Rootkit May Be Behind Windows Blue Screen
L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
That's one way of forcing users to take care of an infection.
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
If you were blocking sigs, you wouldn't have to read this.
Will the windows SFC (System File Checker) tool find this altered file?
If a man isn't willing to take some risk for his opinions, either his opinions are no good or he's no good
I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
Microsoft Update KB977165 triggering widespread BSOD

One of Microsoft's "Patch Tuesday" security fixes is triggering a widespread "Blue Screen of Death" problem. The cause is not the update itself, but an existing infection. So far, reports suggest that this problem affects Windows XP and Windows Vista. Once the update is applied and the system rebooted, Windows will bluescreen at boot. When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally. This is not the first time that an infection hitting atapi.sys has caused updates to trigger bluescreens.

If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update. If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer.

References:
http://isc.sans.org/diary.html?storyid=8209
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1

Detailed Repair Instructions Using the Windows XP Recovery Console

1. Boot from your Windows installation CD
Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like "Press any key to boot from CD..." - press a key.

2. Start the Recovery Console
After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing "R". Press "R" to launch the Recovery Console.
* You may be asked to choose a Windows installation. If so, choose the damaged installation (probably "1").
* You may be prompted for the Administrator password. If you do not have one, press "Enter".

3. Identify your CD drive letter
You should now be at the command prompt. Enter the following command:
map
Look for the drive letter for your CD drive. It may look something like this:
D: \Device\CdRom0
In this case, your CD drive is "D:".

4. Replace ATAPI.SYS
Enter the following, replacing "D:" with your CD drive:
cd system32\drivers
ren atapi.sys atapi.old
expand D:\i386\atapi.sy_
You should see the message "1 file(s) expanded." - this indicates you have succeeded.

5. Reboot and scan for malware
Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software.

Tags: Malware, Security, Windows
This entry was posted on Thursday, February 11th, 2010 at 17:22 and is filed under Security.
"Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connected with the XP problems. Microsoft didn't do an evil thing; who would have known?
And some other salient responses:
Michael Bristow says:
2010-02-12 at 11:48
I had a machine come across my bench with this issue, first thing Wednesday morning. One of the first things I tried was running SFC from an ERD boot disk. It replaced several files including atapi.sys, but it still would not boot. The only way to get the PC back up and running was to remove the patch.
Multiple scans, with no infection detected, and I tried re-installing the patch, only to get right back to Blue Screens.
In short, there is obviously more going on than just a problem with infected atapi.sys files.
Jim Blizzard says:
2010-02-12 at 12:00
Very nice work Patrick,
We have seen this occur on a few machines at the FAA, so I wrote a VBScript to loop through an .xls of machines and record the MD5 checksum. Thought it may come in handy for yourself and some of your readers.
http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip
"Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!
Here's a link to the report from VirusTotal when you upload an infected atapi.sys.
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
The whole moon and the entire sky are reflected in one dewdrop on the grass. - Dogen
Apply this patch to see if the machine is infected by some seemingly-unrelated rootkit.
"Yes, our security update crashed your computer. We hope you enjoyed our anti-rootkit feature."
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
Microsoft does detect it - and has since last October.
File atapi.sys received on 2010.02.11 21:58:49 (UTC)
Virus:Win32/Alureon.A
Encyclopedia entry
Updated: Dec 07, 2009 | Published: Dec 02, 2009
Aliases:
Win32/Olmarik!generic (CA)
Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Alert Level: Severe
Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary.
I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.
The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.
I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...
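Two checks described in this thread can be combined into one offline triage script: the hash comparison of atapi.sys across machines from the FAA checker comment, and the repair-shop observation that the infected file keeps its size and timestamp but has had its version-information resource overwritten, so the Version/Details tab comes up empty. The following is an added example written for this page in Python; it is not code posted by any commenter, by Patrick Barnes, or by Microsoft. It assumes the disk is mounted in another system or from live media (as the rootkit comments explain, a booted infected system answers file reads with clean-looking data), the KNOWN_GOOD_SHA256 set is a placeholder you fill from clean installation media, and build_minimal_pe produces constructed test input only, not a real driver.

```python
import hashlib
import struct
import sys

RT_VERSION = 16  # resource type ID of VS_VERSION_INFO (what the Version/Details tab displays)

# Placeholder: fill with SHA-256 digests of atapi.sys taken from clean installation
# media for each Windows build you support. Left empty here on purpose.
KNOWN_GOOD_SHA256 = set()


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    return None


def _resource_type_ids(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dd_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: 112 bytes in
        dd_off = opt_off + 112
    else:
        return None
    res_rva, res_size = struct.unpack_from("<II", data, dd_off + 2 * 8)  # entry 2 = resources
    if res_rva == 0 or res_size == 0:
        return set()
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsec):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_off + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    root = _rva_to_offset(sections, res_rva)
    if root is None or root + 16 > len(data):
        return None
    n_named, n_id = struct.unpack_from("<HH", data, root + 12)
    ids = set()
    for i in range(n_id):   # ID entries follow the named ones; each entry is 8 bytes
        entry = root + 16 + (n_named + i) * 8
        ids.add(struct.unpack_from("<I", data, entry)[0] & 0x7FFFFFFF)
    return ids


def resource_type_ids(data):
    """Return the set of top-level resource type IDs in a PE image, or None if it is not parsable."""
    try:
        return _resource_type_ids(data)
    except struct.error:   # truncated or malformed headers
        return None


def triage_driver(data, known_good=KNOWN_GOOD_SHA256):
    """Triage one driver image read from an offline-mounted disk, never through the possibly rooted OS."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in known_good:
        return {"sha256": digest, "verdict": "known-good", "findings": []}
    findings = ["sha256 not in the known-good list"]
    ids = resource_type_ids(data)
    if ids is None:
        findings.append("not a parsable PE image")
    elif RT_VERSION not in ids:
        findings.append("no VS_VERSION_INFO resource: the Version/Details tab would be empty")
    verdict = "suspicious" if len(findings) > 1 else "unknown"
    return {"sha256": digest, "verdict": verdict, "findings": findings}


def build_minimal_pe(resource_types):
    """Construct a toy PE32 image whose .rsrc root lists the given type IDs (constructed test data only)."""
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(resource_types))
    for type_id in resource_types:
        rsrc += struct.pack("<II", type_id, 0x80000000)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94                        # PE32 magic, rest zeroed
    for index in range(16):                                            # 16 data directories
        opt += struct.pack("<II", 0x1000, len(rsrc)) if index == 2 else struct.pack("<II", 0, 0)
    sec = b".rsrc\0\0\0" + struct.pack("<IIII", len(rsrc), 0x1000, len(rsrc), 0x200) + b"\0" * 16
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + rsrc


if __name__ == "__main__":
    # Usage: python triage.py X:\Windows\System32\drivers\atapi.sys   (X: = the offline-mounted disk)
    for path in sys.argv[1:]:
        with open(path, "rb") as handle:
            print(path, triage_driver(handle.read()))
```

A hash miss alone only yields "unknown", because a legitimately different build of the driver (a service pack, a hotfix) will also miss the list; the missing version resource is what raises the verdict to "suspicious". Neither check replaces a scan with current definitions, it just flags the files worth replacing from the i386 folder first.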
Rootkit? I don't see it. Maybe it's because this damn blue screen is blocking my view.
The game.
The issue appears to be the result of an infected driver relying on some internal bits of the kernel that were patched. It's actually the author of the software that infected the driver that's causing the problem.
The infected driver was _NOT_ part of the Windows update and the update had no dependency on that driver.
This is not Microsoft's fault.
While I'm all for free speech, I do prefer that the speaker have some sort of expertise on the topic.
Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.
You don't know how rootkits work, do you?
It may not be possible to detect differences in a compromised file on a rooted system, because the rootkit will respond to requests with the original file's information.
So, for all we know, Microsoft did check the file before replacing it, but the rootkit told the OS it was unmodified.
People will pass up steak once a week, for crap every day.
Do you have any evidence or are you just spouting off bullshit? No need to answer, it's a rhetorical question.
Seriously though, guys/girls like yourself need to get a fucking grip. When you say "M$" you sound like a tool. When you cry foul when there is none you sound like a tool. When you make baseless accusations against someone because they are trying to inform people of a potential rootkit problem you sound like a tool.
Summary: You sound like a tool and people won't listen. So any future complaint or criticism, however legitimate, will simply be ignored.
The comments here suggest ideally using a bootable CD to scan the drive, but what exactly should one use?
And what happens when the rootkit bypasses the operating system access to that file and returns the expected results? This is a rootkit after all.
And HOW exactly should they check if the system has been infected by a rootkit that shows the patcher a file that matches the checksum?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
AC's don't get mod points! ;)
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Checksums, 'nuff said...
Apps: Calc this for me...
rootkit: errrrrr.... ?
Apps: Busted, fscker! *and warns user*.
Here be signatures
Won't work. To take your analogy a bit farther...
The thief is the rootkit, you're the kernel, and the patch is the police.
The thief is already in, hiding behind the sofa with a gun pointed at your head. The officer knocks on your door and asks if you're being robbed. The answer is 'no'.
A rootkit can invade the lowest-level of the Virtual File System, so when a patcher running in user space asks for the checksum of the file it's about to patch, it gets a 'clean' result, even if the -real- file on the disk is something entirely different.
There are a lot of misconceptions about what rootkits really are. I encourage anyone to take a few hits of LSD and explain physics to me, or perform surgery on themselves while under the influence, that's about the closest thing I can compare to patching or rootkit detection on a system that's already compromised.
"Sometimes, I think Trent just needs a cup of hot chocolate and a blankie." -Tori Amos on Nine Inch Nails
//Microsoft Employee here//
Check out Microsoft Security Essentials if you work with customers computers.
http://www.microsoft.com/Security_Essentials/
It is 100% free and has gotten favorable reviews. It is also very minimalist in design and simple to understand by non-technical people.
http://www.pcmag.com/article2/0,2817,2353447,00.asp
Because ANY law WILL be abused, full stop. You make it so everyone has to have an "Internet License" and can no longer post anon, you know what you will get? "Oh, you posted something mean! Don't you remember the Myspace suicide girl? No net for you!" "How dare you speak out against dear leader! Don't you support our troops? No net for you!"
If you passed crap like that, pretty soon the entire net would be nothing but the Home Shopping Network. "Gee, isn't product X swell? It sure is, Biff!" because you won't dare say anything that could get your driver's license revoked. The problem with comparing the Internet to IRL is that it isn't real, folks. It is easy to show some guy had a BAC equal to falling-down drunk and was doing 80 in a 30 and needs his license revoked.
But with the Internet the "rules" would end up getting written by politicians pandering to the PC police and every interest group with a checkbook. The "think of teh childrenz!" groups alone would try to turn everything into Mr. Rogers, while the bible thumpers would want everything to be Jesusland, and of course the Scientology nuts would have your license for daring to even THINK the word Xenu. Yeah, no thanks, I'll stick with what we've got now, thanks anyway. I haven't seen a bug since 98, and working PC repair I can say you just can't fix stupid.
ACs don't waste your time replying, your posts are never seen by me.