Slashdot Mirror


Rootkit May Be Behind Windows Blue Screen

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."

10 of 323 comments

  1. No surprise if true by al0ha · · Score: 5, Interesting

    I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:No surprise if true by Lifyre · · Score: 4, Interesting

      Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepancies to parse through?

      --
      I'll meet you at the intersection of "Should be" and "Reality"
  2. Re:Ah, well, that lets Microsoft off the hook then by Sockatume · · Score: 2, Interesting

    I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.

    --
    No kidding!!! What do you say at this point?
  3. Sounds like a House-style diagnosis by msbmsb · · Score: 2, Interesting

    Apply this patch to see if the machine is infected by some seemingly-unrelated rootkit.

  4. Re:Ah, well, that lets Microsoft off the hook then by RoFLKOPTr · · Score: 2, Interesting

    I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.

    RootKit() {
        if ( RecoveryPartitionPresent() == 1 ) {
            WriteRandomShit(RecoveryPartition);
        }
    }

  5. Re:Sounds like a good thing by Opportunist · · Score: 3, Interesting

    Uh... maybe they were fixing the loophole the spyware used to dig itself into the system? The fix plugged the hole, the (declared as system critical) spyware driver could not load, poof, BSOD.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Re:That does not matter. by Cl1mh4224rd · · Score: 4, Interesting

    Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.

    You don't know how rootkits work, do you?

    It may not be possible to detect differences in a compromised file on a rooted system, because the rootkit will respond to requests with the original file's information.

    So, for all we know, Microsoft did check the file before replacing it, but the rootkit told the OS it was unmodified.

    --
    People will pass up steak once a week, for crap every day.
  7. How could one check for rootkits? by trytoguess · · Score: 2, Interesting

    The comments here suggest ideally using a bootable CD to scan the drive, but what exactly should one use?
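
An added example, not part of the thread and not any commenter's code: a minimal cross-view check for the situation comments 6 and 7 describe, comparing driver hashes recorded by the running (possibly lying) OS with hashes computed from the same volume mounted offline under trusted boot media. The directory layout, file contents and live manifest are constructed for the demonstration, and the function names are illustrative.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()  # driver files are small

def hash_tree(root, suffixes=(".sys",)):
    """Map lower-cased relative path -> SHA-256 for driver files under root."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
                view[rel] = sha256_file(full)
    return view

def cross_view_diff(live_view, offline_view):
    """List files where the running OS and the trusted boot media disagree."""
    findings = []
    for rel in sorted(set(live_view) | set(offline_view)):
        live, off = live_view.get(rel), offline_view.get(rel)
        if live is None:
            findings.append((rel, "not-reported-by-live-os"))
        elif off is None:
            findings.append((rel, "not-on-disk-offline"))
        elif live != off:
            findings.append((rel, "content-mismatch"))
    return findings

def demo():
    # Constructed sample: a temp dir stands in for the offline-mounted volume.
    files = {"atapi.sys": b"constructed: modified bytes on disk",
             "disk.sys": b"constructed: untouched bytes",
             "hidden.sys": b"constructed: file the live OS never listed"}
    with tempfile.TemporaryDirectory() as vol:
        drivers = os.path.join(vol, "WINDOWS", "system32", "drivers")
        os.makedirs(drivers)
        for name, data in files.items():
            with open(os.path.join(drivers, name), "wb") as f:
                f.write(data)
        offline = hash_tree(vol)
    # Constructed live manifest: the compromised OS reports original atapi.sys bytes.
    live = {k: v for k, v in offline.items() if k.endswith("/disk.sys")}
    live["windows/system32/drivers/atapi.sys"] = hashlib.sha256(b"constructed: original bytes").hexdigest()
    return cross_view_diff(live, offline)
```

In practice the live manifest would be produced by running `hash_tree` inside the suspect OS and the offline one by running it from boot media against the mounted disk; any entry in the result is a discrepancy to investigate.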

  8. Re:Sounds like a good thing by Anonymous Coward · · Score: 1, Interesting

    That's not strictly true. There are user-mode rootkits, though these are much less nefarious than their kernel-mode brethren. Still, they have the ability to gain total control over pretty much everything you do in the context of your user account. Granted it doesn't totally hose your machine, but it can still cause damage.

  9. Re:Ways to alleviate this problem... by VTBlue · · Score: 2, Interesting

    //Microsoft Employee here//

    Check out Microsoft Security Essentials if you work with customers' computers.

    http://www.microsoft.com/Security_Essentials/

    It is 100% free and has gotten favorable reviews. It is also very minimalist in design and simple to understand by non-technical people.

    http://www.pcmag.com/article2/0,2817,2353447,00.asp