Rootkit May Be Behind Windows Blue Screen
L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
That's one way of forcing users to take care of an infection.
If a system has been rooted, nothing short of booting to another OS from a known clean media, mounting the disk read only, and scanning, is guaranteed to detect a root kit.
That'd make updates a real pain in the arse to install...
Need help treating your acne? Come here!
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
Well, actually no. Most rootkits either modify the permissions or patch critical system files that cannot be easily replaced, as this one does. It's designed to be stealthy -- so if you scan it, it will return a byte-for-byte copy of the original, which is kept elsewhere, while the operating system loads the infected one at boot.
Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous. This is like potholes -- while the government has a responsibility to patch the roads up so they remain drivable, cars are nonetheless designed with shocks and drivers are expected to watch for road hazards and avoid them as much as possible as well. It is a joint responsibility. Microsoft is not the sole responsible party here: The user shares the responsibility of ensuring the system has not been compromised.
#fuckbeta #iamslashdot #dicemustdie
Isn't one of the things a rootkit does is attempt to prevent detection?
How do you know that they don't try and match checksums, only the rootkit was returning the "correct" data in order to hide its presence? I mean, it is in the system file that handles reading data from hard drives, which sounds like the perfect place to put in code designed to stealth out the rootkit.
Not that I can get to the article ("Error establishing a database connection"), so I have no idea if that's the case, but it seems quite possible to me that if it's a rootkit, it's actively hiding from detection, which would seem to let Microsoft off the hook. Except for however the rootkit infected the machine in the first place.
You are in a maze of twisty little relative jumps, all alike.
That is BS and you know it.
The user installed the virus into their system by doing something stupid.
It's like blaming the US Government for letting businesses go overseas when you still shop at Walmart.
Your response is a cop out.
Your response is what is commonly known as 'blaming the victim.' Seriously, you can't imagine any other way for malware to get onto a system except user stupidity? I'd call that a failure on your part. You know, Windows fanbois remind me of battered women, explaining to others how they walked into a door or fell down some stairs. No you didn't, you let somebody beat the shit out of you and then covered it up.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
> Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous.
And saying Microsoft is responsible for ensuring compatibility with _malicious_ 3rd party software is even sillier.
If your system is screwed up by a rootkit, there is no way to 100% predict what could happen if you try to continue using it (including trying to install patches).
If the BSODs are only happening to rootkitted XP boxes then it's clearly not Microsoft's fault.
You know, it is far from easy to implement a "secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown" on a PC that has been rooted, unless you support this in hardware. And I can already hear the screaming and gnashing of teeth if some people, present company very much included, learned that PCs come with something like that.
I would certainly not be happy running hardware that I knew had something that I and no one I know could get into. And I can get into it, it's not that "trusted", is it?
No good deed goes unpunished...
As much as I hate defending MS, I can't help but doing it here.
A rootkit (and that is one) in a system means that you, being software running on that system, have no chance of detecting it, at least if it has done its homework. For the patcher, those checksums might even have been correct.
It also needn't be manipulated files. Windows, as any OS that has to allow low level drivers, allows you to load non-MS ring0 drivers. Like, say, Linux. It's either that or writing a device driver for every single pesky little controller out there. Do you think MS would do that? Or even do it well?
Now, you don't need drivers for hard drives themselves, but for their controllers. And spyware is quite keen on snuggling up to those controllers and "filtering" the calls between them and the OS. Now, those spyware drivers are deemed part of the I/O system (for obvious reasons, they are part of the HD controller drivers as far as the OS is concerned). If that driver cannot be loaded because that patch fixes a loophole the spyware used, the OS identifies that as a critical error in the HD controller driver and cannot access the hard drive anymore. BSOD.
The very same would probably happen in Linux, in BSD, in ... whatever Apple's OS is called, I forgot. You have a driver that is deemed critical by the system that fails to load.
If you want to blame anything on MS here, it's probably that these rootkit drivers could be installed in the first place. And I honestly don't know if it's MS to blame or the user. What should MS do if the user clicks "allow" on anything he gets asked? Take away control from the user? I doubt you'd like that.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Over 90% of current infections are due to social engineering (aka "user stupidity"). The rest is usually due to certain third party software from a company with a big A, usually a certain reader for a Pretty Dumb Format or a tool to make webpages flashy.
If it's blaming the victim to say that it's effing stupid to open attachments that are sent by "Lawyer" and titled "last reminder" or run "security patches" their bank sends them because else their account is closed immediately, then yes, I blame the victim. Stupidity is no excuse. And this behaviour is, bluntly, EFFING stupid!
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Checksums, 'nuff said...
Apps: Calc this for me...
rootkit: errrrrr.... ?
Apps: Busted, fscker! *and warns user*.
Here be signatures
Won't work. To take your analogy a bit farther...
The thief is the rootkit, you're the kernel, and the patch is the police.
The thief is already in, hiding behind the sofa with a gun pointed at your head. The officer knocks on your door and asks if you're being robbed. The answer is 'no'.
A rootkit can invade the lowest-level of the Virtual File System, so when a patcher running in user space asks for the checksum of the file it's about to patch, it gets a 'clean' result, even if the -real- file on the disk is something entirely different.
There are a lot of misconceptions about what rootkits really are. I encourage anyone to take a few hits of LSD and explain physics to me, or perform surgery on themselves while under the influence, that's about the closest thing I can compare to patching or rootkit detection on a system that's already compromised.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
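Added example (not from any poster in this thread) modelling the two points made above: a checksum taken through the running OS passes because a read-path filter hands back the stashed clean copy, while the same hash taken offline, the way the earlier comment about booting clean media and mounting read-only describes, fails. The file contents, paths and the stash location are constructed for the model; no real driver code is involved.

```python
import hashlib
from typing import Callable, Dict

# Constructed sample "disk": path -> raw bytes as they sit on the platters.
# The driver file is the infected copy; the rootkit stashed the original
# elsewhere so it can hand that back to anyone who asks to read the driver.
DRIVER = r"C:\Windows\system32\drivers\atapi.sys"
STASH = r"C:\Windows\system32\drivers\_stash.bin"   # hypothetical location
CLEAN_BYTES = b"MZ clean atapi.sys image (constructed)"
INFECTED_BYTES = b"MZ atapi.sys with injected read filter (constructed)"
RAW_DISK: Dict[str, bytes] = {DRIVER: INFECTED_BYTES, STASH: CLEAN_BYTES}

# Manifest a patcher or scanner would carry: known-good SHA-256 of the driver.
KNOWN_GOOD: Dict[str, str] = {
    DRIVER: hashlib.sha256(CLEAN_BYTES).hexdigest(),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def live_read(path: str) -> bytes:
    """Read through the running (compromised) OS.

    In this model the rootkit's filter sits in the disk read path and
    substitutes the stashed clean copy whenever the driver file is read,
    so anything running on the box, patcher included, sees clean bytes.
    """
    if path == DRIVER:
        return RAW_DISK[STASH]
    return RAW_DISK[path]


def offline_read(path: str) -> bytes:
    """Read the same bytes with the infected OS not running.

    Booting other media and mounting the disk read-only means no filter
    driver is loaded, so the raw on-disk contents are what comes back.
    """
    return RAW_DISK[path]


def verify(read: Callable[[str], bytes], path: str) -> bool:
    """Compare what a given read path returns against the known-good hash."""
    return sha256(read(path)) == KNOWN_GOOD[path]


if __name__ == "__main__":
    print("in-band check passes:", verify(live_read, DRIVER))     # True
    print("offline check passes:", verify(offline_read, DRIVER))  # False
```

The hash function is identical in both checks; only the read path differs, which is why a manifest check performed from inside the compromised system proves nothing.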