Slashdot Mirror


Rootkit May Be Behind Windows Blue Screen

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."

4 of 323 comments

  1. No surprise if true by al0ha · · Score: 5, Interesting

    I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re:No surprise if true by Lifyre · · Score: 4, Interesting

      Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepancies to parse through?

      --
      I'll meet you at the intersection of "Should be" and "Reality"
  2. Re:Sounds like a good thing by Opportunist · · Score: 3, Interesting

    Uh... maybe they were fixing the loophole the spyware used to dig itself into the system? The fix plugged the hole, the (declared as system critical) spyware driver could not load, poof, BSOD.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:That does not matter. by Cl1mh4224rd · · Score: 4, Interesting

    Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.

    You don't know how rootkits work, do you?

    It may not be possible to detect differences in a compromised file on a rooted system, because the rootkit will respond to requests with the original file's information.

    So, for all we know, Microsoft did check the file before replacing it, but the rootkit told the OS it was unmodified.

    --
    People will pass up steak once a week, for crap every day.
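Two of the comments above fit together: Lifyre asks for something automated that produces a list of discrepancies, and Cl1mh4224rd points out that asking the running OS about a file is useless when a rootkit is filtering the answers. The standard forensic workaround is a cross-view diff: hash every file as the live system presents it, hash the same volume again from a clean environment (a disk image or a boot from trusted media, mounted at some other path), and report what disagrees. The script below is an added example written for this page, not a tool from Slashdot, the commenters, or Microsoft. It assumes you have already obtained the offline copy by some trusted means and can point the script at both roots; the sample directories it builds are constructed stand-ins for the two views, not real disk data.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root.

    Paths are lower-cased so the two views line up regardless of how the
    offline mount reports case (Windows volumes are case-insensitive).
    """
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix().lower()] = digest.hexdigest()
    return manifest


def diff_views(live, offline):
    """Compare the live-OS manifest against the offline (trusted) manifest.

    modified:          same path, different bytes (the live view is lying
                       about the file's contents, or the file changed)
    hidden_from_live:  present on disk but missing from the live view
                       (classic rootkit file hiding)
    only_in_live:      seen by the live OS but absent offline (usually
                       volatile files created after the image was taken)
    """
    both = live.keys() & offline.keys()
    return {
        "modified": sorted(p for p in both if live[p] != offline[p]),
        "hidden_from_live": sorted(offline.keys() - live.keys()),
        "only_in_live": sorted(live.keys() - offline.keys()),
    }


def cross_view_diff(live_root, offline_root):
    """Hash both views of the same volume and return the discrepancy lists."""
    return diff_views(hash_tree(live_root), hash_tree(offline_root))


def demo():
    """Constructed sample, not real disk data.

    The 'live' directory stands in for what the running OS reports; the
    'offline' directory stands in for the same volume read from a clean
    boot. The live view serves the original driver bytes while the disk
    actually holds a trojaned atapi.sys, and one extra driver exists on
    disk that the live view never shows at all.
    """
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        offline = Path(tmp, "offline")
        files = {
            "Windows/System32/drivers/atapi.sys": b"original driver bytes",
            "Windows/System32/ntoskrnl.exe": b"kernel bytes",
        }
        for root in (live, offline):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        # On disk the driver is trojaned; the live (hooked) view still
        # returns the original bytes, which is exactly what a rootkit does.
        (offline / "Windows/System32/drivers/atapi.sys").write_bytes(
            b"trojaned driver bytes"
        )
        # A component the rootkit hides from directory listings.
        (offline / "Windows/System32/drivers/hidden.sys").write_bytes(b"payload")
        return cross_view_diff(live, offline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In real use you would point `cross_view_diff` at `C:\` (or whatever the live OS mounts) and at the offline mount of the same disk, then triage the `modified` and `hidden_from_live` lists by hand; a driver like atapi.sys showing up as modified while the live system insists it is clean is the signature Cl1mh4224rd describes. The hashing deliberately uses only the file API of whichever environment runs it, so the live-side manifest has to be captured on the suspect machine and the offline-side manifest from the trusted environment, and only then compared.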