strong, but targeted line up designed to cover the greatest number of vulnerabilities with the smallest number of resources used.

Further we advocate using the following framework:

1) Prevention - keep the malicious content off of your computer in the first place

2) Detection (and removal if #1 fails) - Detect incoming content and keep it off your system then remove it if it gets through.

3) Cure - Using ISR to close the gap should #1 be insufficient and when you run into the inevitable issue with #2 where the solution failed to detect and/or remove the content for whatever reason (no signature update, removal engine insufficient to deal with a new malware, etc)

The point here is that you should never rely solely on a single product or method to protect your system, rather you should evaluate the strengths of your current tool chest to make sure you have have adequately addressed any weaknesses these tools might have...

Mike

 

Precisely the approach I try to follow, with firewall, AV, and HIPS, alongside Returnil and Sandboxie.

 

Do it with Tweak UI

Great