Slashdot Mirror


Microsoft Confirms Update-Linked BSODs Required Compromised Machines

Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates are the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it was now confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.

21 of 199 comments

  1. But better than not finding out at all. by dmgxmichael · · Score: 5, Insightful

    Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

    1. Re:But better than not finding out at all. by bigredradio · · Score: 2, Insightful

      First post...that would be you sir.

    2. Re:But better than not finding out at all. by Johnno74 · · Score: 3, Insightful

      Wow, nice way to find/create an anti-MS slant on the story. I can respect people who bash Microsoft if they know what they are talking about, but you clearly don't, so no biscuit.

      Problems with your theory:

      1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.

      2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.

      3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.
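The "static offset" failure mode in point 2 above is worth seeing concretely. The following is an added example from the editor, not code from the thread or from any real driver or rootkit: two constructed byte images stand in for the system file before and after an update, a hypothetical rootkit resolves its target routine by a hard-coded offset learned from the old image, and a signature scan is shown as the version-independent alternative. The signature bytes, the images, and the offset 8 are all made up for illustration; in a real kernel, jumping to the wrong offset is what produces the blue screen, and here that outcome is just reported as "wrong bytes".

```c
/*
 * Added example (not from the Slashdot thread): why a rootkit that
 * calls into or patches a system binary by a hard-coded file offset
 * breaks when an update replaces that binary.
 *
 * Everything here is constructed: two fake "driver images" (v1 and v2),
 * a hypothetical rootkit that resolves a target routine by a fixed
 * offset into the image, and a version-independent alternative that
 * locates the routine by its byte signature. No real driver bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed prologue bytes standing in for the hooked routine
 * (looks like push ebp; mov ebp,esp; sub esp,... but is just a toy). */
#define TARGET_SIG_LEN 4
static const uint8_t TARGET_SIG[TARGET_SIG_LEN] = { 0x55, 0x8B, 0xEC, 0x83 };

/* Constructed pre-update image: the target routine sits at offset 8. */
static const uint8_t IMAGE_V1[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3, 0x90,
};

/* Constructed post-update image: four bytes of new code were inserted
 * ahead of the routine, moving it to offset 12 without changing it. */
static const uint8_t IMAGE_V2[] = {
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90,
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0xC3, 0x90,
};

/* The offset the hypothetical rootkit author hard-coded after studying v1. */
#define HARDCODED_OFFSET 8

/* Returns 1 if `off` points at the routine's prologue inside `img`, else 0.
 * A real rootkit would just jump there; landing on other bytes is the crash. */
static int offset_is_valid_target(const uint8_t *img, size_t len, size_t off)
{
    if (off + TARGET_SIG_LEN > len)
        return 0;
    return memcmp(img + off, TARGET_SIG, TARGET_SIG_LEN) == 0;
}

/* Version-independent resolution: scan for the routine's signature
 * instead of trusting a fixed offset. Returns the offset, or -1 if absent. */
static long find_target_by_signature(const uint8_t *img, size_t len)
{
    if (len < TARGET_SIG_LEN)
        return -1;
    for (size_t i = 0; i + TARGET_SIG_LEN <= len; i++) {
        if (memcmp(img + i, TARGET_SIG, TARGET_SIG_LEN) == 0)
            return (long)i;
    }
    return -1;
}

/* Hard-coded-offset approach against each image (1 = works, 0 = wrong bytes). */
int hardcoded_hook_works_on_v1(void)
{
    return offset_is_valid_target(IMAGE_V1, sizeof IMAGE_V1, HARDCODED_OFFSET);
}
int hardcoded_hook_works_on_v2(void)
{
    return offset_is_valid_target(IMAGE_V2, sizeof IMAGE_V2, HARDCODED_OFFSET);
}

/* Signature-scan approach against each image. */
long signature_offset_v1(void) { return find_target_by_signature(IMAGE_V1, sizeof IMAGE_V1); }
long signature_offset_v2(void) { return find_target_by_signature(IMAGE_V2, sizeof IMAGE_V2); }

int main(void)
{
    printf("hard-coded offset %d: v1 %s, v2 %s\n", HARDCODED_OFFSET,
           hardcoded_hook_works_on_v1() ? "ok" : "WRONG BYTES (would crash)",
           hardcoded_hook_works_on_v2() ? "ok" : "WRONG BYTES (would crash)");
    printf("signature scan: v1 offset %ld, v2 offset %ld\n",
           signature_offset_v1(), signature_offset_v2());
    return 0;
}
```

The point of the contrast is that the patched file is clean in both versions; only the attacker's assumption about where things live inside it went stale. Defenders can read this the other way round too: a kernel component that dies the moment a binary it never declared a dependency on gets updated is a strong sign that something is hooking that binary.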

    3. Re:But better than not finding out at all. by dhavleak · · Score: 3, Insightful

      I think that award goes to Timothy -- our fearless fudding editor. I mean, consider how he ended TFA: "That seems a harsh way to find out that your Windows machine has been rooted.".

      Alright, maybe that's a harsh assessment, but after countless other posts like this I'm not inclined to give him the benefit of doubt. Let's recap:
      1. The Alureon rootkit isn't new, and should be detected by any AV worth its salt
      2. That being the case, affected users were not running AV, or were infected before they installed their AV.
      3. Affected users are running a 10-year-old OS.
      4. More recent OSes (64-bit Vista and Win7) have inbuilt measures that render Alureon ineffective (PatchGuard - which checks for signatures on kernel modules).
      5. 32-bit Vista and Win7 would be immune as well if the AV cartel had not threatened to approach the DOJ with antitrust complaints if MS implemented PatchGuard in the 32-bit versions.
      6. MS has made online scanning tools, a malware removal tool, and a free AV/security suite (Microsoft Security Essentials) that any of the affected users could have used, prior to the update, and they would have been fine.

      So now, short of forcibly enrolling users in "install and run AV 101", what else could you be calling for, Mr. Timothy (editor) when you say that you think this is a particularly harsh way to find out that you've been infected? What the fuck else do you think MS should do? Go back in time, and fucking add patch guard to XP before they release it? I'm really fucking interested in hearing your opinion on this.

    4. Re:But better than not finding out at all. by smash · · Score: 3, Insightful

      I have no problem with patches bluescreening rooted boxes. If your box is rooted, the only way to be sure to fix it is a reinstall - having patches try to work around rootkit installs is retarded. If you don't know you're rooted, then too bad. Learn to maintain your PC/network.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  2. Not that harsh by bigredradio · · Score: 5, Insightful

    Yeah a BSOD is harsh, but finding your bank account mysteriously drained of funds is more harsh. At least they found out.

  3. Better than not knowing that you've been rooted by jandrese · · Score: 4, Insightful

    The bluescreen may be painful, but it is far less painful than having your information stolen by criminals. Assuming of course the people who own the machines are savvy enough to properly install their firewalls and virus protection next time.

    --
    I read the internet for the articles.
    1. Re:Better than not knowing that you've been rooted by Locutus · · Score: 4, Insightful

      It was probably about 6 years ago when a number of government offices, American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
      In plain language, many government and business computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You cannot secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting, saying something much the same. Businesses who insist on Windows are insisting on something which is very, very difficult to secure.

      Now I wonder if this is what took out all those Norfolk VA computers. The ones which it was said that they don't think it was something they got off the internet but in the same breath said they don't know what caused it or how it got there.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  4. bsod by confused+one · · Score: 2, Insightful

    That seems a harsh way to find out that your Windows machine has been rooted.

    There are plenty of people who think that tracking down all the machines in these botnets and disabling them is a reasonable way of dealing with the problem.

    1. Re:bsod by Anonymous Coward · · Score: 1, Insightful

      I've read an article about this, it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

    2. Re:bsod by kent_eh · · Score: 2, Insightful

      I've read an article about this, it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

      Yeah.
      A lawsuit for whoever had an internet connected machine running a life-support system and set to auto-update.

      Software updates on mission-critical systems should only happen manually, and after strict auditing.
      I won't even bother addressing how much of a bad idea it would be to have a life-support machine able to access (or be directly accessed from) the internet.

      --
      "I can't complain, but sometimes still do..." Joe Walsh
  5. Re:Malicious Software Removal Tool by lgw · · Score: 3, Insightful

    I would hope so. But the malware removal tool runs last in the Windows Update process. I've never understood why.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  6. Re:Not tech people! by lgw · · Score: 3, Insightful

    Yes, your solution involving non-technical people reading the text of pop-up messages will surely work. Especially a message that looks exactly like some malware, and which they've likely been warned to ignore. The taskbar icon that was added specifically to warn people to "install a firewall/update your browser/ run your AV" didn't work, but adding yet another pop-up will surely work this time.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  7. Re:Not tech people! by archangel9 · · Score: 2, Insightful

    Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.

    I see those words on the screen all the time. The problem is, they're delivered by cleverly designed, socially engineered malware. The next generation of malware will do the same thing and imitate the "new" default messages that Windows gives. How many people per day/week/month fall for the same "Your system is compromised, please click here and purchase this product" every day, regardless of the bad grammar and spelling contained in the message? As long as I've been in IT, there still isn't a good way to educate users that shirk off all personal responsibility and refuse to engage their thought processes when it comes to PCs. The world just keeps making better idiots.

  8. Re:Good by mlts · · Score: 2, Insightful

    Even better, it gets the machine off the net, so other people are not victims of DDoS attacks, spam, automated scans, and other crap that might come from a botnet client.

    I admit I sound like a jerk here, but I'd rather have a machine with a BSOD than a rootkitted box. Reinstalling or reimaging a machine may be a bit time consuming, but it is nowhere the time it would take to recover access to compromised bank accounts, Web accounts, gaming, and dealing with identity theft issues.

  9. Good Job, Microsoft! by Culture20 · · Score: 2, Insightful

    And I mean that sincerely. Please BSOD more botnets.

  10. Re:Dumbass users.. by X0563511 · · Score: 3, Insightful

    and haven't gotten a virus, rootkit, or other miscellaneous malware in years. ... that made itself known.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  11. Re:Dumbass users.. by smash · · Score: 2, Insightful

    Symantec is shit. Users should not have admin on business machines. They should also not be going out via unfiltered internet connection to whatever dodgy website they like and mail should be screened for questionable content. If you think that this sort of thing wouldn't be happening on Linux (or anything else) if it had so many clueless users in business settings using the product - you're deluded.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  12. Re:You don't have to. by Locutus · · Score: 3, Insightful

    Good points, but I really would not worry about someone laughing at you when they have put Windows on a life-safety system or any mission-critical system.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  13. Dual Boot Linux by Anonymous Coward · · Score: 2, Insightful

    Linux is so easy now, just dual boot and do banking from Linux. Then your worries would be much reduced.

  14. Re:You don't have to. by tehcyder · · Score: 1, Insightful

    I really would not worry about someone laughing at you when they have put Windows on a life-safety system or any mission-critical system.

    Do you not think it is just possible that properly administered Windows systems actually work reliably? Or do you think MS bribes all the hospitals using these systems so they don't report the hourly crashes/reboots which you no doubt think must be happening?

    --
    To have a right to do a thing is not at all the same as to be right in doing it