Slashdot Mirror


Rootkit May Be Behind Windows Blue Screen

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."

33 of 323 comments

  1. Sounds like a good thing by Anonymous Coward · · Score: 5, Insightful

    That's one way of forcing users to take care of an infection.

    1. Re:Sounds like a good thing by Anonymous Coward · · Score: 1, Insightful

      Wireless has to be configured by the user; the HDD controller does not.

    2. Re:Sounds like a good thing by Opportunist · · Score: 2, Insightful

      So I'd call that latest update a critical security fix. Install immediately!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Sounds like a good thing by Sleepy · · Score: 4, Insightful

      That's a strawman argument.
      It's natural for security minded folks to "jab" at Microsoft (in a manner similar to how safety advocates "jab" at lead-painted Chinese toys).

      On a SANE OS, rootkits can't be installed by regular users who are viewing a banner ad, or plugging in a storage device like a memory stick or USB picture frame.

    4. Re:Sounds like a good thing by cbhacking · · Score: 2, Insightful

      ... unless you run with maximum permissions (root/Administrator). Vulnerabilities in Flashplayer are typically cross-platform; an exploit that works in Windows will work (after modification, but it will work) on Linux too. The difference usually just comes down to the degree of harm possible. Besides, while I don't know how this particular infection spreads, the odds are very good that it's a trojan... such things work quite nicely on *any* system where the user can get full permissions (almost everything except locked-down business machines) and doesn't know much about computer safety (the vast majority of non-Linux PC users, and some of the Linux users too).

      In any case, standard user accounts can't make changes like that. While EoP exploits may well exist, there are none I know of being used in the wild right now, and Microsoft takes patching them quite seriously. In any case, the specific OS version you're referring to is so old that it was designed for computers that listed their clock speeds in MHz and their hard disks in tens of GB. If it were *anybody* other than Microsoft, they wouldn't still be getting security updates at all!

      --
      There's no place I could be, since I've found Serenity...
    5. Re:Sounds like a good thing by Spy+der+Mann · · Score: 3, Insightful

      Yes, because Linux has no local privilege escalation vulnerabilities, right? This sane OS of yours, does it come with rainbow pooping unicorns too?

      In a SANE OS, hackers NEED to escalate privileges to gain administrator privileges for their rogue processes.
      In Windows, you ALREADY have administrator privileges! Right from the start!

    6. Re:Sounds like a good thing by ozmanjusri · · Score: 4, Insightful

      Vulnerabilities in Flashplayer are typically cross-platform; an exploit that works in Windows will work (after modification, but it will work) on Linux too.

      Can you link to any actual exploits, not just those imagined by Microsoft's marketing department?

      --
      "I've got more toys than Teruhisa Kitahara."
  2. Ah, well, that lets Microsoft off the hook then by Rogerborg · · Score: 2, Insightful

    After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

    If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:Ah, well, that lets Microsoft off the hook then by Com2Kid · · Score: 5, Insightful

      After all, there's no way that their malware tool could have spotted it

      If a system has been rooted, nothing short of booting to another OS from known clean media, mounting the disk read only, and scanning, is guaranteed to detect a rootkit.

      That'd make updates a real pain in the arse to install...

    2. Re:Ah, well, that lets Microsoft off the hook then by girlintraining · · Score: 3, Insightful

      After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

      Well, actually no. Most rootkits either modify the permissions or patch critical system files that cannot be easily replaced, as this one does. It's designed to be stealthy -- so if you scan it, it will return a byte-for-byte copy of the original, which is kept elsewhere, while the operating system loads the infected one at boot.

      Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous. This is like potholes -- while the government has a responsibility to patch the roads up so they remain drivable, cars are nonetheless designed with shocks and drivers are expected to watch for road hazards and avoid them as much as possible as well. It is a joint responsibility. Microsoft is not the sole responsible party here: The user shares the responsibility of ensuring the system has not been compromised.

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:Ah, well, that lets Microsoft off the hook then by _xeno_ · · Score: 3, Insightful

      Isn't one of the things a rootkit does is attempt to prevent detection?

      How do you know that they don't try and match checksums, only the rootkit was returning the "correct" data in order to hide its presence? I mean, it is in the system file that handles reading data from hard drives, which sounds like the perfect place to put in code designed to stealth out the rootkit.

      Not that I can get to the article ("Error establishing a database connection"), so I have no idea if that's the case, but it seems quite possible to me that if it's a rootkit, it's actively hiding from detection, which would seem to let Microsoft off the hook. Except for however the rootkit infected the machine in the first place.

      --
      You are in a maze of twisty little relative jumps, all alike.
    4. Re:Ah, well, that lets Microsoft off the hook then by PIBM · · Score: 2, Insightful

      Scanning it does not even guarantee the detection of the rootkit. I can see tons of useless scans a user could run ;)

    5. Re:Ah, well, that lets Microsoft off the hook then by ozmanjusri · · Score: 2, Insightful

      I'm going to go with the user.

      Of course.

      They're the ones who paid for an OS that's about as secure as a colander, after all.

      --
      "I've got more toys than Teruhisa Kitahara."
    6. Re:Ah, well, that lets Microsoft off the hook then by spun · · Score: 4, Insightful

      That is BS and you know it.

      The user installed the virus into their system by doing something stupid.

      It's like blaming the US Government for letting businesses go overseas when you still shop at Walmart.

      Your response is a cop out.

      Your response is what is commonly known as 'blaming the victim.' Seriously, you can't imagine any other way for malware to get onto a system except user stupidity? I'd call that a failure on your part. You know, Windows fanbois remind me of battered women, explaining to others how they walked into a door or fell down some stairs. No you didn't, you let somebody beat the shit out of you and then covered it up.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    7. Re:Ah, well, that lets Microsoft off the hook then by TheLink · · Score: 4, Insightful

      > Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous.

      And saying Microsoft is responsible for ensuring compatibility with _malicious_ 3rd party software is even sillier.

      If your system is screwed up by a rootkit, there is no way to 100% predict what could happen if you try to continue using it (including trying to install patches).

      If the BSODs are only happening to rootkitted XP boxes then it's clearly not Microsoft's fault.

    8. Re:Ah, well, that lets Microsoft off the hook then by Tuidjy · · Score: 3, Insightful

      You know, it is far from easy to implement a "secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown" on a PC that has been rooted, unless you support this in hardware. And I can already hear the screaming and gnashing of teeth if some people, present company very much included, learned that PCs come with something like that.

      I would certainly not be happy running hardware that I knew had something that I and no one I know could get into. And if I can get into it, it's not that "trusted", is it?

      --
      No good deed goes unpunished...
    9. Re:Ah, well, that lets Microsoft off the hook then by Mister+Whirly · · Score: 1, Insightful

      And Linux fanbois remind me of a battered woman who cannot get her damn wireless card working for the life of her.

      --
      "But this one goes to 11!"
    10. Re:Ah, well, that lets Microsoft off the hook then by Opportunist · · Score: 4, Insightful

      As much as I hate defending MS, I can't help but doing it here.

      A rootkit (and that is one) in a system means that you, being software running on that system, have no chance of detecting it, at least if it has done its homework. For the patcher, those checksums might even have been correct.

      It also needn't be manipulated files. Windows, as any OS that has to allow low level drivers, allows you to load non-MS ring0 drivers. Like, say, Linux. It's either that or writing a device driver for every single pesky little controller out there. Do you think MS would do that? Or even do it well?

      Now, you don't need drivers for hard drives themselves, but for their controllers. And spyware is quite keen on snuggling up to those controllers and "filtering" the calls between them and the OS. Now, those spyware drivers are deemed part of the I/O system (for obvious reasons, they are part of the HD controller drivers as far as the OS is concerned). If that driver cannot be loaded because that patch fixes a loophole the spyware used, the OS identifies that as a critical error in the HD controller driver and cannot access the hard drive anymore. BSOD.

      The very same would probably happen in Linux, in BSD, in ... whatever Apple's OS is called, I forgot. You have a driver that is deemed critical by the system that fails to load.

      If you want to blame anything on MS here, it's probably that these rootkit drivers could be installed in the first place. And I honestly don't know if it's MS to blame or the user. What should MS do if the user clicks "allow" on anything he gets asked? Take away control from the user? I doubt you'd like that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Ah, well, that lets Microsoft off the hook then by Opportunist · · Score: 4, Insightful

      Over 90% of current infections are due to social engineering (aka "user stupidity"). The rest is usually due to certain third party software from a company with a big A, usually a certain reader for a Pretty Dumb Format or a tool to make webpages flashy.

      If it's blaming the victim to say that it's effing stupid to open attachments that are sent by "Lawyer" and titled "last reminder" or run "security patches" their bank sends them because otherwise their account is closed immediately, then yes, I blame the victim. Stupidity is no excuse. And this behaviour is, bluntly, EFFING stupid!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Ah, well, that lets Microsoft off the hook then by V!NCENT · · Score: 2, Insightful

      Do you?

      --
      Here be signatures
    13. Re:Ah, well, that lets Microsoft off the hook then by plague3106 · · Score: 2, Insightful

      You pay with your time having to support the damned thing. Yup, I left Linux because it was too much trouble keeping it going and I wasn't able to get done what I actually wanted to get done. I now happily pay for Windows, and have never had a virus.

    14. Re:Ah, well, that lets Microsoft off the hook then by Opportunist · · Score: 2, Insightful

      The only data I have on this matter is still under an NDA, so I can as well have none. But you are invited to draw your own sample. Take every infector you can get your hands on and check what way they use to get onto the machine.

      And yes, 90% is not 100%. Still it means that the chance to be infected provided you know what you're doing is 1/10th of that if you don't. While this does not immediately translate to 9 out of 10 infected machines being infected because the user sitting in front of it is unable to defend against social engineering infection routes, it still means that you are about ten times as likely to catch something if you are not able to use your computer in a safe way.

      There's a story in the firehose currently about an interesting incident that showcases the problem quite well. A blogging page had a huge problem: They appeared as the first Google search result for "facebook login". The result was stunning! Their comment section was swamped by angry people complaining that they cannot log into their facebook account. They did not check the URL, they did not even bother realizing that the webpage looks completely different.

      Could you see how a malicious attacker could try to get the first spot for search terms containing paypal or amazon, and set up a fake page there to lure people into logging in?

      Yet again, I would call it user stupidity if this happens. Or rather, the inability to use the tools sensibly. Getting conned even if you're smart and cautious because someone is smarter is one thing. Getting conned because you're using something and have not the foggiest idea what you're doing is something completely different.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    15. Re:Ah, well, that lets Microsoft off the hook then by Z34107 · · Score: 2, Insightful

      A Windows PE disc (meaning any Server 2008/Vista or newer Windows disc) is very nice for this. Shift+F10 will bring a command prompt; bootsect will let you restore an XP or Vista boot sector.

      Chkdsk breaks a lot of rootkits - they break the file system and chkdsk removes them.

      Another fun trick: Make an image of the disk with ImageX from the Windows AIK. Then immediately restore the image onto your disk. ImageX is file based, and the rootkits do their best to hide, so they're missed when the image is gathered.

      But by that point, it's faster/safer to do a clean install Q.Q

      --
      DATABASE WOW WOW
  3. SFC Find It? by ircmaxell · · Score: 2, Insightful

    Will the Windows SFC (System File Checker) tool find this altered file?

    --
    If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
  4. That does not matter. by khasim · · Score: 1, Insightful

    ANY company replacing files on your drive should be checking to make sure that those are the exact files that it wants to replace.

    If there's any difference in the files the installer should exit with a nice error message AND LEAVE EVERYTHING THE FUCKING SAME WAY IT FOUND IT.

    Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.

    1. Re:That does not matter. by Anonymous Coward · · Score: 2, Insightful

      The issue appears to be the result of an infected driver relying on some internal bits of the kernel that were patched. It's actually the author of the software that infected the driver that's causing the problem.

      The infected driver was _NOT_ part of the Windows update and the update had no dependency on that driver.

      This is not Microsoft's fault.

      While I'm all for free speech, I do prefer that the speaker have some sort of expertise on the topic.

    2. Re:That does not matter. by anamin · · Score: 2, Insightful

      And what happens when the rootkit bypasses the operating system access to that file and returns the expected results? This is a rootkit after all.

    3. Re:That does not matter. by Opportunist · · Score: 2, Insightful

      And HOW exactly should they check if the system has been infected by a rootkit that shows the patcher a file that matches the checksum?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:That does not matter. by V!NCENT · · Score: 3, Insightful

      Checksums, 'nuff said...

      Apps: Calc this for me...

      rootkit: errrrrr.... ?

      Apps: Busted, fscker! *and warns user*.

      --
      Here be signatures
    5. Re:That does not matter. by MarcQuadra · · Score: 3, Insightful

      Won't work. To take your analogy a bit farther...

      The thief is the rootkit, you're the kernel, and the patch is the police.

      The thief is already in, hiding behind the sofa with a gun pointed at your head. The officer knocks on your door and asks if you're being robbed. The answer is 'no'.

      A rootkit can invade the lowest-level of the Virtual File System, so when a patcher running in user space asks for the checksum of the file it's about to patch, it gets a 'clean' result, even if the -real- file on the disk is something entirely different.

      There are a lot of misconceptions about what rootkits really are. I encourage anyone to take a few hits of LSD and explain physics to me, or perform surgery on themselves while under the influence, that's about the closest thing I can compare to patching or rootkit detection on a system that's already compromised.

      --
      "Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
    6. Re:That does not matter. by Anonymous Coward · · Score: 1, Insightful

      It seems you don't really grasp the concept of a rootkit.
      You are not asking the burglar, you are asking the owner and he'll state that the burglar is supposed to be running around in his house - because he is being controlled by a rootkit.

      The rootkit intercepts system calls/api calls/etc and makes sure that e.g. calculating a checksum of the file will yield exactly the results you'd expect from the real file.

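The all-or-nothing pre-patch check khasim asks for, together with the reason the replies say it is not enough on its own, as an added example that is not part of this thread and is neither Microsoft's updater nor any rootkit's code: `verify_then_replace` refuses to touch anything unless every target file hashes as expected, `cross_view_mismatch` compares two independent readers of the same files (the running OS versus a read-only mount from clean boot media, as Com2Kid describes), and `demo()` runs both against a constructed file plus a reader that returns the pristine bytes for it. The file path, contents and the filtered reader are all constructed stand-ins, not a real driver hook.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict, Iterable, List

Reader = Callable[[str], bytes]  # anything that returns a file's bytes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_from_disk(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def verify_then_replace(targets: Dict[str, bytes], expected: Dict[str, str],
                        read: Reader = read_from_disk) -> bool:
    """Replace every file in `targets` only if ALL files in `expected` hash to
    their expected digest; otherwise abort and leave the disk untouched."""
    for path, digest in expected.items():
        if sha256(read(path)) != digest:
            return False
    for path, new_bytes in targets.items():
        tmp = path + ".new"
        with open(tmp, "wb") as f:
            f.write(new_bytes)
        os.replace(tmp, path)  # atomic rename: never a half-written driver
    return True


def cross_view_mismatch(paths: Iterable[str], view_a: Reader,
                        view_b: Reader) -> List[str]:
    """Paths whose contents differ between two views of the same disk."""
    return [p for p in paths if sha256(view_a(p)) != sha256(view_b(p))]


def demo() -> Dict[str, bool]:
    """Constructed scenario: a modified driver file, and a reader that hands
    back the pristine bytes whenever that file is requested (a stand-in for
    a rootkit filtering reads, as the thread describes)."""
    clean = b"CLEAN DRIVER IMAGE v1\n"
    patched = b"CLEAN DRIVER IMAGE v2\n"
    with tempfile.TemporaryDirectory() as d:
        drv = os.path.join(d, "atapi.sys")  # hypothetical path, not C:\
        with open(drv, "wb") as f:
            f.write(clean + b"<<modified>>\n")  # what is really on disk

        def filtered_read(path: str) -> bytes:
            return clean if path == drv else read_from_disk(path)

        expected = {drv: sha256(clean)}
        new = {drv: patched}
        # 1. Honest reader (offline view): mismatch, nothing is touched.
        offline_ok = verify_then_replace(new, expected, read_from_disk)
        # 2. Compare both views: the lie shows up as a divergence.
        flagged = cross_view_mismatch([drv], filtered_read, read_from_disk)
        # 3. In-band reader (filtered): check passes, modified file is replaced.
        in_band_ok = verify_then_replace(new, expected, filtered_read)
        overwritten = read_from_disk(drv) == patched
    return {"offline_check_passed": offline_ok,
            "cross_view_flagged": flagged == [drv],
            "in_band_check_passed": in_band_ok,
            "modified_file_overwritten": overwritten}
```

The in-band result is the case the thread argues about: the checksum the patcher sees is "correct", so only a second, independent view of the disk makes the tampering visible.
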
  5. Re:M$ at root of problem...but won't admit by e2d2 · · Score: 2, Insightful

    Do you have any evidence or are you just spouting off bullshit? No need to answer, it's a rhetorical question.

    Seriously though, guys/girls like yourself need to get a fucking grip. When you say "M$" you sound like a tool. When you cry foul when there is none you sound like a tool. When you make baseless accusations against someone because they are trying to inform people of a potential rootkit problem you sound like a tool.

    Summary: You sound like a tool and people won't listen. So any future complaint or criticism, however legitimate, will simply be ignored.

  6. Re:I'm in favor of requiring Internet User's Licen by hairyfeet · · Score: 2, Insightful

    Because ANY law WILL be abused, full stop. You make it so everyone has to have an "Internet License" and can no longer post anon, you know what you will get? "Oh you posted something mean! don't you remember the Myspace suicide girl? No net for you!" "How dare you speak out against dear leader! Don't you support our troops? No net for you!"

    If you passed crap like that pretty soon the entire net would be nothing but the Home Shopping network. "Gee isn't product X swell? It sure is Biff!" because you won't dare say anything that could get your driver's license revoked. The problem with comparing the Internet to IRL is that it isn't real folks. It is easy to show some guy had a BAC equal to falling down drunk and was doing 80 in a 30 and needs his license revoked.

    But with the Internet the "rules" would end up getting written by politicians pandering to the PC police and every interest group with a checkbook. The "think of teh childrenz!" groups alone would try to turn everything into Mr. Rogers while the bible thumpers would want everything to be Jesusland, and of course the Scientology nuts would have your license for daring to even THINK the word Xenu. Yeah, no thanks, I'll stick with what we got now, thanks anyway. I haven't seen a bug since 98, and working PC repair I can say you just can't fix stupid.

    --
    ACs don't waste your time replying, your posts are never seen by me.