Rootkit May Be Behind Windows Blue Screen

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."

Sounds like a good thing

That's one way of forcing users to take care of an infection.

Re:Ah, well, that lets Microsoft off the hook then

[Com2Kid]

After all, there's no way that their malware tool could have spotted it

If a system has been rooted, nothing short of booting to another OS from a known clean media, mounting the disk read only, and scanning, is guaranteed to detect a root kit.

That'd make updates a real pain in the arse to install...

No surprise if true

[al0ha]

I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.

Re:No surprise if true

[The+MAZZTer]

If you compare a file listing run from inside the machine to one run from a bootable CD OS where the rootkit can't load, different files are a dead giveaway that something is being hidden, and a rootkit can't work around this.

There are also lower level APIs one can use inside of an OS that are much harder for a rootkit to patch so such tools can also locate some rootkits without needing to boot from CD. See: RootkitRevealer

Inadequate regression testing

[Ralish]

Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!

Remove it with ComboFix

[cyprezzz]

I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.

At rainbow's end: Win32/Alureon.A detected

[westlake]

After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

Microsoft does detect it - and has since last October.

File atapi.sys received on 2010.02.11 21:58:49 (UTC)

Virus:Win32/Alureon.A
Updated: Dec 07, 2009

Aliases:

Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)

Encyclopedia entry

Updated: Dec 07, 2009 | Published: Dec 02, 2009

Aliases

Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)

Alert Level
Severe

Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... . Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary

ATAPI.SYS Infections

[nlewis]

I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.

The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.

I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...