Rootkit May Be Behind Windows Blue Screen
L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
That's one way of forcing users to take care of an infection.
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
If you were blocking sigs, you wouldn't have to read this.
Will the windows SFC (System File Checker) tool find this altered file?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
I have had to replace atapi.sys after doing offline scans of infected systems' drives. Usually easy enough to copy it off a work system.
That blog is slashdotted. Who has a mirror?
ATAPI is an ATA driver for things that are NOT hard drive (think CDROM drives, floppy, etc).
is that Microsoft's best solution was to boot into the recovery console and uninstall the patches. This put the rootkit back in business. Where is "trustworthy computing"?
The infected PC is unusable or it will be restored to a clean state. Either way it won't be spamming or participating DDOS attacks, etc.
Better known as 318230.
I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
I fix computers for a living... started seeing this a few months ago. I just installed Avast! and removed the rootkit... presto, problem solved.
...my XP box didn't crash on reboot after applying these latest updates.
I was hit by this yesterday -- boy everything runs faster after a clean install!
The interesting part is that I already had the latest Windows Updates, but the blue screens arrived following a successful infection targeting the OLD kernel. How long until the TDSS/etc. makers update their pointers? I kind of prefer the attack that leaves a dead system instead of a quiet zombie...
Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connected with the XP problems. Microsoft didn't do an evil thing; who would have known.
Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!
Does this mean Microsoft is going to have to support and test malware and remain bug-for-bug compatible to avoid bad press in future? That'd be awesome... "we can't accept this fix, it's not compatible with the great zombie bot of '10".
Here's a link to the report from VirusTotal when you upload an infected atapi.sys.
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
The whole moon and the entire sky are reflected in one dewdrop on the grass. - Dogen
Did you copy the file after mounting the drive on an uninfected machine, or did you just copy from the infected machine?
In other words, since about half of the AV programs (including Microsoft's!) can find this rootkit, if it's possible to detect on the infected machine, then the users are double idiots for (a) downloading and installing a virus, and (b) not having a decent AV program to detect and remove it.
Link seems to be down. Already /. ?
Apply this patch to see if the machine is infected by some seemingly-unrelated rootkit.
If you don't even have the strength of conviction to post with your name on it, I think that you should be denied issuance of your proposed Internet license.
And by the way, "Internet" should be capitalized.
This ain't rocket surgery.
"Yes, our security update crashed your computer. We hope you enjoyed our anti-rootkit feature."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.
ANY company replacing files on your drive should be checking to make sure that those are the exact files that it wants to replace.
If there's any difference in the files the installer should exit with a nice error message AND LEAVE EVERYTHING THE FUCKING SAME WAY IT FOUND IT.
Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.
If you know the behavior of rootkit X version Y, it is usually possible to write a tool that specifically disables X version Y without resorting to a known-good-media boot.
However, it may be useless against rootkit X version anything-but-Y.
This is most useful for rootkits that either aren't stealthy enough or which are associated with non-stealthy viruses.
If the rootkit is sufficiently stealthy, the end user may never suspect he has a problem.
The moral of the story: If you are a malware writer and want your code to be undetected, stay below the radar and don't do anything to attract attention to yourself.
Microsoft does detect it - and has since last October.
File atapi.sys received on 2010.02.11 21:58:49 (UTC)
Virus:Win32/Alureon.A
Updated: Dec 07, 2009
Aliases:
Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Encyclopedia entry
Updated: Dec 07, 2009 | Published: Dec 02, 2009
Aliases
Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Alert Level
Severe
Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials [...]. Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary
But when taken with Microsoft's entire approach, no.
Microsoft has always chosen "ease of use" over security. And then their licenses are constructed so that a large segment of the machines out there don't even have clean-bootable media to resolve issues like this.
In your pot hole analogy, Microsoft didn't build the road ... and then the pot holes appeared. Microsoft built the road with the holes ... and then even more appeared and they're doing nothing to mitigate the situation and they're still building the roads the same way.
I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.
The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.
I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...
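The missing-version-information tell described in the comment above can be checked programmatically. The following is an added example, not code from the page, Microsoft, or any AV vendor: it parses a driver image's PE headers to see whether an RT_VERSION resource is still present and compares the file against a known-good SHA-256, deliberately ignoring the modification time the infection resets. The `build_sample_image` helper only fabricates minimal test images; it is not a real driver.

```python
"""Added example: flag a Windows driver image that has lost its VS_VERSION_INFO
resource and/or no longer matches a known-good hash. Standard library only."""
import hashlib
import struct

RT_VERSION = 16          # resource type ID of VS_VERSION_INFO


def _rva_to_offset(sections, rva):
    # Map a relative virtual address to a file offset via the section table.
    for virt_addr, virt_size, raw_size, raw_ptr in sections:
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            return rva - virt_addr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def resource_type_ids(pe):
    """Return the set of numeric resource type IDs in the root resource directory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = {0x10B: 96, 0x20B: 112}[magic]      # PE32 vs PE32+ data directories
    res_rva, res_size = struct.unpack_from("<II", pe, opt + dir_base + 2 * 8)
    if res_rva == 0 or res_size == 0:
        return set()                                # image carries no resources at all
    sections = []
    for i in range(num_sections):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, rsize, rptr))
    root = _rva_to_offset(sections, res_rva)
    named, by_id = struct.unpack_from("<HH", pe, root + 12)
    ids = set()
    for i in range(named + by_id):
        name = struct.unpack_from("<I", pe, root + 16 + i * 8)[0]
        if not name & 0x80000000:                   # high bit set means a string name
            ids.add(name & 0xFFFF)
    return ids


def has_version_resource(pe):
    return RT_VERSION in resource_type_ids(pe)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_driver(pe, known_good_sha256):
    """Return (hash_matches, has_version_info); (False, False) is the symptom above."""
    return sha256_hex(pe) == known_good_sha256, has_version_resource(pe)


def build_sample_image(type_ids):
    """Constructed minimal PE32 with one .rsrc section listing type_ids (test data only)."""
    opt_size, nsec = 224, 1                          # PE32 optional header, one section
    raw_ptr = (0x40 + 4 + 20 + opt_size + 40 * nsec + 0x1FF) & ~0x1FF
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(type_ids))
    for tid in type_ids:
        rsrc += struct.pack("<II", tid, 0x80000000)  # entry: ID, subdirectory offset
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 2 * 8, 0x1000, len(rsrc))   # resource directory
    sec = b".rsrc".ljust(8, b"\0") + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), raw_ptr) + b"\0" * 16
    img = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return img + b"\0" * (raw_ptr - len(img)) + rsrc
```

Run `check_driver` on a copy of the driver taken from the mounted disk and on a pristine copy from install media; a (False, False) result is the combination the comment describes.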
Rootkit? I don't see it. Maybe it's because this damn blue screen is blocking my view.
The game.
Mommy, the root kit did it!
Wish I had mod points.
I have no idea why you get modded Flamebait, maybe because you dared to suggest something that "takes away freedoms".
Bluntly, if anything it might save our freedoms. Because, well, do you think our politicians will not use the rampant spreading infections to spin? "You cannot take care of your computer, therefore we have to limit your ability to install stuff. Only approved applications may run anymore and that way no spyware can infect your machines. And only machines that adhere to this standard may join the internet".
Watch the sheeple cheer. Yay! Finally safe and protected from those evil malware infections!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Do you have any evidence or are you just spouting off bullshit? No need to answer, it's a rhetorical question.
Seriously though, guys/girls like yourself need to get a fucking grip. When you say "M$" you sound like a tool. When you cry foul when there is none you sound like a tool. When you make baseless accusations against someone because they are trying to inform people of a potential rootkit problem you sound like a tool.
Summary: You sound like a tool and people won't listen. So any future complaint or criticism, however legitimate, will simply be ignored.
atapi.sys isn't the file that is patched, it's the file with the rootkit in it.
You're saying MS should have checked atapi.sys before replacing another file? How many files does it need to check before changing a system file? This rootkit is calling into other DLLs in a way that is designed to bypass safety measures, is it a wonder MS' safety measures don't prevent it?
If you learn one thing, learn this. MS doesn't patch files with their updates. They only replace them. So this can't be a case of a patch (offset or context) going awry.
MS does put a lot into their anti-malware activities. It's just it isn't in their 8 year old OS. When you redesign a system, sometimes you can't backpatch it into older stuff. If you ran the newest OS, you would have been protected from this particular malware.
http://lkml.org/lkml/2005/8/20/95
The comments here suggest ideally using a bootable CD to scan the drive, but what exactly should one use?
FOAD
Several weeks ago, I worked on a PC that was probably infected after doing a few Google Image Searches or browsing DeviantArt or something of that nature. I tried multiple virus/malware programs (AVG, Avast, Adaware, MalwareBytes, Spybot). I thought I got rid of the infection...then a Windows Update caused her computer to blue screen on boot.
My solution?
http://www.ubuntu.com/GetUbuntu/download
:(){
The problem isn't that Microsoft needs to ensure compatibility with third party software. It is the fact that they allowed someone to modify their core OS system in this way to begin with. The world has the development and technology to make the OS at that level "tamper proof", but why hasn't it been done yet?
I'll tell you what: If Microsoft wants to enforce WGA and other validation schemes then they should at least make sure there isn't something else running around the kernel. At this point too many users can't tell the difference between WGA and some kit where if they aren't going to provide some validation of the running software then what is the real difference between their "service" and malware?
Why doesn't Microsoft Support make available a downloadable ISO (or a program that creates one) of a bootable CD. After burning, that CD would contain a minimal operating system, something like System File Checker, and the name, path, and hash of every current system file for the OS to be tested.
Users would boot from that Microsoft-provided CD and let it diagnose their system. Files failing the hash would be noted and reported to the user who might then be offered the opportunity to download known good copies directly from Microsoft. A simple installer would place the good files where they belong and then allow the user to re-boot from his now clean hard drive.
Does this already exist and I've just missed knowing about it? I know that I'd use it if I had one. And not just for infestations, as it would also be very useful for repairing file corruption from degrading disk drives.
Now look at what the ideal "best practices" would be for an OS.
Then look at Windows 2000 (all versions). How did that differ from the "best practices".
Now look at every version since. In theory, each version SHOULD be getting closer to "best practices".
In reality, Microsoft has done nothing to improve the security of their systems. Even though they've had 20+ years of real world data about how their systems are cracked.
Your computer is more secure now. You're welcome. -Microsoft
When you bitch about people having nicknames for MS, you sound like a tool.
ORLY? News to me.
I have just repaired TWO computers with this rootkit infection. Both are XP Pro machines made by DELL.
What I did was simply do a repair installation onto the OS. This requires the XP Pro CD OEM (the kind where you can boot into recovery console).
I did the automatic repair install. Got into the desktop and managed to install Malware Bytes onto both machines. I also updated Malwarebytes. Then I did a full scan of the PC, and eventually the program managed to find numerous infected files on the PC. They all had the same trojan: Vundo, among other ones.
After removal, both PCs functioned normally and were able to run a full batch of Windows XP updates, including SP3.
Previewing comments are for sissies!
I'm tossing in this idea: reloading SP3 may be a proper starting point.
>When you make baseless accusations
12 years of software development and tech support with windows,
what have you got under your belt???
>So any future complaint or criticism, however legitimate, will simply be ignored.
Maybe by an ignorant man such as yourself, but I know the vb.net community I am in,
regards what I have to say with a little more respect, but then again, they might just all be tools too.
>ORLY :P
People that abbreviate are such tools, but then again so am I
How much damage will have to occur before that point? I feel like we've been at Sept 10th for a while in terms of information security.
What is going to happen after that damage occurs??
(since TFA appears down at this time)..
http://isc.sans.org.nyud.net/diary.html?storyid=8209
http://forums.malwarebytes.org.nyud.net/index.php?showtopic=39655
http://www.wilderssecurity.com.nyud.net/showthread.php?p=1622432
http://www.prevx.com.nyud.net/blog/139/Tdss-rootkit-silently-owns-the-net.html
boycott slashdot February 10th - 17th check out: altSlashdot.org
Today, here in France we have received this email from our Microsoft account manager:
I would like to inform you that Microsoft Support has received several calls about issues (STOP 0x7E) after applying MS10-015.
Affected PCs appear to be DELL systems with Windows XP.
We are researching the root cause of these issues. The solution to recover from this issue is to remove the update from the recovery console of Windows XP.
Microsoft recommendation is still to deploy MS10-015 bulletin.
- If you have to deploy this update on DELL system with Windows XP, I suggest checking its installation in testing environment.
- If you decide to postpone its deployment, I encourage you to use the workaround from the MS10-015 bulletin: disable the NTVDM subsystem to prevent 16-bit applications from running.
Cut the crap.
Because ANY law WILL be abused, full stop. You make it so everyone has to have an "Internet License" and no longer can posts anon, you know what you will get? "Oh you posted something mean! don't you remember the Myspace suicide girl? No net for you!" "How dare you speak out against dear leader! Don't you support our troops? No net for you!"
If you passed crap like that pretty soon the entire net would be nothing but the Home Shopping network. "Gee isn't product X swell? It sure is Biff!" because you won't dare say anything that could get your driver's license revoked. The problem with comparing the Internet to IRL is that it isn't real folks. It is easy to show some guy had a BAC equal to falling down drunk and was doing 80 in a 30 and needs his license revoked.
But with the Internet the "rules" would end up getting written by politicians pandering to the PC police and every interest group with a checkbook. The "think of teh childrenz!" groups alone would try to turn everything into Mr. Rogers while the bible thumpers would want everything to be Jesusland, and of course the Scientology nuts would have your license for daring to even THINK the word Xenu. yeah, no thanks, I'll stick with what we got now, thanks anyway. I haven't seen a bug since 98, and working PC repair I can say you just can't fix stupid.
ACs don't waste your time replying, your posts are never seen by me.
I have seen people claim 7 years of Windows support experience, when in reality, they have played World of Warcraft since beta. Same with people who claim years of programming experience, and in reality they just have done basic HTML coding and writing their blog since 2000.
Want to state something that may make people actually believe you? Lay the MCSD/MCSE/MSITP creds out. Certs don't mean an admin is good (we all have seen the paper CNA/MCSE), but it means someone has actually seen the OS in question and actually knew enough to respond to the right answers in a test situation. Certs also mean your boss's boss (who doesn't know you, doesn't know your work) has reason to keep you and even promote or give you a raise.
http://slashdot.org/comments.pl?sid=1546966&cid=31115634
"When information is power, privacy is freedom" - Jah-Wren Ryel
"No soup for you!"
FTFY
No, actually it doesn't. That's because it's impossible to make it "tamper proof".
Come up with any protection mechanism you'd like. As long as the computer still turns on, malware can infect it.
Yea, I'd suggest that MS add detection and removal for this rootkit to the MSRT.
It's already there.
Malware Families Cleaned by the Malicious Software Removal Tool [June 05 to date], Win32/Alureon [Updated Jan 5]
The rootkit hasn't forgotten the old folks still on dial-up:
If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:
%allusersprofile%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak
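A post-cleanup check for the rasphone.pbk side effect quoted above, as an added example that is not part of the original post or of Microsoft's tooling: it parses the INI-style phonebook and reports any entry whose IpDnsAddress / IpDns2Address fields carry a DNS server the administrator did not configure. The sample phonebook is constructed, and treating `0.0.0.0` as "unset" is an assumption about the default value Windows writes.

```python
"""Added example: report dial-up entries in rasphone.pbk whose DNS fields were
rewritten, so the file can be reviewed after a Win32/Alureon cleanup."""
import ipaddress

DNS_KEYS = ("IpDnsAddress", "IpDns2Address")
UNSET = {"", "0.0.0.0"}      # assumed value written when DNS comes from the ISP


def parse_pbk(text):
    """Parse the INI-style phonebook into {entry name: {key: value}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            entries[current][key.strip()] = value.strip()
    return entries


def unexpected_dns(text, trusted=()):
    """Return [(entry, key, address)] for hard-coded DNS servers not in `trusted`."""
    allowed = {str(ipaddress.ip_address(a)) for a in trusted}
    findings = []
    for name, fields in parse_pbk(text).items():
        for key in DNS_KEYS:
            value = fields.get(key, "")
            if value in UNSET:
                continue
            try:
                addr = str(ipaddress.ip_address(value))
            except ValueError:
                addr = value                         # malformed value: still report it
            if addr not in allowed:
                findings.append((name, key, addr))
    return findings


# Constructed sample: one untouched entry and one whose DNS was rewritten.
# 203.0.113.7 is a documentation (TEST-NET-3) address used as a placeholder.
SAMPLE_PBK = """\
[Home ISP]
Type=1
IpAddress=0.0.0.0
IpDnsAddress=0.0.0.0
IpDns2Address=0.0.0.0

[Office]
Type=1
IpDnsAddress=203.0.113.7
IpDns2Address=0.0.0.0
"""
```

Pass the DNS servers you actually deploy via `trusted` so legitimately hard-coded entries are not flagged.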
The latest addition to the list is Pushbot [Jan 27]
Using backdoor functionality Win32/Pushbot can be ordered to spread via MSN Messenger by a remote attacker. It sends a message to all of the infected user's contacts. Some variants may also spread using other instant messaging programs, such as AIM.
The worm can be ordered to send messages, which can contain URLs pointing to a remotely hosted copy of itself. The message may be provided by the controller via the IRC backdoor. Some variants of Win32/Pushbot may also spread by copying themselves to removable drives (other than A: or B:, such as USB memory keys). Some variants may be ordered to spread by copying themselves to the shared directories of various peer-to-peer file sharing programs, using filenames such as the following: KEY-GEN Adobe PhotoShop CS3.exe.
Some variants instead may attach a zipped copy of themselves to the [IM] message and/or randomly choose messages from a provided list. As an example, some variants use the following messages:
WoW? is that really you... what the hell where you drinking
LOL, you look so ugly in this picture, no joke...
Should I put this on facebook/myspace?
Hey m8, who is this on the right, in this picture...
Sup, seen the pictures from the other night?
Why worry about the anon posting, trolls, etc. for a license? How about we simply concentrate on people being able to reasonably maintain their own computers, behave rationally when they receive email from someone unknown to them, and other items that should be fucking common sense at this point. Twenty years ago there were smart people sitting in front of dumb terminals, now the roles have reversed.
The first time I came up against a TDSS infection it was incredibly hard to deal with. Then I learned a little trick to disable the thing:
This information is from about 1 year ago, however. I haven't looked at any current variants, so they might be quite different. Nevertheless, the technique of installing as a device driver was novel to me at the time, and may still be used. Just as with autorun entries, check your Non-Plug and Play devices. If you see something with a name that looks randomly generated or otherwise suspicious, you might want to disable it.
Or did Patrick Barnes' server crash because of this bug? Did /. his website out of existence?
I did access Patrick Barnes' webpage earlier in this week, but today, Friday February 12, 2010, there is no server and IP address to connect to. Any word from Patrick Barnes from other than his website? Did we
I read his webpage and he did put a solution on his webpage to detect and fix this, but now the webpage is gone and I wonder what happened to it.
Caught that myself yesterday. http://aria.blogs.theinternetco.net/2010/02/11/kb977165-causes-a-blue-screen/
Fix BSOD or buy W7 seems to be my choice. A service call for $XX or pay Wally World $118.72 for Win7, either is a lot less scary than a free Linux CD.
This rootkit may be way more cost effective than another stupid M$ TV commercial
Because you are trying to think rationally dude, and the ones writing the laws don't actually do that anymore. If they did we wouldn't have eternal copyrights and you wouldn't be looking at PMITA prison for looking at Hentai or a Lisa Simpson cartoon.
Today is all about pandering or corruption, and since I can see many corps shelling out good money to write Internet Licenses legislation, that leaves pandering to the blue hairs, the bible thumpers, and the other fringe groups that make up the base. So you would have knee jerk politicians adding removal of your license for "cyber bullying" and the religious adding removal for defamation of their beliefs, and of course Scientology would ban Xenu once and for all.
I mean seriously dude, when was the last time you saw a law that wasn't either a blatant kickback or pandering bullshit? The Internet is one of the last places where you can speak your mind and be heard by a wide audience. There are too many jack boot lovers that would just love ANY excuse to stop those that are different from them or don't support their dogma. Let us not give them rope to hang us with, okay?
I had a similar problem a few months ago (October 2009) with the same error causing Windows to BSOD with atapi.sys... I didn't even think that this could be because of a rootkit infection. Firstly I removed the CD-ROM/IDE because of atapi.sys, but the BSOD was still present; then I changed the motherboard for a new one, but the BSOD was still around; finally I changed the hard disk with a clean installation and the BSOD was gone.
If you want a system that's totally locked down and doesn't let you do ANYTHING remotely useful then go buy an iPad. Else don't go live on the internet when logged on with Administrator privileges. Basic security principles! That way the bad boy dodgy software can't install itself.