Persistent Malware: Microsoft’s System Restore feature

I originally published this blog at http://community.ca.com/blogs/securityadvisor

November 05 2008, 10:33 AM by Benjamin Googins

Have you tried removing malware, but it just won’t go away?  When you run an anti-malware scan, are the results puzzling? Does your anti-malware product tell you malware was detected in the folder “System Volume Information”, but it can’t be removed?  It is quite possible you are having trouble with System Restore.  Malware detected in a System Restore snapshot can give you a false sense of insecurity.  To understand the problem your anti-malware product is having with System Restore and possible solutions, we first need to understand what System Restore is and what it does.

What is System Restore 

System Restore is a handy feature included in Windows Me, Windows XP and Windows Vista operating systems.  System Restore basically works like the “undo” button you use in various programs that allows you to undo a deleted paragraph, for example.  System Restore acts in much the same way, but on a larger scale — it allows you to bring back a previous computer state including system files, registry keys, installed programs and other elements of your computer system.

Unfortunately, System Restore also saves copies of viruses, malware, spyware, adware and trojans when it takes a snapshot.  System Restore takes snapshots of your computer system and stores them at “C:\System Volume Information”.  To learn more about System Restore and how to use it go here: http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/systemrestore.mspx and here http://en.wikipedia.org/wiki/System_Restore.  Here is a screenshot of what the System Restore interface looks like:

You will see that there is a calendar with some darkened dates.  The darkened dates indicate times when a snapshot of your system was taken.

Understanding the problem 

So how do you know if your anti-malware product detected an archived version of malware in System Restore?  Above, we saw that System Restore can be a very helpful feature.  Unfortunately, it causes problems for anti-malware products and can confuse computer users.  When System Restore takes a snapshot of your system, it indiscriminately saves any new files and programs, good or bad — including viruses, worms, spyware, etc.  This means that not only is your current computer state infected, but now System Restore has taken a snapshot of that infection and saved it in a special folder located here: “C:\System Volume Information” (“C:” is the most common drive letter; on your computer it could be a different one).  If your anti-malware product reports it identified a threat in this folder (or a subfolder of it), but can’t remove it, you have an infected System Restore snapshot.  Unfortunately, anti-malware products sometimes have a hard time removing these “snapshotted” System Restore infections.

How does this problem develop?

Let’s take a look at a likely, fictitious timeline of events:

  • October 27th: You are browsing the Internet and your computer becomes infected with the malware Win32/FakeAlert.
  • October 28th: The infection triggers System Restore to take a snapshot of your system.  Included in the snapshot is a copy of the Win32/FakeAlert malware.  The snapshot is packed up and stored at “C:\System Volume Information”.
  • October 29th: Your anti-malware product scans and removes the Win32/FakeAlert malware from the active sections of your computer.  It is able to detect the infection archived in the System Restore snapshot taken on Oct. 28th and stored in the directory “C:\System Volume Information”, but is unable to remove the infection.

This is an all too common scenario.  Here is what it looks like when CA Anti-Virus detects malware in System Restore:

In this image, you will see two infections found.  The original copies of these two infections were already removed from the computer on October 29th.  The archived files listed under the “C:\System Volume Information” folder are not actively running on your system and are not causing harm.  The only way these infections can cause harm is by restoring your computer to a previous date that included this malware (in this scenario, by restoring to October 28th).  If you don’t restore your computer to an infected state, archived infections found in “C:\System Volume Information” cannot cause harm.

Solutions 

Before looking at solutions for this problem, be sure what you are experiencing is actually the System Restore problem described above.  I already covered this, but let’s be sure we are on the same page.  1) Conduct a complete scan of your computer with your anti-malware product.  2) Look over the results.  3) Delete everything that is bad.  Was your anti-malware product unable to delete malware located in the “C:\System Volume Information” folder?  Yes?
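As an added example (not code from the original post or from CA), here is a small Python triage script that applies the check above to scan results: a detection only counts as the System Restore problem when the file sits under a drive-root “System Volume Information” folder and could not be removed. The sample log lines, their “path | threat | result” layout and the _restore{...}\RPnn subfolder names are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample scan output (not from any real product or the original
# post); the layout and subfolder names are assumptions for this example.
SCAN_LOG = r"""
C:\Documents and Settings\User\Local Settings\Temp\fakealert.exe | Win32/FakeAlert | removed
C:\System Volume Information\_restore{EXAMPLE-GUID}\RP12\A0004431.exe | Win32/FakeAlert | remove failed
D:\System Volume Information\_restore{EXAMPLE-GUID}\RP3\A0000102.dll | Win32/FakeAlert | remove failed
"""

@dataclass
class Detection:
    path: str
    threat: str
    result: str

def parse_scan_log(text):
    """Turn 'path | threat | result' lines into Detection records."""
    detections = []
    for line in text.splitlines():
        if line.strip():
            path, threat, result = (p.strip() for p in line.split("|"))
            detections.append(Detection(path, threat, result))
    return detections

def in_restore_snapshot(path):
    """True when the file is inside a drive-root 'System Volume Information'
    folder on any drive letter, in any case.  A same-named folder deeper in
    the tree is not a restore point and is treated as an active location."""
    parts = path.replace("/", "\\").lower().split("\\")
    return (len(parts) >= 3
            and re.fullmatch(r"[a-z]:", parts[0]) is not None
            and parts[1] == "system volume information")

def triage(detections):
    """Split detections into active copies and copies archived in restore points."""
    active = [d for d in detections if not in_restore_snapshot(d.path)]
    archived = [d for d in detections if in_restore_snapshot(d.path)]
    return active, archived

def recommend(detections):
    """Only when every remaining failed removal is inside a restore point is
    this the System Restore problem to which Options 1 to 3 apply."""
    active, archived = triage(detections)
    if any(d.result != "removed" for d in active):
        return "ACTIVE_INFECTION"       # live system still infected; clean it first
    if any(d.result != "removed" for d in archived):
        return "RESTORE_POINTS_ONLY"    # inactive copies in System Volume Information
    return "CLEAN"
```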

Here are some options ranging from super easy to more challenging.

Option 1: Ignore the problem for now.  Time required: Zero seconds.  The only action this option requires is for you to ignore the scan results.  Pros: Requires no time.  Little computer knowledge needed.  Your anti-malware may be able to eventually delete the malware from the System Restore snapshot.  Cons: The System Restore snapshot continues to contain the inactive malware.  If you ever use System Restore to revert to that snapshot, the malware will be reintroduced to your system.  You are bothered every time your anti-malware scans with having to mentally ignore that particular detection.

Option 2: Delete all System Restore snapshots and scan your system.  Time required: less than 5 minutes.  By deleting all System Restore snapshots, the malware will also be deleted from your computer.  Pros: Quick.  Little computer expertise required.  Infected System Restore snapshots and the malware they contain are removed from your computer.  Cons: This option is analogous to using a hatchet when a scalpel will do.  By deleting all snapshots, you are also removing the possibility of restoring your computer to any of the deleted restore points.  This would only be a problem if you plan to use any of the restore points.  Note: be sure System Restore is turned back on if you use this option, so your computer can create new restore points in the future.

To utilize this option, go to a webpage our research team has prepared and follow the instructions there (note: turning off System Restore results in the deletion of snapshots): http://www.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=49579

Option 3: Surgically clean all restore points containing infections.  Time required: 15 minutes, but probably a lot more depending on your computer experience level and the number of restore points containing malware.  Pros: If you need to keep the ability to restore your computer to a point that currently contains an infection, this is your option.  This is the most thorough option.  This option leaves your current system state intact, as well as cleaning up the restore points containing malware.  This option allows you to utilize all of the restore points currently on your system.  Cons: This option requires patience and strong basic computer skills.  It will require you to reboot your computer and follow a set of steps multiple times, depending on the number of restore points containing infections.  It is possible this option will not work in all cases.

For this option I am going to refer you to a webpage prepared by Microsoft, here: http://support.microsoft.com/kb/831829

Conclusion

The point of this blog post is to educate and reduce the insecurity System Restore inadvertently introduces when you run your anti-malware product.  Like most well-intentioned technology, there are inevitable unforeseen negative consequences.  System Restore takes snapshots of your system so you can “undo” significant changes to your system components – allowing you to restore old programs, registry keys, system files, etc.  Overwhelmingly, this is a good thing.  The solutions include doing nothing, deleting all restore points, and pulling out your computer scalpel and doing surgery.  You know your computer skills, free time, and needs – use the options above as appropriate.

*Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation.


Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
