Technical Returnil question regarding malware

Discussion in 'General Returnil discussions' started by Jeroen1000, Aug 21, 2009.

Thread Status:
Not open for further replies.
  1. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Hi guys,

    As I understand it, Returnil keeps track of which sectors on disk change and reverts these changes after reboot? Yet, I have read that certain rootkits and other malware can slip past this?

    I don't get how this is possible. A sector that has changed must be clearly detectable? The only way I can think of is that the rootkit compromises the kernel...

    Please elaborate on this :)
     
  2. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    Instant system recovery software uses a filter driver which hooks the disk driver and intercepts the I/O request packets generated by the I/O Manager.
    A rootkit can bypass this by detaching the filter device object, or by hooking a lower-level driver than disk.sys (such as atapi.sys) and issuing direct I/O instructions. There's also a technique presented at the Xcon2008 conference, which penetrates the ISR by sending commands through the IOCTL_XXX_PASS_THROUGH interface.

    Then there are bootkits...
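    The post above places instant-recovery products at the disk filter-driver layer. As an added example (not Returnil's code and not from this thread), the following PowerShell script reads which upper and lower filter drivers are registered on the DiskDrive setup class, compares them against an assumed baseline, and confirms each filter's service entry and driver image exist. The baseline names and the placeholder recovery driver name are assumptions to replace with your own.

```powershell
# Added example, not Returnil's code: defender-side check of the filter drivers
# registered on the DiskDrive setup class (the documented class GUID below).
$diskClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

# Assumed baseline: replace with the filter names you expect on your own systems.
# 'partmgr' is the usual built-in upper filter; the second name is a placeholder.
$expectedFilters = @('partmgr', 'EXAMPLE_RECOVERY_FILTER')

function Test-DiskClassFilters {
    $class    = Get-ItemProperty -Path $diskClassKey -ErrorAction Stop
    $findings = @()
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        # REG_MULTI_SZ comes back as string[]; drop $null when the value is absent
        $names = @($class.$slot | Where-Object { $_ })
        Write-Host ("{0,-13}: {1}" -f $slot, ($names -join ', '))
        foreach ($name in $names) {
            if ($expectedFilters -notcontains $name) {
                $findings += "$slot has unexpected filter '$name'"
            }
            $svc = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" `
                                    -ErrorAction SilentlyContinue
            if (-not $svc) {
                $findings += "filter '$name' has no service entry"
                continue
            }
            # Resolve the driver image: ImagePath may be absent (default location),
            # relative to the system root, or prefixed with '\SystemRoot\'.
            $image = [string]$svc.ImagePath
            if (-not $image) {
                $image = Join-Path $env:SystemRoot "System32\drivers\$name.sys"
            }
            $image = $image -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($image)) {
                $image = Join-Path $env:SystemRoot $image
            }
            if (-not (Test-Path -LiteralPath $image)) {
                $findings += "filter '$name' image not found at '$image'"
            }
        }
    }
    return $findings
}

$result = Test-DiskClassFilters
if ($result.Count -eq 0) { Write-Host 'Disk class filter registration matches baseline.' }
else { $result | ForEach-Object { Write-Warning $_ } }
```

This only inspects the persistent registration; a filter device object detached in memory, as the post describes, is not visible here and needs kernel-level inspection (for example a kernel debugger's device-stack view).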
     
  3. Jeroen1000

    Jeroen1000 Registered Member

    Joined:
    Aug 18, 2008
    Posts:
    162
    Thanks for your answer. This is my first encounter with software like Returnil really.

    Now I see one does indeed still need a virus scanner. Perhaps a big off-topic question, but a very important one to me (if you don't mind).

    Does Returnil also prevent the MFT from being updated:

    Suppose you save a few files on the desktop with Returnil system protection on. These files will get an entry in the MFT. Returnil will roll back the changes upon reboot, but will it also revert the MFT (and how)?

    From a privacy standpoint, a lot of info leaks from the MFT, and this would certainly put a lock on that door :)
     
  4. developers

    developers Registered Member

    Joined:
    Apr 1, 2009
    Posts:
    62
    If you examine the partition with a forensic tool, you can find the files you saved with protection turned on in unallocated clusters (the link between the MFT entry and the cluster still exists), so you can recover them.
     
  5. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    One note here that all should be aware of: if you activate the cache wipe option, these same files will not be recoverable...

    Mike
     