Slashdot Mirror


Microsoft Confirms Update-Linked BSODs Required Compromised Machines

Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates are the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it was now confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.

199 comments

  1. But better than not finding out at all. by dmgxmichael · · Score: 5, Insightful

    Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

    1. Re:But better than not finding out at all. by bigredradio · · Score: 2, Insightful

      First post...that would be you sir.

    2. Re:But better than not finding out at all. by Rockoon · · Score: 1

      How about queue up the idiots who demand that microsoft do a checksum on the files it patches...

      ..because in their universe, files that have been over-written still contain bits of the old files that will execute and cause blue screens.

      --
      "His name was James Damore."
    3. Re:But better than not finding out at all. by Anonymous Coward · · Score: 5, Funny

      The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

    4. Re:But better than not finding out at all. by geminidomino · · Score: 1

      Depends...

      If MS10-015 was meant to protect against/fix Alureon infections, then yeah, it doesn't seem unreasonable to ask that it not hose the machine.

      OTOH, if the fix was for something else and it just happened to go tits-up in that particular odd case, then yeah, MS is off the hook.

    5. Re:But better than not finding out at all. by The+Archon+V2.0 · · Score: 1

      files that have been over-written still contain bits of the old files that will execute and cause blue screens.

      Why not? DNA contains bits that will de-evolve you back into a frog or lizard or caveman.

      The Archon V2.0
      Graduate, Starfleet Academy biology program.

    6. Re:But better than not finding out at all. by TubeSteak · · Score: 4, Informative

      Don't worry, it looks like the malware authors have already rushed out an update for their rootkit
      http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

      --
      [Fuck Beta]
      o0t!
    7. Re:But better than not finding out at all. by buti · · Score: 1

      Maybe someone should just demand that Microsoft remove known rootkits when patching.

      --
      neither do i
    8. Re:But better than not finding out at all. by lgw · · Score: 4, Informative

      Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:But better than not finding out at all. by Jugalator · · Score: 1

      First post...that would be you sir.

      That was a demand?

      --
      Beware: In C++, your friends can see your privates!
    10. Re:But better than not finding out at all. by rve · · Score: 2, Funny

      The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

      An OS update shouldn't break third party applications such as rootkits. Many people's livelihoods depend on these rootkits. Did you guys at MS even consider how difficult it is to retroactively patch infected torrents once they're out on the net?

    11. Re:But better than not finding out at all. by Johnno74 · · Score: 3, Insightful

      Wow, nice way to find/create an anti-MS slant on the story. I can respect people who bash Microsoft if they know what they are talking about, but you clearly don't, so no biscuit.

      Problems with your theory:

      1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.

      2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.

      3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first, then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition, cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.

    12. Re:But better than not finding out at all. by GNious · · Score: 1

      haha, but ...

      Why are there unpublished APIs available for 3rd parties of any kind to call without some kind of security check? Why are MS allowing these unpublished APIs to be used, and could they possibly be removed for the safety and sanity of systems?

      I can appreciate that some may be there for the OS to use, but would it be feasible for the APIs to include some kind of authentication model ensuring that only the proper software (MS's own OS) is using them?

      Just worried that there are bits and pieces of the system that aren't really documented, aren't safe and getting abused...

    13. Re:But better than not finding out at all. by ozmanjusri · · Score: 1

      They did get Mark Russinovich's Rootkit Revealer when they grabbed Sysinternals, so it would make sense that they include a scan.

      Having said that though, it looks like it hasn't been updated since Microsoft took it over.

      --
      "I've got more toys than Teruhisa Kitahara."
    14. Re:But better than not finding out at all. by __aasqbs9791 · · Score: 1

      In his defense, the people of Big Red Radio's home planet are extremely polite. I, for one, welcome our Overlords, is actually a variation of their standard greeting.

    15. Re:But better than not finding out at all. by Aphoxema · · Score: 1

      Some rootkits are intentional, like some viruses (I guess they're not really viruses then). As an option, sure, but as a regular part of the update process it can be dangerous.

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
    16. Re:But better than not finding out at all. by ashridah · · Score: 3, Interesting

      When the rootkit has complete, unrestricted access to the system, *it can do anything it wants*. There really isn't a way to stop it, unless you've forced it into a lower-security prison (aka, user-level).

      If it wants to pick a random memory address that it's hard coded and jump to it, it can do it. The CPU's not going to stop it, and Windows is not responsible for fixing that. You may as well ask for the Linux kernel to stop a rootkit module from rewriting the software interrupt vector tables and hooking into system calls. If it has write-anywhere memory level access (and it does, it's in the kernel during initialization, launched by root), then it can write bytes to memory, anywhere it chooses. If you then upgrade to a kernel with a different system call table layout due to an improvement, and the malware doesn't self-correct? Boom!

      Now, solutions to this involve things like virtualization and sandboxing, but we're not quite there yet. I wouldn't actually mind seeing an operating system take advantage of VT and other things to produce an OS with a secure core, that self-verifies and only accepts signed updates.

    17. Re:But better than not finding out at all. by dhavleak · · Score: 3, Insightful

      I think that award goes to Timothy -- our fearless fudding editor. I mean, consider how he ended TFA: "That seems a harsh way to find out that your Windows machine has been rooted."

      Alright, maybe that's a harsh assessment, but after countless other posts like this I'm not inclined to give him the benefit of doubt. Let's recap:
      1. The Alureon rootkit isn't new, and should be detected by any AV worth its salt
      2. That being the case, affected users were not running AV, or were infected before they installed their AV.
      3. Affected users are running a 10-year-old OS.
      4. More recent OSes (64-bit Vista and Win7) have inbuilt measures that render Alureon ineffective (PatchGuard - which checks for signatures on kernel modules).
      5. 32-bit Vista and Win7 would be immune as well if the AV cartel had not threatened to approach the DOJ with antitrust complaints if MS implemented PatchGuard in the 32-bit versions.
      6. MS has made online scanning tools, a malware removal tool, and a free AV/security suite (MS security essentials) that any of the affected users could have used, prior to the update, and they would have been fine.

      So now, short of forcibly enrolling users in "install and run AV 101", what else could you be calling for, Mr. Timothy (editor) when you say that you think this is a particularly harsh way to find out that you've been infected? What the fuck else do you think MS should do? Go back in time, and fucking add patch guard to XP before they release it? I'm really fucking interested in hearing your opinion on this.

    18. Re:But better than not finding out at all. by mrmeval · · Score: 1

      That seems a harsh way to find out that your Windows machine has been rooted.

      I wish every update had such a botnet killer in it. Damn that would be sweet. I'm tired of the spam and the bandwidth killing. Failing that we could enact a government tax of 25cents an email. HA!

      Q: Would it be possible to run a hypervisor as part of an OS so that the OS maintainer be it the evil empire or ahbuntu could detect and eradicate malware and virii? I've done similar with ghost in the past but I am not up to speed on virtual machines yet.

      --
      I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
    19. Re:But better than not finding out at all. by hairyfeet · · Score: 1

      Well it appears that MS10-015 patch was for a locally logged on user using a specially crafted app to gain privilege escalation, so it doesn't appear to be designed for that specific rootkit in mind.

      That said, considering how many third party apps run on Windows I was always impressed by how few times a MSFT patch caused a problem, and if anything this BSOD should serve as a wake up call to those affected to actually clean up their systems and put on a decent AV. Just this Monday I had a PC cross my desk that had over 1000 infected objects. The user hadn't changed squat from when it had been bought new, which unfortunately, thanks to truly shitty security policies at most OEMs and retailers, means that it had NO autoupdates and was in fact still at SP2, with a Norton crapware AV install that of course had been out of date and non-functional since 2004.

      We geeks really need to raise the alarm and shame these OEMs and stores like Best Buy into having decent defaults on their PCs. I have yet to see one from an OEM cross my desk that didn't have autoupdates turned off and some 30 day trial of crapware AV installed instead of something decent. I make sure any PC I sell has Comodo AV, autoupdates turned on, and Firefox with ABP installed, and you would be surprised how just these few changes really cut down on the malware. Too many home users think their PC should just work out of the box (and IMHO rightly so) and end up with a badly pwned machine because the defaults are so shitty. There should really be a policy in place to shame these companies until they set more decent defaults.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    20. Re:But better than not finding out at all. by Anonymous Coward · · Score: 0

      Might as well just squash the malware if one of the patches is updating the file it lives in, rather than remove it and replace that same file...

    21. Re:But better than not finding out at all. by Anonymous Coward · · Score: 0

      OK, ok.. I'll give it a shot...

      Any competent vendor would verify their updates against their biggest customers. When a browser gets released it's checked against Google and Yahoo and Facebook, even if those sites might use some bizarre html/ajax/flash combinations. So Microsoft should also verify that their patches work correctly with their biggest customers, the malware authors!!

      I kid, I kid...

    22. Re:But better than not finding out at all. by bmckeever · · Score: 1

      Well, here's one from 5 days ago. I think he beat you.

      --
      Your favorite .sig sucks
    23. Re:But better than not finding out at all. by Pharmboy · · Score: 3, Funny

      Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

      To be fair, Microsoft is years ahead of Linux in this area. Linux isn't compatible with almost every kind of virus/malware. Wine is helping by providing the APIs needed for some malware, but Linux (iptables in particular) still interferes with the proper operation of some of these programs. Like it or not, if you want to run these malware programs reliably, you should stay away from Linux. At least Microsoft lets you run *most* of these viruses after an update.

      --
      Tequila: It's not just for breakfast anymore!
    24. Re:But better than not finding out at all. by antek9 · · Score: 2, Informative

      May I point you to the PS3's operating system, then? It's taken years, a hardware hack, and an ingenious hacker to even bypass the hypervisor on the system, and even then he's not even close to running arbitrary (unsigned) code on the box. My 2 cents: your last paragraph scenario is already possible and being implemented, just not by every vendor.

      Microsoft might want to cut Sony's engineers some slack there. And yes, I do know the downside to it: everything, every single application would have to be signed and greenlighted by Microsoft, Ubuntu, Redhat, you name it. Just like Apple and Google do it for their mobile platforms. A pain, sure, but: no pain, no gain.

      --
      A World in a Grain of Sand / Heaven in a Wild Flower,
      Infinity in the Palm of your Hand / And Eternity in an Hour.
    25. Re:But better than not finding out at all. by yuhong · · Score: 1
    26. Re:But better than not finding out at all. by smash · · Score: 3, Informative

      Maybe because if you're not patched, you'll often get re-infected before the update is completed?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    27. Re:But better than not finding out at all. by smash · · Score: 3, Insightful

      I have no problem with patches bluescreening rooted boxes. If your box is rooted, the only way to be sure to fix it is a reinstall - having patches try to work around rootkit installs is retarded. If you don't know you're rooted, then too bad. Learn to maintain your pc/network.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    28. Re:But better than not finding out at all. by dhavleak · · Score: 1

      Amen to that.

      I mean, we know there are technophobes out there. We know there are people who just can't understand the importance of running up to date AV, latest updates etc., or simply can't figure out how to do it -- but seriously -- what can you do for such users? You can make your OS more and more secure with its default settings. You can make free online scanners available. You can make free AV available. In as far as you don't get dragged into court for retarded reasons, you can try to make your kernel not load untrusted modules. You can even try to educate users or warn users (this is not signed, do you really want to run it?). But if they defeat your every measure through sheer ignorance, if they are too ignorant to even know that merely upgrading their OS makes them a bit safer, what can you do beyond just sympathizing with them?

    29. Re:But better than not finding out at all. by poena.dare · · Score: 4, Funny

      Dear Microsoft:

      Please continue to turn off users' computers which are compromised. If at all possible, please display a message directing anyone in my zip code that I'm available to fix it for them at competitive prices. I really need the work.

    30. Re:But better than not finding out at all. by sabt-pestnu · · Score: 0

      And I'm partially wrong, there. The rootkit is sophisticated, covering its tracks on the infected file(s), serving up the original file to disk access requests.

      There's still the problem that the microsoft update is not up to the task of diagnosing a system that's gotten rootkitted.

      There's no real point to upgrading a system that's already been compromised, it's too late by that time. Using the upgrade system to download rootkit detectors, that's a different matter.

    31. Re:But better than not finding out at all. by jonadab · · Score: 3, Interesting

      He didn't demand anything of the kind. He only suggested it, if anything in a way that implied it would be an unreasonable expectation. Which it would be, because, frankly, once you become aware that a system has a rootkit installed, the only sane thing to do is a complete format and reinstall.

      Well, you can do some forensics first if you want, and maybe copy off some data (if you're careful about how you do it so as not to infect any system you copy it to). But you're going to boot from known-clean (and, preferably, read-only) media to do those things, NOT from the known-infected system. (A LiveCD is what I would recommend for such post-mortem activities.) If you want to actually boot from and use the infected system again, it needs a clean reinstall first, period. Do not pass go, do not collect two hundred dollars. Booting from the infected system is highly inadvisable and much worse than useless, because the system is compromised. Only someone who doesn't know any better due to a complete lack of understanding of security issues would even consider doing that.

      So personally I don't see how this way of finding out is any more brutal than any other way of finding out. Continuing to use the system, even though it has a rootkit, wouldn't be a reasonable course of action anyway. Nobody who understands security would do that, and nobody else *should* either.

      (Unless you're operating some kind of firewalled-garden virtualized honeypot network for the express purpose of studying how infections spread, but in that case you wouldn't be deploying the patch. I suppose if you were doing a controlled study on the effectiveness of the patch... but we're now DEEP into the realm of purely hypothetical problems with no real-world impact whatsoever.)

      If we were going to criticize Microsoft here, it would be for other things, such as how long it took them to deliver the patch once the issue was reported. (I don't happen to know how long it was in this instance, BTW; I wasn't following this particular vulnerability very closely.)

      Assuming it's true that the patch only causes problems on already-rootkitted systems (and I haven't seen anyone claim the contrary), then that's not really a meaningful flaw in the patch, IMO. Those systems were already toast anyway. How well does the patch work on systems that hadn't been infected? That's what matters.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    32. Re:But better than not finding out at all. by Anonymous Coward · · Score: 0

      I would hazard that they do it in this order so that the DLLs cannot simply be reinfected after the malware is removed i.e. they patch the potentially affected files, and then attempt to remove the malware that may or may not have been infecting them (and hopefully it cannot reinfect them because of the patch fixing the exploit vectors that the malware was using).

    33. Re:But better than not finding out at all. by TheLink · · Score: 1

      > every single application would have to be signed and greenlighted by Microsoft

      Not so viable for Microsoft given their monopoly status (assuming the regulators aren't asleep), and backward compatibility reasons.

      They'd have to do things a different way.

      --
    34. Re:But better than not finding out at all. by gig · · Score: 1

      Why don't they just make their operating system incompatible with viruses and malware? Somehow everybody else manages it.

    35. Re:But better than not finding out at all. by Anonymous Coward · · Score: 1, Interesting

      Race condition, I guess - if you do the malware removal first, then there will be a window of opportunity to get reinfected by the same flaw until the updates apply.

      Just a guess, though.

    36. Re:But better than not finding out at all. by Garridan · · Score: 2, Funny

      Oh snap! Your computer crashed because it had malware! Harsh man, that was real harsh. Couldn't the rootkit like, call you up and say "hey man, I'm in ur system, mining ur dataz", rather than just crash? That would be a lot more convenient, and significantly less harsh. I mean, what are they going to do next -- make the computer insult you, too?

    37. Re:But better than not finding out at all. by weicco · · Score: 1

      Just a side note, a little off topic.

      I worked in a company which built their own VPN style software. I was in the team writing Windows NDIS (network stuff) drivers. Now if you played by the book (DDK specs) everything went fine. But there were, and still are, some AV software vendors that weren't acting nicely and were doing all kinds of nasty stuff with their own drivers and not respecting DDK specs at all. I think they were intercepting messages passed to the drivers and altering kernel function pointers and stuff. I can't remember exactly. But anyway, this caused frantic BSODs with our driver and even with Microsoft's example skeleton driver.

      Now those vendors were doing legitimate AV software. I can't even imagine which kind of havoc rootkit "vendors" would have caused.

      --
      You don't know what you don't know.
    38. Re:But better than not finding out at all. by Anonymous Coward · · Score: 1, Informative

      Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.

      Because removing malware can be risky work. Much better to make sure the machine is patched if something goes wrong with malware removal.

    39. Re:But better than not finding out at all. by aug24 · · Score: 1

      Your comment is a little - just a LITTLE! - over the top for what Timothy actually wrote. I mean, it *is* a harsh way to find out.

      Do you need to get laid by any chance?

      Justin.

      --
      You're only jealous cos the little penguins are talking to me.
    40. Re:But better than not finding out at all. by Anonymous Coward · · Score: 0

      May I point you to the PS3's operating system, then? It's taken years, a hardware hack, and an ingenious hacker to even bypass the hypervisor on the system, and even then he's not even close to running arbitrary (unsigned) code on the box

      And it's still useless for using as a computer. You might as well point to a shoe, as a shoe has no problems with code having unrestricted access either. And just like a PS3, a shoe is useless as a computer.

    41. Re:But better than not finding out at all. by HyperQuantum · · Score: 1

      5. 32-bit Vista and Win7 would be immune as well if the AV cartel had not threatened to approach the DOJ with antitrust complaints if MS implemented PatchGuard in the 32-bit versions.

      Could you provide a link to some source for this?

      Too bad that things have turned out like this; the entire AV industry should not have existed at all IMO! And it makes me wonder; they might have an implementation ready, but weren't allowed to use it.

      --
      I am not really here right now.
    42. Re:But better than not finding out at all. by initdeep · · Score: 1

      Have you ever actually first booted an OEM machine from a major vendor that has windows pre-installed?
      If so, you would know that it goes through the end of the install/setup process and asks the user several things, one of which is whether or not they would like auto updates turned on.

      It's not the OEM's fault that some asshat "geek" friend has told Joe and Jill Sixpack not to turn on auto updates because "it could hose your stuff dude." or similar.

      If the Windows computer does not go through this setup process on first boot, then it's not new.

      sysprep is a wonderful thing.

    43. Re:But better than not finding out at all. by lgw · · Score: 1

      I would have thought it more likely that the patch will get re-corrupted by the already-installed malware before that malware can be removed. I guess the threat you highlight is more likely.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    44. Re:But better than not finding out at all. by Rockoon · · Score: 1

      Did you even read what you replied to?

      You seem to think that it says the opposite of what it says.

      --
      "His name was James Damore."
    45. Re:But better than not finding out at all. by dhavleak · · Score: 1

      Sure:

      • See here: McAfee & Symantec got the EU involved, and Neelie Kroes seemed happy to oblige.
      • Or here
      • A bit longer (the main stuff is a few pages in).

      MS basically didn't want to do the whole dog and pony show for the US DOJ and EU's committee -- so they came up with this compromise (PatchGuard in 64-bit OSes only), and in return McAfee and Symantec dropped their objections. These links are actually after the fact (after that agreement was brokered, and the fight continued for 64-bit windows).

    46. Re:But better than not finding out at all. by dhavleak · · Score: 1

      Your comment is a little - just a LITTLE! - over the top for what Timothy actually wrote. I mean, it *is* a harsh way to find out.

      I acknowledged that already "Alright, maybe that's a harsh assessment, but after countless other posts like this I'm not inclined to give him the benefit of doubt."

      It's true -- it's a hard way to find out. It's also true that it's a snarky remark and a cheap shot. Timothy and Kdawson (and other editors too) either take cheap shots or propagate outright FUD regarding MS all the time. There is a financial motive -- it drives views and ad-clicks. There is a vested interest (not the site ownership). I am not inclined to give this site and its editors the benefit of doubt anymore. They've been doing this for years now.

    47. Re:But better than not finding out at all. by dhavleak · · Score: 1

      *Note the site ownership (instead of "not").

    48. Re:But better than not finding out at all. by Johnno74 · · Score: 1

      Ahh... oops.. Yep, right you are. Sorry, my bad.

    49. Re:But better than not finding out at all. by hairyfeet · · Score: 1

      Actually I haven't seen that screen in years man. Most of the OEMs now have that preset from the factory with something like HP User as the default user account, as admin of course. Same thing with Best Buy, which has "name of PC manufacturer_user" as the default account. Just the other day I had to use an OEM system repair CD (because the girl wanted her Kodak software she bought from the trialware) and it never asked me a single question. When it popped up it was "Gateway_User" on the account. And autoupdates was turned off, and she had a host of trialware I had to decrapify.

      So we really can't blame the user for this one. In the old days of Win98 I would have agreed with you, but since XP Sp2 I can't even remember the last time I saw a clean installed OEM ask you anything. They have all jumped on the preset branded images that go straight to desktop on first run. So we need to seriously shame them until they flip the switch and put autoupdates to true on their system images.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Not that harsh by bigredradio · · Score: 5, Insightful

    Yeah a BSOD is harsh, but finding your bank account mysteriously drained of funds is more harsh. At least they found out.

    1. Re:Not that harsh by Anonymous Coward · · Score: 0

      You missed the lost thesis post?

    2. Re:Not that harsh by Anonymous Coward · · Score: 0

      You missed the easy solution to recover it with a Live CD? It wasn't "Lost", it was "temporarily inaccessible".

    3. Re:Not that harsh by Anonymous Coward · · Score: 0

      Yeah, it could have been a lot worse. Suppose the rootkit were robust against WU patches... then it would still be there and they wouldn't know about it. They were lucky that the circumstances were just right to out the rootkit.

    4. Re:Not that harsh by Anonymous Coward · · Score: 0

      Coincidentally, the fortune at the bottom of the page when I first read this post said:

      "Your computer account is overdrawn. Please reauthorize."

  3. The Alureonians by Anonymous Coward · · Score: 0

    First, they compromise our computers,

    Then, their ships will drop out of hyperspace and invade.

    You'll see. Mark my words. You all will see.

  4. Better than not knowing that you've been rooted by jandrese · · Score: 4, Insightful

    The bluescreen may be painful, but it is far less painful than having your information stolen by criminals. Assuming of course the people who own the machines are savvy enough to properly install their firewalls and virus protection next time.

    --
    I read the internet for the articles.
    1. Re:Better than not knowing that you've been rooted by Locutus · · Score: 4, Insightful

      It was probably about 6 years ago when a number of government offices, American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
      In plain language, many government computers and business computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

      Now I wonder if this is what took out all those Norfolk VA computers. The ones which it was said that they don't think it was something they got off the internet but in the same breath said they don't know what caused it or how it got there.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    2. Re:Better than not knowing that you've been rooted by Anpheus · · Score: 1

      You can't secure any unverified code without unplugging it. And verifying, truly verifying code is expensive and laborious and will likely never be done for something as huge as Windows or a Linux distro.

      Unfortunately, the cost-benefit analysis of verifying code against a spec and proving the security of it shows that it's not worth it in the vast majority of situations.

    3. Re:Better than not knowing that you've been rooted by geekprime · · Score: 2, Interesting

      Couldn't a deep packet inspection reveal the botnet behaviors regardless of how good the rootkit was?

      Sounds like a home router feature to me...

    4. Re:Better than not knowing that you've been rooted by X0563511 · · Score: 1

      SSL or any other common encryption scheme throws that out the window.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Better than not knowing that you've been rooted by zero0ne · · Score: 1

      You may not be able to see the ACTUAL traffic, but shouldn't you still see that 50 PCs on your network all of a sudden start trying to connect securely to a server in China?

      I don't think there is any easy way around this.

      Even if the IP it was connecting to ended up being within your country, the simple fact that it is all being recorded and data-mined by some company wide application means that given enough time, a pattern will be discovered, and can then be countered.

    6. Re:Better than not knowing that you've been rooted by Anonymous Coward · · Score: 0

      You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

      The funny thing is that you can replace Windows by Linux, *BSD or any other OS/Kernel and the sentence still applies! Let's not be fucking retarded and assume this is a Windows thing.

    7. Re:Better than not knowing that you've been rooted by bertok · · Score: 4, Informative

      It was probably about 6 years ago when a number of government offices, American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
      In plain language, many government computers and businesses' computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

      Oh, I assure you, they know about it. They're just too incompetent to do anything about it.

      I was once at a large bank, and I was warned not to plug my laptop into the bank's network. At first I was thinking "this must be for security reasons, they clearly don't (and shouldn't) trust some random consultant's laptop on their network", but then I was told that it was for my own protection. Apparently the bank network was so lousy with viruses that a laptop without the latest patches would last only minutes before it was rooted. I keep my work laptop patched, so I did plug in. I ran Wireshark for a few minutes, which detected about a dozen hack attempts on my machine. On top of this, many of their servers were running ancient versions of Windows, many at RTM patch levels. I suspect they were all infected, but I didn't have a chance to look into it.

      It's not just one or two financial institutions, from what I gather, many of the larger ones have infections.

      This is what excessive bureaucracy does to IT: the amount of paperwork required to approve a patch is so onerous that IT managers simply don't patch servers. The paperwork is meant to prevent the minor problem of 'unapproved' patches causing disruptions, but the end result is even worse, which is unpatched machines with rampant infections.

    8. Re:Better than not knowing that you've been rooted by smash · · Score: 1
      Yes, you would.

      Encryption/obscuring traffic helps hide it, but if the volume is in any way significant, a competent admin will spot it and note as suspicious regardless of whether or not he can see what the traffic actually contains.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:Better than not knowing that you've been rooted by El_Oscuro · · Score: 1

      Where is my +1 Scary mod?

      --
      "Be grateful for what you have. You may never know when you may lose it."
    10. Re:Better than not knowing that you've been rooted by Anonymous Coward · · Score: 0

      There is a lot of FUD here.

      With this, there seems to be an issue of the point of the rootkit, nonetheless why people insist that it gets the Windows Blue Screen. The writer of this wants RAM dumps. There are other points of infiltration here.

    11. Re:Better than not knowing that you've been rooted by geekprime · · Score: 1

      If I send out 100 SMTP emails in even a week, I don't think having my router direct me to a page asking me if _I_ did that and if I want to increase the number of emails/week before it warns me again is going to be that hard.

      If the EMAILS were encrypted they would be useless, wouldn't they?
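The volume-based detection argued for in the comments above (zero0ne: many internal hosts suddenly reaching one external TLS endpoint; geekprime: a per-host outbound SMTP budget) can be run over connection logs without decrypting anything. This is an added example, not code from the thread or from any product named in it; the log format, thresholds and IP addresses are constructed for illustration.

```python
"""Two volume heuristics for spotting botnet clients from connection metadata.

Added example, not from the Slashdot thread. Input is a constructed list of
connection records; real sources would be firewall or NetFlow exports.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str      # internal host
    dst: str      # external host
    dport: int    # destination port


def parse_line(line: str) -> Conn:
    # Constructed format: "2010-02-12T09:00:03 10.0.0.17 -> 203.0.113.5:443"
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), src, dst, int(port))


def shared_tls_endpoints(conns, window=timedelta(minutes=10), min_hosts=5):
    """Map external dst -> sorted internal hosts for every port-443 endpoint that
    at least `min_hosts` distinct internal hosts contacted within one `window`.
    The payload is encrypted; only who-talks-to-whom and when is used."""
    by_dst = defaultdict(list)
    for c in conns:
        if c.dport == 443:
            by_dst[c.dst].append(c)
    flagged = {}
    for dst, items in by_dst.items():
        items.sort(key=lambda c: c.ts)
        best, i = set(), 0
        for j in range(len(items)):            # sliding time window [i, j]
            while items[j].ts - items[i].ts > window:
                i += 1
            hosts = {c.src for c in items[i:j + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[dst] = sorted(best)
    return flagged


def smtp_senders_over_limit(conns, limit=100, period=timedelta(days=7)):
    """Map internal src -> total port-25 connections for hosts that opened more
    than `limit` outbound SMTP connections inside any single `period`."""
    by_src = defaultdict(list)
    for c in conns:
        if c.dport == 25:
            by_src[c.src].append(c.ts)
    over = {}
    for src, times in by_src.items():
        times.sort()
        i = 0
        for j in range(len(times)):
            while times[j] - times[i] > period:
                i += 1
            if j - i + 1 > limit:
                over[src] = len(times)
                break
    return over


def build_sample_log():
    """Constructed log: six workstations hit one TLS endpoint within minutes,
    three hit another (below threshold), one host sends 120 mails in two days."""
    base = datetime(2010, 2, 12, 9, 0, 0)
    lines = []
    for n in range(6):
        t = base + timedelta(seconds=40 * n)
        lines.append(f"{t.isoformat()} 10.0.0.{10 + n} -> 203.0.113.5:443")
    for n in range(3):
        t = base + timedelta(minutes=30 + n)
        lines.append(f"{t.isoformat()} 10.0.0.{20 + n} -> 198.51.100.9:443")
    for n in range(120):
        t = base + timedelta(minutes=24 * n)
        lines.append(f"{t.isoformat()} 10.0.0.99 -> 192.0.2.25:25")
    for n in range(3):
        t = base + timedelta(hours=n)
        lines.append(f"{t.isoformat()} 10.0.0.5 -> 192.0.2.25:25")
    return lines


def analyse(lines):
    conns = [parse_line(line) for line in lines]
    return shared_tls_endpoints(conns), smtp_senders_over_limit(conns)


if __name__ == "__main__":
    tls, smtp = analyse(build_sample_log())
    for dst, hosts in tls.items():
        print(f"{len(hosts)} hosts reached {dst}:443 within 10 min: {hosts}")
    for src, n in smtp.items():
        print(f"{src} opened {n} outbound SMTP connections within a week")
```

Both thresholds are tuning knobs; a real deployment would baseline them per network segment rather than use the constants shown.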

  5. Broaden their test base by Itninja · · Score: 2, Funny

    Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Broaden their test base by The+Angry+Mick · · Score: 1

      Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

      While I'm not sure how they would go about testing against future viruses, short of bringing Johnny Carson's Carnak out of retirement, you would think that at the very least they could add a rootkit scanner to the front of the update. That way the update could fail gracefully with a note explaining why it couldn't proceed, along with a list of steps necessary to get the system clean, and helpful telephone numbers to the three major credit bureaus . . .

      --

      I'm not tense. I'm just terribly, terribly, alert.

    2. Re:Broaden their test base by timholman · · Score: 1, Funny

      Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

      Trivially done.

      IF OS_VERSION = "Windows XP/Vista/7" then MALWARE_FOUND = TRUE.

    3. Re:Broaden their test base by Anonymous Coward · · Score: 0

      I don't usually use Microsoft products, but when I do, I run Windows 95.

    4. Re:Broaden their test base by courtjester801 · · Score: 1

      They can't win this one. If they add what amounts to a minor virus scan to the start of any patch installation, you force the user to wait X+Y minutes and interrupt their work (or play, or whatever); if they don't, the end user only has to wait X minutes, but with a minor potential for a BSOD. I pity the person that does a fresh install and downloads all eleventy billion patches that require reboots in between.

      Had the users done their own regular and updated virus scanning, this likely wouldn't have been an issue.

    5. Re:Broaden their test base by Anonymous Coward · · Score: 0

      Did this TWICE this past month. Since they were well known brands without OS install disks, doing a restore on them put them back to clean WinXP SP2! This then required updating Windows Update, then 90ish patches, then the SP3 update, then 60ish patches, then downloading IE8... and updates, and .NET 1 and 3.5 and more updates and more updates and more reboots. Every hour or so for 4 evenings I hit update, then came back later. It took forever.

    6. Re:Broaden their test base by Anonymous Coward · · Score: 0

      My question is, why download the first 90ish patches at all? Just download the SP3 cumulative update. That right there would save you who knows how many restarts.

    7. Re:Broaden their test base by Itninja · · Score: 1

      You need to learn how to slipstream all that stuff into one install disc. It's way faster...

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    8. Re:Broaden their test base by zappepcs · · Score: 3, Funny

      Just have patches issued by McAfee and Symantec... that will fix the problem, for certain.

    9. Re:Broaden their test base by Jaysyn · · Score: 1

      Even better, slipstream the damn things with nLite.

      --
      There is a war going on for your mind.
    10. Re:Broaden their test base by Anonymous Coward · · Score: 0

      I didn't know there were 110,000,000,000 windows patches, but it wouldn't surprise me.

    11. Re:Broaden their test base by Anonymous Coward · · Score: 0

      There are also mechanisms to be able to download all the patches up to a certain date, so an XP install can go like this:

      Unplug box from LAN segment (or turn off wireless)
      Install XP
      Install SP3
      Install patches
      Install MSE
      Install MBSA
      Make sure firewall is up.
      Plug box back into LAN segment.
      Run MBSA to make sure that all system files are up to par. Since it uses a different mechanism than Windows Update to validate patch levels, one will be able to tell if something isn't patched or not.
      Install apps, and go from there.
      Optionally, have an external hard disk attached to the machine, so you can do a disk image of the system. This way, a subsequent reinstall is just a boot from recovery media and restore from image, as opposed to a time consuming reinstall.

    12. Re:Broaden their test base by dave562 · · Score: 1

      And how is that going to work? They're going to ship out their patches on DVDs that you have to boot the machine from? People already bitch about having to reboot their servers once a month. Can you imagine having to physically visit every server with a DVD / USB stick? Give me a break.

    13. Re:Broaden their test base by Anonymous Coward · · Score: 0

      Did you miss the part where he pointed out that consumer PCs no longer ship with a copy of the OS installation media?

    14. Re:Broaden their test base by kent_eh · · Score: 1

      You need to learn how to slipstream all that stuff into one install disc. It's way faster...

      Except he didn't have install disks

      they were well known brands without OS install disks,

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    15. Re:Broaden their test base by X0563511 · · Score: 1

      Apparently you know little about this rootkit.

      It gets updated daily, sometimes more often. The crackers are working in realtime to keep it ahead of security.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    16. Re:Broaden their test base by jack2000 · · Score: 1

      God forbid they clone a windows disk from a friend and use that as the basis for their slipstreamed cd... geez you people have NO imagination!

    17. Re:Broaden their test base by smash · · Score: 1

      Then copy one. If you have a valid product key, you have a valid license. The media is not what you are paying for, and copying the media is totally legal, so long as you're using it with a valid license.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    18. Re:Broaden their test base by smash · · Score: 1

      IF (OS_VERSION = "Windows XP/Vista/7" AND adminCompetence=NONE) then MALWARE_FOUND = TRUE;

      fixed for you.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    19. Re:Broaden their test base by ATairov · · Score: 1

      In fact, they should create a public rootkit registry so malware authors can submit their malware for compatibility testing with new Microsoft patches.

    20. Re:Broaden their test base by poofmeisterp · · Score: 1

      I'm sorry, but you forgot your (tm) after "It just makes sense."

      Economic times are harsh. Everything, I mean EVERYTHING, must be copyrighted, trademarked, and service-marked. :>

  6. Most effective mechanism for making a safer 'net by Nzimmer911 · · Score: 5, Interesting

    I think that this approach should become the industry standard for retaliation against malware. What better way to force complacent users to clean up their machines than to disable them? Fewer botnets = more bandwidth for the rest of us.

  7. Huh? I thought Netcraft confirmed it was dead? by Anonymous Coward · · Score: 2, Funny

    Huh? I thought Netcraft confirmed that BSD was dead. Oh waaaiiiitttt... BSOD
    Ok nevermind

  8. Good by pwnies · · Score: 1

    That seems a harsh way to find out that your Windows machine has been rooted.

    Or a good way, as it will force people to find a way to fix it. Who knows, maybe it will even teach some people some things about the dangers of rootkits.

    1. Re:Good by Anonymous Coward · · Score: 0

      Unfortunately, it's equally likely to cause people to stop updating, which is an even worse problem.

    2. Re:Good by mlts · · Score: 2, Insightful

      Even better, it gets the machine off the net, so other people are not victims of DDoS attacks, spam, automated scans, and other crap that might come from a botnet client.

      I admit I sound like a jerk here, but I'd rather have a machine with a BSOD than a rootkitted box. Reinstalling or reimaging a machine may be a bit time consuming, but it is nowhere near the time it would take to recover access to compromised bank accounts, Web accounts, gaming, and dealing with identity theft issues.

    3. Re:Good by couchslug · · Score: 1

      "I admit I sound like a jerk here,"

      No, you don't.

      Lusers (the term fits in this case) don't care about securing their machine unless it gets broken. Malware that breaks machines provokes an immune response, while parasitic malware usually does not.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  9. Dumbass users.. by Anonymous Coward · · Score: 0

    Trying to blame Microsoft for their own fucktarded infections. Try not to click greetingcard.exe next time, Idiots.

    1. Re:Dumbass users.. by jimicus · · Score: 1

      I really do wish it was that simple.

      The simple fact of the matter is that even with all the security turned on, even with all the updates being installed automatically you still can't avoid the odd rootkit. And there are several modern rootkits which are really hard to spot - most AV packages won't prevent them and they don't take over the machine to the point where you start to think "hang on a minute..... there's something wrong here".

    2. Re:Dumbass users.. by tigerhawkvok · · Score: 1

      Really? I run mostly windows systems and haven't gotten a virus, rootkit, or other miscellaneous malware in years. It really is their own damn fault. But then, they're the same people who complain about having to give their programs permissions as administrators on Windows, but not OSX or Linux ...

      --
      Blog
    3. Re:Dumbass users.. by jimicus · · Score: 4, Interesting

      48 hours ago I was notified of a laptop with a rootkit.

      And I can tell you now, that laptop wasn't running slowly.

      It wasn't redirecting web requests.

      It wasn't doing any of the things you might associate with rootkits. Yet when I replaced the AV with an alternate product, the alternate product detected several real issues.

      Frankly, if I hadn't been notified by our bank (whose security company had managed to get a site shut down and get a list of all potentially compromised accounts) I would never have had a clue. I concede that the user had admin privs on their laptop but I'm given to understand that even that isn't a huge barrier to a lot of modern rootkits. Thank Christ the bank in question doesn't allow you to do anything without the use of a separate security device they ship you.

      Talk about a rock and a hard place. I can't trust the laptop at all, and it was infected while running a regularly-updated copy of Symantec AV Enterprise which suggests I can't necessarily rely on AV software to do what it says on the tin. Windows is obviously a lost cause unless I want to spend the rest of my life playing whack-a-mole yet I don't think the Powers that Be will stomach a move to Linux (even though most of them haven't used Windows-specific software in years).

      Answers on the back of a postcard....

    4. Re:Dumbass users.. by X0563511 · · Score: 3, Insightful

      and haven't gotten a virus, rootkit, or other miscellaneous malware in years. ... that made itself known.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:Dumbass users.. by tigerhawkvok · · Score: 1

      With several different anti-malware solutions (including but not limited to ESET, NOD32, MS, Symantec, and occasionally Spybot/HijackThis/etc.), nor shown entries in autoruns/procexp/etc., or the occasional outbound-traffic analysis.

      They can be pretty hard to detect, but one that evades all of that is kinda magical.

      --
      Blog
    6. Re:Dumbass users.. by Anonymous Coward · · Score: 0

      I haven't typed a credit card number in Windows for several years (however I might be at risk because my PayPal account is linked to email I use, so someone could request a lost password). I dual boot to Linux to do that. The system in question is rawhide (yum updated each time I log in), so I wish rootkit authors good luck adapting to _that_.

      Well at least MS found an effective way to stop updating infected machines :)

    7. Re:Dumbass users.. by smash · · Score: 1
      Yes you can.

      Use the tools provided (firewall, AV, security zones, certificates for any secure sites you build for your intranet, etc), don't do dodgy shit on your box, and you won't get rooted.

      In the past, I've had Windows boxes rooted, I've also had Linux boxes rooted (via sendmail, DNS, etc). Since maintaining/securing them (even half-arsed), I haven't had a problem in the past 10 years.

      Hint: "dodgy shit" includes installing "free" shit from untrusted sources.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    8. Re:Dumbass users.. by smash · · Score: 2, Insightful

      Symantec is shit. Users should not have admin on business machines. They should also not be going out via unfiltered internet connection to whatever dodgy website they like and mail should be screened for questionable content. If you think that this sort of thing wouldn't be happening on Linux (or anything else) if it had so many clueless users in business settings using the product - you're deluded.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:Dumbass users.. by devent · · Score: 1

      Thank Christ the bank in question doesn't allow you to do anything without the use of a separate security device they ship you.

      Or, just use a Linux Live CD for all your banking needs. Maybe the banks should require all users to use at least a Linux Live CD to access any of the bank's websites.

      They could hand over VirtualBox with an installed and configured Linux distribution on a CD/USB stick to its customers (CD would be better, it's write protected).

      --
      http://www.mueller-public.de - My site http://www.anr-institute.com/ - Advanced Natural Research Institute
    10. Re:Dumbass users.. by jimicus · · Score: 1

      The rootkit in question was Zeus, which is known to evade many AV scanners. It probably wouldn't have made much difference what I was running - and more than one rootkit in the wild today is designed to account for the fact that a user may not have admin privs.

      Mail is screened, but I can't easily control their internet connection when the computer in question is a laptop. Otherwise there would be little point in issuing laptops.

      I fully accept that Linux would be just as big a target if everyone had root privs and it was anywhere near as popular. I also accept that you can't protect against user stupidity.

      But right now, today, there are very few Linux trojans and rootkits in the wild compared with Windows. I don't believe a 100% malware proof computer is even physically possible, but making it 98% malware proof would be a hell of an improvement on the current situation.

    11. Re:Dumbass users.. by jimicus · · Score: 1

      That's an interesting idea.

      The problem is, this is something that affects my work - I'm the sysadmin - and I guarantee you that as soon as you start putting roadblocks like that in people's way, they start to look for ways around them.

      I'd also have to screw around with the laptop to prevent Windows accessing the bank's website (easiest answer would be a few strategic entries in the hosts file) - but the inevitable upshot is that I guarantee the end user would wind up doing something like using their own PC for banking rather than rebooting the laptop. At least I have a chance (however slim) of being able to manage the risk on the laptop I give them.

      We have recently ditched Symantec anyway - not for this reason, I hasten to add, because I was unaware of this when we ditched it - and the new AV product is a suite complete with managed firewall, browser protection and every conceivable bell and whistle.

      (Yes I know Symantec also produce such a product. But it requires a Windows server which would have been quite a bit more licensing expense considering all my backend infrastructure is Linux).

    12. Re:Dumbass users.. by Anonymous Coward · · Score: 0

      Well I do agree with those things you said. People should have protections in place. However malware/virus/rootkits are becoming quite advanced. It's getting harder and harder to protect our systems.

      We run all of our interwebs through a content filtering system, we use very effective anti-spam software and use good anti-virus protection software. A rootkit recently made its way onto one of our user's computers and I have no idea how it got there. That's not the bad part.

      The bad part is that EVERY scanner I used on it was unable to find the rootkit. I used ESET, Malwarebytes, Spybot Search and Destroy, etc., etc. The one that did detect it? Windows Defender. With this type of rootkit the recommended fix is to reformat the PC, which I did.

      Now..I'm not saying I have the most protected systems ever..I don't. But typically we stop malware and virus before they even hit the machine. Even ones that do get through are picked up by one of our scanners.

      The scariest part is that none of our typical scanners pick up this thing..and nothing I've come across can remove it. How the heck can I protect 100+ computers from something like that? Windows security, I hate to say, has become a game of Russian roulette.

  10. No Worries by organgtool · · Score: 1

    That seems a harsh way to find out that your Windows machine has been rooted.

    Don't worry, I'm sure the author(s) of the rootkit released a patch within 24 hours that automatically updated the infected machines to make the rootkit "compatible" with the security update.

    1. Re:No Worries by psyque · · Score: 1

      and don't worry about downloading said update. They've already done it for you.

    2. Re:No Worries by snowraver1 · · Score: 4, Funny

      Prompt, efficient and convenient! Where can I buy this Root Kit?

      --
      Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
    3. Re:No Worries by psyque · · Score: 1

      No purchase necessary. Free delivery right to your registry.

    4. Re:No Worries by mmontour · · Score: 1

      Prompt, efficient and convenient! Where can I buy this Root Kit?

      Sony will sell you one although it's not 100% compatible with the industry-standard ones and it lacks the features of the rootkit described in this article. On the plus side, Sony bundles a free music CD with theirs.

      (Yeah, I know they've allegedly stopped doing that. Never forgive, never forget.)

  11. Don't worry by wiredog · · Score: 5, Informative

    The malware has been updated so that it won't cause a crash.

    1. Re:Don't worry by Megahard · · Score: 3, Funny

      If people would keep their machines updated with the latest rootkit and virus patches then this wouldn't happen.

      --
      I eat only the real part of complex carbohydrates.
    2. Re:Don't worry by Anonymous Coward · · Score: 0

      Okay. So, where can I download the patch?

  12. I wonder who else is preparing a patch... by TheNarrator · · Score: 1

    I wouldn't be surprised if the rootkit authors were at work on a patch for this BSOD. They will of course send it out via auto-update.

  13. Well at least the Norfolk town IT can rest easy by Parallax48 · · Score: 2, Funny
    1. Re:Well at least the Norfolk town IT can rest easy by gimmebeer · · Score: 1

      Drat. I came here to say this.

  14. Be Gentle by e2d2 · · Score: 4, Funny

    That seems a harsh way to find out that your Windows machine has been rooted.

    What do you want? Some cuddling before breaking the bad news?

    "Sweety.. you got rooted" .. as it goes in the _wrong_ hole.

    1. Re:Be Gentle by Anonymous Coward · · Score: 3, Funny

      Wait, there is a _wrong_ hole???

    2. Re:Be Gentle by Anonymous Coward · · Score: 0

      Wait, there is a _wrong_ hole???

      The young lady fell in love with a Greek man. Before the wedding night, her mother advised her, "Now honey, remember, if he tells you to roll over, you DON'T HAVE TO DO IT."

      The wedding night was a bit painful but overall a success, and the connubial bliss continued for months, but for one sore spot: Every night he asked her to roll over, and every night she refused.

      Finally one night he reached the last straw. Upon being told by his wife that no, she didn't have to roll over, he pleaded with her: "But honey, don't you WANT to have CHILDREN?"

    3. Re:Be Gentle by Maestro485 · · Score: 2, Funny

      I'm a rootkit, and Windows 7 was my idea!

  15. bsod by confused+one · · Score: 2, Insightful

    That seems a harsh way to find out that your Windows machine has been rooted.

    There are plenty of people who think that tracking down all the machines in these botnets and disabling them is a reasonable way of dealing with the problem.

    1. Re:bsod by characterZer0 · · Score: 1

      That is the only effective way of dealing with the problem.

      The alternatives are to ignore the problem.

      --
      Go green: turn off your refrigerator.
    2. Re:bsod by Anonymous Coward · · Score: 1, Insightful

      I've read an article about this; it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

    3. Re:BSOD by Skuld-Chan · · Score: 1

      I haven't seen this myself - and I have a lot of Windows 7 x64 machines :/.

    4. Re:bsod by kent_eh · · Score: 2, Insightful

      I've read an article about this; it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

      Yeah.
      A lawsuit for whoever had an internet connected machine running a life-support system and set to auto-update.

      Software updates on mission-critical systems should only happen manually, and after strict auditing.
      I won't even bother addressing how much of a bad idea it would be to have a life-support machine able to access (or be directly accessed from) the internet.

      --

      ---
      "I can't complain, but sometimes still do..." Joe Walsh
    5. Re:bsod by Anonymous Coward · · Score: 0

      Nobody would design a life support machine to use Windows Update directly, even if they did use an embedded version of XP, Vista, or Windows Server 2008. I do know of machines (not life support machines per se, but ones which do a specific, critical task) which might use manufacturer certified patches on a special update cycle (where the life support machine is changed out so someone isn't dependent on it). True life support machines tend to have their own embedded OS (such as LynxOS) which is designed from the ground up to have multiple failsafes, including hardware watchdog timers, multiple modules, and so on.

      In any case, one of the more critical things one does in IT on production machines is to test patches out before deploying them to production. This is why WSUS was made, so administrators can verify patches on hardware identical to production machines, run smoke tests to make sure everything is working, before the patches are approved and go to the critical hardware. A sysadmin who just lets production machines autoupdate from Windows Update and ignores the fact that machines will have downtime will become an ex-sysadmin very quickly.

      If there were a lawsuit, it would be the sysadmin who shot "due diligence" to Hell and gone because he or she failed to do a basic practice, or the device maker.

      I'm all for Microsoft causing BSODs for rooted machines. Of course, the car analogy comes to mind: What is worse, a car that is stalled and won't start, or one that will just ignore completely the steering wheel at random at highway speeds?

  16. Malicious Software Removal Tool by HTH+NE1 · · Score: 5, Funny

    So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Malicious Software Removal Tool by lgw · · Score: 3, Insightful

      I would hope so. But the malware removal tool runs last in the Windows Update process. I've never understood why.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Malicious Software Removal Tool by drinkypoo · · Score: 1

      Note that this entirely insightful comment has been modded Funny, so that it will already be score 5 without the poster's karma being incremented, thus effectively preventing the karma boost. This is the new form of astroturfer mod trolling. Expect to see a lot more of it soon.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Malicious Software Removal Tool by HTH+NE1 · · Score: 1

      I don't mind getting zero karma for it. Unfortunately, there are people (including personal friends) who use their settings to treat Funny mods as a -1 or less and thus won't read it.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    4. Re:Malicious Software Removal Tool by Anonymous Coward · · Score: 0

      It doesn't matter. The system doesn't actually update core files until early in the startup process after the system reboots (look for the pendingfilerenameoperations key in the session manager area of the registry), so the utility is just as (in)effective either way. The MSRT probably doesn't have enough power to detect this rootkit, and those utilities that do get blocked. Just loading GMER causes a kernel panic when this thing is active. Updates and service packs have been breaking rootkits for a while now; I consider it a service, because the AV vendors are doing a pretty poor job IMHO.

      Clean the system from an offline environment if you must, but reinstall if you can.

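The comment above points at the mechanism that makes update timing irrelevant: file replacements queued with MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT) land in the Session Manager's PendingFileRenameOperations value and are applied by smss.exe early in the next boot, before any AV engine or removal tool is running. The following is an added example, not code from the thread: it decodes that value (a REG_MULTI_SZ of source/destination pairs, where an empty destination means delete and a leading "!" on the destination means replace-existing) and flags operations that would drop a file into the drivers directory. The registry read is guarded so the parser also runs on non-Windows forensic hosts against a dumped value; the sample value, its paths and the watched directory are constructed assumptions for the demo.

```python
# Added example, not code from the Slashdot thread: decode the Session Manager's
# PendingFileRenameOperations value (HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager) into the file operations that run at the next boot, before
# most drivers and every AV product are loaded. The value is a REG_MULTI_SZ of
# (source, destination) pairs as written by MoveFileEx with
# MOVEFILE_DELAY_UNTIL_REBOOT: an empty destination means "delete source" and a
# destination beginning with "!" means "replace the existing file".
# SAMPLE below is constructed for the demo; the paths and file names are made up.
import sys
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"   # NT object-manager prefix MoveFileEx puts on each path
WATCHED_DIR = r"C:\Windows\System32\drivers"   # assumption: where a driver swap would land


@dataclass
class PendingOp:
    action: str                 # "delete", "rename" or "replace"
    source: str                 # Win32 path of the file being moved or deleted
    destination: Optional[str]  # None for a delete


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(entries: List[str]) -> List[PendingOp]:
    """Turn the REG_MULTI_SZ string list into PendingOp records, in execution order."""
    if len(entries) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _strip_nt_prefix(src), None))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _strip_nt_prefix(src), _strip_nt_prefix(dst[1:])))
        else:
            ops.append(PendingOp("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst)))
    return ops


def ops_touching(ops: List[PendingOp], directory: str = WATCHED_DIR) -> List[PendingOp]:
    """Operations whose target (destination, or source for a delete) lies under directory."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [op for op in ops if (op.destination or op.source).lower().startswith(prefix)]


def read_from_registry() -> List[str]:
    """On Windows, read the live value (returns [] elsewhere or if the value is absent)."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
            return list(value)
    except FileNotFoundError:
        return []


SAMPLE = [  # constructed demo value: one replace, one delete, one plain rename
    "\\??\\C:\\Windows\\Temp\\example.sys.new", "!\\??\\C:\\Windows\\System32\\drivers\\example.sys",
    "\\??\\C:\\Windows\\Temp\\installer.tmp", "",
    "\\??\\C:\\Users\\Public\\old.dll", "\\??\\C:\\Users\\Public\\new.dll",
]

if __name__ == "__main__":
    ops = parse_pending_ops(read_from_registry() or SAMPLE)
    for op in ops:
        print(op)
    print("touching drivers dir:", [op.destination for op in ops_touching(ops)])
```

The point of looking here rather than in Windows Update's own log is that the queued operation is the last thing a live scanner gets to see before the swap happens; after the reboot the only evidence left is the file itself, which a kernel-mode rootkit can hide.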
    5. Re:Malicious Software Removal Tool by initialE · · Score: 1

      It runs _slow_. Gets to the point where many people I know purposely choose to do a shutdown w/o updates rather than "install updates and shut down".

      --
      Starbucks, Harbuckle of Breath.
  17. Not tech people! by EMG+at+MU · · Score: 1

    "It's better they find out this way, than not at all" is not the correct reaction to this. This BSOD is going to happen to the layman a lot more frequently than to a tech person. When a BSOD happens to a layman, they don't record the stop code and look it up to see what the error is. The layman will just take it to geeksquad/local tech kid/vendor tech support and say "fix this, it's broken". They won't realize their machine was compromised. They won't change their computing habits so that their machines don't get infected in the future.

    Assuming that the affected users will clean up their systems and become more secure is wishful thinking.

    However (in a perfect world), if MS validated the files before patching/updating them, the user could be warned of their infection before their machine gets trashed. Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.

    1. Re:Not tech people! by lgw · · Score: 3, Insightful

      Yes, your solution involving non-technical people reading the text of pop-up messages will surely work. Especially a message that looks exactly like some malware, and which they've likely been warned to ignore. The taskbar icon that was added specifically to warn people to "install a firewall/update your browser/ run your AV" didn't work, but adding yet another pop-up will surely work this time.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Not tech people! by archangel9 · · Score: 2, Insightful

      Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.

      I see those words on the screen all the time. The problem is, they're delivered by cleverly-designed socially engineered Malware. The next generation of Malware will do the same thing and imitate the "new" default messages that Windows gives. How many people per day/week/month fall for the same "Your system is compromised, please click here and purchase this product" every day, regardless of the bad grammar and spelling contained in the message? As long as I've been in IT, there still isn't a good way to educate users that shirk off all personal responsibility and refuse to engage their thought processes when it comes to PCs. The world just keeps making better idiots.

    3. Re:Not tech people! by ColaMan · · Score: 1

      "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV"

      Typical user response:

      OMG WTF IS THIS SHIT I JUST WANT TO PLAY ONLINE POKER WHAT IS MICROSOFT DOING I DONT UNDERSTAND!?!?!

      --
      You are in a twisty maze of processor lines, all alike.
      There is a lot of hype here.
    4. Re:Not tech people! by EMG+at+MU · · Score: 1

      While I think all 3 of you are accurate in predicting the typical user response, I still think a message clearly indicating what is wrong is still a lot better than a BSOD. There will always be users who disregard system messages, but I believe a warning message will educate more users than a BSOD.

    5. Re:Not tech people! by tigerhawkvok · · Score: 1

      You'd get mod points if I had them!

      --
      Blog
    6. Re:Not tech people! by BradleyUffner · · Score: 3, Informative

      However (in a perfect world), if MS validated the files before patching/updating them, the user could be warned of their infection before their machine gets trashed.

      Rootkits are designed to hide their presence from the operating system. They can hook file system calls and return what looks like the proper version of the file to anything trying to read it. Once something is hooked into the machine at a low enough level, the only way to detect it would be to boot from a non-infected startup disk and scan the infected volume.

    7. Re:Not tech people! by Anonymous Coward · · Score: 0

      Not even then; there are hypervisor PoCs out there that are outside the scope of the OS.

    8. Re:Not tech people! by jimicus · · Score: 1

      ... and for some idiot reason, only one major vendor is actually producing a ready-made Live CD which does this. (F-Secure)

  18. BSOD by jdcope · · Score: 0, Flamebait

    Now maybe MS can figure out which update is producing the BSOD on Win7 64bit machines.

  19. Why it happens by Anonymous Coward · · Score: 0

    Come off the high horses.

    We all know that an OS resides in RAM rather than ROM for the sole purpose of making rootkits (by law enforcement etc.) possible.

  20. Don't use old software by Scarumanga · · Score: 0, Troll

    One solution would be to not use ancient operating systems that are 10 years old.

  21. The un-harsh way by hey! · · Score: 2, Funny

    [A Microsoft representative comes to a System Admin's place of work for a little meeting.]

    MR: Thanks for making time to meet with me.

    SA: No problem. So what's this all about?

    MR: I don't know how to say this, but it seems that you... well you aren't entirely in control of your systems.

    SA: You mean you're selling a new management tool?

    MR: No, no nothing like that. It's just that there are certain things... Well let's say there are things about your system that you don't know that you really ought to be aware of.

    SA: Oh, I see. You mean like undocumented registry settings, or DLLs or stuff like that.

    MR: Well, sure. Technically you *could* describe it that way. It's only....

    SA: Only what? How would *you* describe it.

    MR: *sigh*. OK. Some Chinese hacker working for the Russian mob has been using you as his bitch.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  22. Re:Surprisingly their QA labs are not infected by Dan+Ost · · Score: 1

    I'm not. They probably wipe and reinstall all their lab machines every time they test.

    --
    *sigh* back to work...
  23. Good Job, Microsoft! by Culture20 · · Score: 2, Insightful

    And I mean that sincerely. Please BSOD more botnets.

  24. But the fix will break Alureon! by John+Hasler · · Score: 1

    > Users affected by this problem can fix it by replacing the infected driver
    > with a new one via the system console.

    But that would break Alureon! Is an update available for it?

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    1. Re:But the fix will break Alureon! by Pyrus.mg · · Score: 2, Funny

      As mentioned above if you are an Alureon user an update has already been surreptitiously deployed to your pc and you can safely let Microsoft secure your system without losing any Alureon functionality.

  25. Last October, Dude by westlake · · Score: 3, Informative

    So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

    Virus:Win32/Alureon.A Definition: 1.69.77.0 Released: Oct 23, 2009

  26. Zero-day by Anonymous Coward · · Score: 5, Funny

    This was a zero-day exploit that the virus writers didn't know anything about.

    They got the patch out as quickly as they could.

    1. Re:Zero-day by shutdown+-p+now · · Score: 2, Funny

      See? Many eyeballs do make bugs shallow!

  27. I remember.... by Anonymous Coward · · Score: 0

    some dude saying that Microsoft products were safer because of people getting paid for it and that kind of crap... I would like to see his face now

  28. Finding out you were rooted by stiggs · · Score: 1

    Is a value in and of itself. I have even more sympathy for those who have another rootkit, and have yet to find out, than I do for those who had a BSOD which caused them to either a) stop using their computer entirely and reformat or b) fix the BSOD and rootkit. Actually I have plenty of sympathy for both since I don't use Windows at all.

    1. Re:Finding out you were rooted by Anonymous Coward · · Score: 0

      Not using windows is hardly a protection against rootkits.

  29. Why Isn't There A Good Botnet That Kills by Anonymous Coward · · Score: 0

    bad botnets?

    Hackers want to know.

    Yours In Karachi,
    K. Trout

  30. You don't have to. by khasim · · Score: 1

    All you need to do is verify that the files on the drive are the files released by the vendor(s). An extra step would be to make sure that they're the most recently patched versions as well.

    That can be done with a bootable Linux CD and a list of the various files, their locations and different checksums of each of them.

    Anything that isn't on that list is suspect and can be quarantined.

    The advantage of a system like that is that it is easy to use to spot even unknown rootkits.

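The post above describes the procedure without showing it: boot the suspect disk from clean media, hash every file on the volume, and compare against a list of what the vendor actually shipped. Here is an added example of that check, not khasim's code and not any vendor's tool. The manifest format (relative path to SHA-256 hex) is an assumption; in practice the known-good hashes would come from vendor-published catalogs rather than from a `build_manifest()` run on the machine itself, which is only used here to construct a toy "clean" tree for the demo. The demo's files, the simulated driver patch and the dropped file are all constructed. The one property that matters is that the scan reads the mounted volume from outside the suspect OS, so a hooked kernel cannot lie about file contents.

```python
# Added example (not from the thread): verify a mounted volume against a
# known-good manifest of file hashes. Run this from boot media against the
# offline volume, not from the suspect OS, so a kernel-level rootkit cannot
# hook the reads. The manifest format (relative path -> sha256 hex) and the
# demo tree in demo() are assumptions constructed for the example.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large drivers/images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by path relative to root (posix form)."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def verify_volume(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file as ok / modified / unknown / missing against the manifest.

    'unknown' is the interesting bucket: a file that no vendor list accounts for
    is exactly what an unknown rootkit's dropped driver looks like.
    """
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.is_symlink():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            result["unknown"].append(rel)
        elif hash_file(p) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def demo() -> Dict[str, List[str]]:
    """Build a constructed 'known good' tree, tamper with it like a rootkit would, verify."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "drivers").mkdir()
        (root / "drivers" / "disk.sys").write_bytes(b"good driver")
        (root / "kernel32.dll").write_bytes(b"good dll")
        (root / "notes.txt").write_bytes(b"doc")
        manifest = build_manifest(root)      # stands in for vendor-published hashes
        # simulate an infection: patch a driver in place, drop a new one, remove a file
        (root / "drivers" / "disk.sys").write_bytes(b"good driver" + b"\x90\x90")
        (root / "drivers" / "hide.sys").write_bytes(b"evil")
        (root / "notes.txt").unlink()
        return verify_volume(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:9s} {files}")
```

Hash comparison catches in-place patches of shipped binaries and unlisted files, which covers the "unknown rootkit" case the post claims; what it does not cover is the Anpheus objection further down the thread, a payload that lives only in memory and is re-delivered over the network, since there is nothing on disk to hash.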
    1. Re:You don't have to. by Anpheus · · Score: 1

      You're missing the point, unverified code is insecure code. Whether that's Windows or Linux.

      For example, can you prove without a doubt that there exists no kernel or kernel module flaw that could result in running arbitrary code from an innocuous file on the filesystem at boot time? No, not even close. There's simply no way you could make that claim.

      While it's improbable that such flaws exist in the Linux kernel, it's entirely possible. It's possible that there exists a flaw that allows hijacking a running kernel over the network and so the rootkit could exist purely in memory, relying on the resilience of the network to maintain its presence.

      My point was simply that those claiming Windows is difficult to secure are ignoring that the competition is only secure because it's less in the bullseye. Linux isn't any more provably secure than Windows, a statement that's as true as it is regrettable. It'd be -fantastic- if Linux were written to a spec and machine verified. It'd also be an absurdly difficult enterprise that could cost hundreds of millions of dollars and would stall the kernel development for so long that it'd become obsolete.

    2. Re:You don't have to. by cusco · · Score: 2, Informative

      "a bootable Linux CD"

      Work in the real world much? The network that I'm currently plugged into has 69,000 workstations on it, and 27,000 servers, plus another couple thousand ancillary computers like DVRs and cash registers (yes, they all run Windows). The hospital that I'm going to be working at tomorrow has over 1200 nodes on its network of which at least a hundred are considered non-rebootable life-safety systems (yes, almost all of those are Windows). That brilliant idea might work at your home office, but out here where the rest of us work it would get you laughed out of your job interview.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    3. Re:You don't have to. by Locutus · · Score: 3, Insightful

      good points but I really would not worry about someone laughing at you when they have put Windows on a life-safety system or any mission-critical system.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    4. Re:You don't have to. by Anonymous Coward · · Score: 0

      Windows is not rated for life-critical situations. Oh wait, you mentioned life-safety, not life-critical. Makes sense then right!?

      There are hospitals that are entirely shifting to Linux. I recently got asked by a doctor, chief of the Radiology dept., if I could come and install some new medical imagery system running on Linux only, "because our IT staff only knows Windows".

      I have no problem getting laughed at by fools.

      If you have 69 000 workstations and 27 000 servers then this screams millions and millions in yearly savings by switching to some virtualized infrastructure.

      Tech savvy companies like Google, IBM and Oracle aren't exactly in love with Microsoft products.

      The fact that you've got 69 K workstations and 27 K servers Microsoft-only only shows that incompetent tech-unsavvy people made decisions. No problems getting laughed at by such fools.

    5. Re:You don't have to. by Anonymous Coward · · Score: 0

      Unless that customer happens to be Microsoft . . .

      What do you mean "Windows is not rated for life-critical situations"??? AFAIK there isn't any over-arching entity in charge of telling the thousands of hospitals and clinics worldwide what software they're allowed to run. There'd be a hell of a lot of pissed off vendors if there were.

    6. Re:You don't have to. by tehcyder · · Score: 1, Insightful

      I really would not worry about someone laughing at you when they have put Windows on life-safety system or any mission critical system.

      Do you not think it is just possible that properly administered Windows systems actually work reliably? Or do you think MS bribes all the hospitals using these systems so they don't report the hourly crashes/reboots which you no doubt think must be happening?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    7. Re:You don't have to. by Anonymous Coward · · Score: 0

      Tards put sigs in the body instead of the sig field. In fact, only tards use a sig at all.

    8. Re:You don't have to. by tivoKlr · · Score: 1

      Really? Windows works reliably in a hospital setting? Wonder why my XP based GE Ultrasound machine crashes all the time, and bluescreens occasionally...funny how the older unit I have made by Acuson that runs a flavor of unix seems rock solid. The GE has been restored using ghost to factory settings and still fails from time to time. LAME.

      The first time I saw my GE bluescreen in the middle of a study and realized it was running Windows I almost puked.

      --
      Ocean is land, covered with water.
    9. Re:You don't have to. by Locutus · · Score: 1

      Do you not think it is just possible that properly administered Windows systems actually work reliably? Or do you think MS bribes all the hospitals using these systems so they don't report the hourly crashes/reboots which you no doubt think must be happening?

      no, I don't think that is possible. But, I do accept that there are random systems which for some strange reason keep running longer than they should.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    10. Re:You don't have to. by Anpheus · · Score: 1

      You almost puked that GE took the lowest common denominator OS to program for, likely paid some outsourced tech firm to write the bare minimum code to write the driver, and it has bugs that are so bad that they cause blue screens?

      Yeah, I guess that'd make me feel queasy in a doctor's office too.

      Well look at it this way, at least they didn't use underpaid, underqualified programmers to make Linux have kernel panics. That'd just be horrible.

    11. Re:You don't have to. by Anonymous Coward · · Score: 0

      Strange meaning they actually work fine just like many Windows machine. Stop being a dumbass.

  31. Microsoft's Malicious Software Removal Tool by QuietLagoon · · Score: 1

    Doesn't it work?

  32. When is it not harsh? by multimediavt · · Score: 1

    That seems a harsh way to find out that your Windows machine has been rooted.

    I don't know about anyone else, but I would think that any way you find out your machine is rooted is going to be harsh. Sure, the not booting thing is annoying (still don't know why Windows or Intel/AMD chipsets don't support a Target Disk Mode for events like this), but finding out that someone else has had free rein over your machine for who knows how long (whether it is currently booting or not) is a harsh reality.

  33. Re:Surprisingly their QA labs are not infected by ashridah · · Score: 1

    That's pretty much the case for the labs. We roll out updates internally first to give them a bit of a bash to watch out for issues, but 30k+ systems is not the same as a worldwide launch. Additionally, there aren't really that many user-grade XP systems left here, for obvious reasons.

  34. Microsoft: Listen Up, We Want To Love You by Anonymous Coward · · Score: 0

    "Microsoft Confirms Update-Linked BSODs Required Compromised Machines"

    Were any of the "infected" computers with the Windows Operating System installed also running Microsoft's free antivirus software? If so, did they detect this rootkit and disinfect the machines? Or, as I assume based on my experiences with Microsoft's software and popular antimalware software, did it NOT DETECT IT?

    Why are so many commercial and free antimalware offerings failing to detect so many new and old rootkits? Some of the nastiest rootkits, some kicking around now for several years, cannot be detected by many of the free and commercial offerings. Only when the user downloads a program like "gmer" do they often discover their machine is rootkitted. But sadly, programs like gmer do not remove the rootkit. We're seeing more and more rootkits targeting the BIOS and PCI cards; are there backroom deals involved here? Remember the Sony BMG rootkit and how the antiviruses failed to detect it when it arose, even following many months of this problem being shouted across the web?

    Tell us, Microsoft, did your free antivirus software protect against this threat, and are you doing what you should be doing, employing people to lurk on blackhat sites and discover any and all rootkit threats which exist and add detection for these terrible tools? We need the OS to especially protect against BIOS and PCI rootkits, which are becoming more popular as time goes by. The OS should protect against any program flashing to hardware (how is Joe Public going to determine whether or not his Nvidia card has been rooted?), especially the BIOS.

    There is no excuse for companies as large as Microsoft to not find and remove rootkits, with or without separate programs, free or commercial. I want to use Windows, Microsoft, but experiences like this and previous ones with rootkits are turning me off.

  35. The network doesn't lie... by gravyface · · Score: 2, Interesting

    Set up a non-transparent proxy, push out proxy settings to all your users (with GP or whatever, or do it manually), drop egress Web/IRC traffic. Now sit back and watch your firewall logs for alerts (or better yet set up syslog-ng or Kiwi Syslog Server to send you alerts) -- anything banging against the firewall is something you need to look at. Why? Because malware is rarely proxy-aware -- it assumes (rightfully so) that people either use transparent proxies or have no outbound filtering setup so when it tries to phone home, it'll make a lot of noise.

    --
    body massage!
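The detection gravyface describes is a log query, so here it is as an added example run over a few constructed firewall lines (this is not gravyface's code or tooling). The premise: once the only permitted web, IRC and DNS egress goes through the internal proxy and resolvers, any workstation that opens a direct connection to the Internet has ignored the proxy settings, which is the behaviour of non-proxy-aware malware. The log line format, the internal address range, the allow-listed upstream resolver and the sample lines are all constructed for the demo; `LINE_RE` is the part to adapt to a real firewall's syslog output. Inbound drops and traffic to internal hosts (including the proxy) are ignored, and a threshold keeps a single stray connection from paging anyone.

```python
# Added example, not gravyface's code: apply "anything banging against the
# firewall is something you need to look at" to firewall drop logs. With all
# allowed HTTP/IRC/DNS egress going through an internal proxy and resolvers,
# a direct connection attempt from a workstation to the Internet is a host
# that ignored the proxy settings, i.e. what non-proxy-aware malware does.
# The log format, addresses and SAMPLE_LOG are constructed for the demo.
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple

INTERNAL_NETS = [ip_network("10.0.0.0/8")]                 # assumption: your RFC1918 space
ALLOWED_EGRESS = {ip_address("198.51.100.1")}              # assumption: permitted upstream resolver
PORT_NAMES = {80: "http", 443: "https", 6667: "irc", 53: "dns"}

# constructed format: "<timestamp> <DROP|ACCEPT> <TCP|UDP> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>DROP|ACCEPT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

Event = Tuple[str, str, str, str, int, str, int]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for lines that do not match the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ts"], m["action"], m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_proxy_bypassers(lines: Iterable[str], min_hits: int = 3) -> Dict[str, Dict[str, int]]:
    """Internal hosts that tried to reach the Internet directly, with per-service counts."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        _ts, _action, _proto, src, _sport, dst, dport = ev
        if not is_internal(src) or is_internal(dst) or ip_address(dst) in ALLOWED_EGRESS:
            continue   # inbound noise, internal traffic (incl. the proxy), or an allow-listed destination
        hits[src][PORT_NAMES.get(dport, "other")] += 1
    return {host: dict(c) for host, c in hits.items() if sum(c.values()) >= min_hits}


SAMPLE_LOG = [  # constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    "2010-02-12T10:03:11 DROP TCP 10.1.4.22:51234 -> 203.0.113.7:80",
    "2010-02-12T10:03:12 DROP TCP 10.1.4.22:51235 -> 203.0.113.7:80",
    "2010-02-12T10:03:14 DROP TCP 10.1.4.22:51236 -> 203.0.113.7:80",
    "2010-02-12T10:03:15 DROP TCP 10.1.4.22:51237 -> 198.51.100.9:443",
    "2010-02-12T10:03:20 ACCEPT TCP 10.1.4.22:51238 -> 10.0.0.5:3128",    # via the proxy: fine
    "2010-02-12T10:04:01 DROP TCP 10.1.4.23:49152 -> 203.0.113.8:443",    # one hit: below threshold
    "2010-02-12T10:05:02 DROP UDP 10.1.4.24:1025 -> 198.51.100.53:53",    # DNS to a foreign resolver
    "2010-02-12T10:05:03 DROP UDP 10.1.4.24:1026 -> 198.51.100.53:53",
    "2010-02-12T10:05:04 DROP UDP 10.1.4.24:1027 -> 198.51.100.53:53",
    "2010-02-12T10:05:05 DROP UDP 10.1.4.24:1028 -> 198.51.100.53:53",
    "2010-02-12T10:05:06 ACCEPT UDP 10.1.4.25:53000 -> 198.51.100.1:53",  # allow-listed resolver: fine
    "2010-02-12T10:06:00 DROP TCP 203.0.113.9:4444 -> 10.1.4.22:445",     # inbound noise: ignored
    "kernel: a line the regex does not understand",
]

if __name__ == "__main__":
    for host, counts in find_proxy_bypassers(SAMPLE_LOG).items():
        print(f"{host}: {counts}")
```

The reply thread that follows is right that this only catches malware which does not use the proxy; a sample that drives IE's COM object, or simply reads the proxy settings from the registry, produces traffic that looks like a user's browser and needs the proxy's own logs (unexpected User-Agents, beaconing intervals) rather than the firewall's drops.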
    1. Re:The network doesn't lie... by AnEducatedNegro · · Score: 1

      and for the malware that uses internet explorer's api to make its runs?

      -aEN

    2. Re:The network doesn't lie... by gravyface · · Score: 1

      There's malware out there that *removes* your proxy settings (and sets up its own, as well as hijacks your DNS), but why would the malware write bulky, GUI-restricted, security-warning-pop-up laden code to use IE when a tiny curl binary would be so much more effective? It's all about the lowest common denominator: most companies *don't* block egress traffic, period, and those that do use proxies, tend to use transparent ones.

      --
      body massage!
    3. Re:The network doesn't lie... by AnEducatedNegro · · Score: 1

      what i am saying is that you are naive for assuming that your silly suggestion of hardcoding a proxy will solve the problem. you completely ignore the fact that there is a gaping hole in your security recommendation by trivializing the design option of a malware author.

      by the way, you can import the "bulky" IE COM object and use it without a gui and without security-warning pop ups because, you know, the malware author didn't decide to put the gui and security warnings in his code. oh and the IE COM object (a) makes it harder to detect since it could just be a legitimate user using IE, (b) IE is tried and tested, a malware's http stack could be buggy, leave identifying footprints, (c) saves the malware author time from reinventing the wheel.

      in security it is *ALSO* about the lowest common denominator. great woohoo, you can stop malware that doesn't follow the rules of your network. you cannot ignore malicious software that does follow the rules of the network. you're fooling only yourself if you believe malware can't evolve (did we not realize this the first time when a virtualized rootkit was as powerful as the first offerings of vm software?)

      -aEN

    4. Re:The network doesn't lie... by gravyface · · Score: 1

      Just because you *can* do something, doesn't mean it's a good idea... or even necessary. My point is that why would they bother? The majority of malware out there is a) not proxy-aware b) doesn't use IE COM objects because... wait for it... they don't _have_ to. Again, this is because most companies have no egress filtering and/or use transparent proxies. Did I say that this method is a 100% foolproof anti-malware silver bullet? Of course not, if a skilled blackhat wants to own you, they will, and it's not going to be through some common denominator botnet/keylogger/rootkit malware, it's going to be likely through social engineering. I make no statement about malware not evolving, because it will, and some day, my methods will no longer be effective, but I stand by these methods now because they currently work.

      --
      body massage!
  36. The chilling part... by PNutts · · Score: 1

    ...is that the rootkit's version went from 3.25 (unpatched) to 3.26 (patched). That's a lot of versions we didn't know about.

  37. Not buying the reasons by Spiked_Three · · Score: 0, Troll

    I do not totally buy it. I have a Windows server that has been running for many years just fine. It is inside my house behind a Broadband router and has very little and very occasional access to the internet. It may have had a rootkit, I do not deny, but I kind of doubt it, but it is possible. After the Tuesday updates the machine crashed several times - at least 4 that I am aware of, then stopped crashing. I am to believe that the rootkit got itself updated and is now happily running again? What is this root kit doing? I monitor/watch my internet traffic fairly close because I am on a satellite connection with bandwidth caps, and I don't really see any traffic from or to this server, so if that's all the root kit does, let it have its way.

    No, what really happened is Microsoft screwed up an update more than usual, and they are now trying to write it off and blame it on something else. The same week they put out a miserable Zune update that caused my Zune to find its way to the trash can.

    --
    slashdot troll = you make a compelling argument I do not like the implications of.
    1. Re:Not buying the reasons by wampus · · Score: 1

      Or maybe your issues have nothing to do with this update or the rootkit.

    2. Re:Not buying the reasons by jmac_the_man · · Score: 1

      The same week they put out a miserable Zune update that caused my Zune to find its way to the trash can.

      The last update to the Zune HD firmware was in November. The most recent update to non-HD Zunes was in September. The problem they're talking about happened in February. We're probably not talking about the same issue.

    3. Re:Not buying the reasons by Spiked_Three · · Score: 0, Troll

      It's very possible, even probable, that is the update that I applied this week, as that is about how often I plug my Zune in for anything other than a recharge. But it definitely did a firmware update, and then proceeded to delete my entire music library on my server and the Zune when I told it to delete one album I never listen to. As far as my perception, it happened the same week, but you are right, it very well may have been an older update.

      --
      slashdot troll = you make a compelling argument I do not like the implications of.
    4. Re:Not buying the reasons by miffo.swe · · Score: 1

      Well, one possible explanation would be that this rootkit snuck into one or more of Microsoft's update servers. Wouldn't surprise me at all actually. Microsoft would never ever acknowledge something like that or tell the outside world.

      --
      HTTP/1.1 400
    5. Re:Not buying the reasons by Anonymous Coward · · Score: 0

      Proof plx.

  38. Re:rooted? by Anonymous Coward · · Score: 0

    Mine does. Hard to guess the password for Administrator when the account is disabled.

  39. Re:Most effective mechanism for making a safer 'ne by juventasone · · Score: 1

    Some ISPs notify their customers if they're participating in a botnet, and cut their service if nothing is done about it. They're only doing it out of their own interest, but I wouldn't mind federal governments making this mandatory.

    This isn't the first time that an update from Microsoft breaks an infected PC. It's not something they plan or test for, nor should they.

  40. Windows and rootkits, like water and wetness by noidentity · · Score: 1

    That seems a harsh way to find out that your Windows machine has been rooted.

    But you repeat yourself. Windows machine. 'nuff said.

  41. Dual Boot Linux by Anonymous Coward · · Score: 2, Insightful

    Linux is so easy now, just dual boot and do banking from Linux. Then your worries would be much reduced.

  42. Cool by Anonymous Coward · · Score: 0

    Worth it to find out your machine was compromised.

  43. Rootkit problem easy to solve by Anonymous Coward · · Score: 0

    Just burn the OS to ROM---problem solved.
    Of course, that would also prevent "white hat" root kits, and the OS manufacturer would have to stop "churning" the product and get the bugs out.

  44. It's these widespread rootkits by kungfuj35u5 · · Score: 1

    which affect everybody that make me consider more and more every day to do egress filtering on my external firewall. Granted, I'm usually the only one using my machine and I typically am careful with my browsing habits on any platform (linux, freebsd, solaris or windows; javascript can be nasty). Stuff like this makes me feel really vulnerable on my windows based machines, though.

  45. Stop Dancing Around the Real Issue by Whatchamacallit · · Score: 1

    Oh for the love of Pete! Microsoft is MOST DEFINITELY RESPONSIBLE for rootkits! Sure, their patch is not the direct cause of the BSOD but letting the damn malware into the OS certainly is the real problem. Stop dancing around the spin and address the real problem for once!

    It is possible for malware running on a limited user account to execute on Windows and bootstrap itself into place via the HKLM registry where it should not be allowed to write. In addition, it can place executables into C:\Windows\System32 where it should also not be allowed to write or replace files. Next, malware can actually inject code into WINLOGON.EXE while it's running in RAM. Now you must ask yourself, WHAT THE FRAK?!?!

    The Zeus bot tool can be downloaded by any luser without a clue to build a custom rootkit via a Win32 Wizard for crying out loud! The bots produced with such a tool incorporate encryption both for the malware files as well as phoning home to the botnet itself. AV software cannot stop it! Once you are rooted, your machine is now owned by the botnet. Even Symantec, McAfee and Kaspersky have had their own computers infected by bots produced by Zeus!

    Running around the security perimeter trying to fight off the horde after the fact is futile.

    Repeat After Me:

    - Windows Cannot Be Secured!
    - Windows is Insecure!
    - Windows is a Security Hazard!
    - TIME TO GET OFF WINDOWS!

    Yeah it's going to cost you big time, but it's going to cost a whole lot more if corporations don't start acting soon! Many companies have been hacked and the hackers are going after the financial staff, gaining access to online bank accounts and stealing tens of thousands of dollars! Most business banks provide no recourse nor protection if someone else logs in with your account and wires money to a third world country.