Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Confirms Update-Linked BSODs Required Compromised Machines

Posted by timothy on from the calling-that-glass-half-full-takes-chutzpah dept.

Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.

32 of 199 comments (clear)

  1. But better than not finding out at all. by dmgxmichael · · Score: 5, Insightful

    Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

    1. Re:But better than not finding out at all. by Anonymous Coward · · Score: 5, Funny

      The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

    2. Re:But better than not finding out at all. by TubeSteak · · Score: 4, Informative

      Don't worry, it looks like the malware authors have already rushed out an update for their rootkit
      http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html

      --
      [Fuck Beta]
      o0t!
    3. Re:But better than not finding out at all. by lgw · · Score: 4, Informative

      Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:But better than not finding out at all. by Johnno74 · · Score: 3, Insightful

      Wow, nice way to find/create an anti-ms slant on the story. I can respect people who bash microsoft if they know what they are talking about, but you clearly don't so no biscut.

      Prolems with your theory:

      1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.

      2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.

      3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.

    5. Re:But better than not finding out at all. by ashridah · · Score: 3, Interesting

      When the rootkit has complete, unrestricted access to the system, *it can do anything it wants*. there really isn't a way to stop it, unless you've forced it into a lower-security prison (aka, user-level).

      If it wants to pick a random memory address that it's hard coded and jump to it, it can do it. the cpu's not going to stop it, and windows is not responsible for fixing that. You may as well ask for the linux kernel to stop a rootkit module from rewriting the software interrupt vector tables and hooking into system calls. If it has write-anywhere memory level access (and it does, it's in the kernel during initialization, launched by root), then it can write bytes to memory, anywhere it chooses. if you then upgrade to a kernel with a different system call table layout due to an improvement, and the malware doesn't self-correct? boom!

      Now, solutions to this involve things like virtualization and sandboxing, but we're not quite there yet. I wouldn't actually mind seeing an operating system take advantage of VT and other things to produce an OS with a secure core, that self-verifies and only accepts signed updates.

    6. Re:But better than not finding out at all. by dhavleak · · Score: 3, Insightful

      I think that award goes to to Timothy -- our fearless fudding editor. I mean, consider how he ended TFA: "That seems a harsh way to find out that your Windows machine has been rooted.".

      Alright, maybe that's a harsh assessment, but after countless other posts like this I'm not inclined to give him the benefit of doubt. Let's recap:
      1. The Alureon rootkit isn't new, and should be detected by any AV worth it's salt
      2. That being the case, affected users were not running AV, or were infected before they installed their AV.
      3. Affected users are running a 10-year old OS.
      4. More recent OSes (64-bit Vista and Win7) have inbuilt measures that render Alureon ineffective (PatchGuard - which checks for signatures on kernel modules).
      5. 32-bit Vista and Win7 would be immune as well if the AV cartel had not threatened to approach the DOJ with antitrust complaints if MS implemented PatchGuard in the 32-bit versions.
      6. MS has made online scanning tools, a malware removal tool, and a free AV/security suite (MS security essentials) that any of the affected users could have used, prior to the update, and they would have been fine.

      So now, short of forcibly enrolling users in "install and run AV 101", what else could you be calling for, Mr. Timothy (editor) when you say that you think this is a particularly harsh way to find out that you've been infected? What the fuck else do you think MS should do? Go back in time, and fucking add patch guard to XP before they release it? I'm really fucking interested in hearing your opinion on this.

    7. Re:But better than not finding out at all. by Pharmboy · · Score: 3, Funny

      Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

      To be fair, Microsoft is year ahead of Linux in this area. Linux isn't compatible with almost every kinds of virus/malware. Wine is helping by providing the APIs needed for some malware, but Linux (iptables in particular) still interferes with the proper operation of some of these programs. Like it or not, if you want to run these malware programs reliably, you should stay away from Linux. At least Microsoft lets you run *most* of these viruses after an update.

      --
      Tequila: It's not just for breakfast anymore!
    8. Re:But better than not finding out at all. by smash · · Score: 3, Informative

      Maybe because if you're not patched, you'll often get re-infected before the update is completed?

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    9. Re:But better than not finding out at all. by smash · · Score: 3, Insightful

      I have no problem with patches bluescreening rooted boxes. If your box is rooted, the only way to e sure to fix it is a reinstall - having patches try to work around rootkit installs is retarded. If you don't know you're rooted, then too bad. Learn to maintain your pc/network.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    10. Re:But better than not finding out at all. by poena.dare · · Score: 4, Funny

      Dear Microsoft:

      Please continue to turn off user's computers which are compromised. If at all possible, please display a message directing anyone in my zip code that I'm available to fix it for them at competitive prices. I really need the work.

    11. Re:But better than not finding out at all. by jonadab · · Score: 3, Interesting

      He didn't demand anything of the kind. He only suggested it, if anything in a way that implied it would be an unreasonable expectation. Which it would be, because, frankly, once you become aware that a system has a rootkit installed, the only sane thing to do is a complete format and reinstall.

      Well, you can do some forensics first if you want, and maybe copy off some data (if you're careful about how you do it so as not to infect any system you copy it to). But you're going to boot from known-clean (and, preferably, read-only) media to do those things, NOT from the known-infected system. (A LiveCD is what I would recommend for such post-mortem activities.) If you want to actually boot from and use the infected system again, it needs a clean reinstall first, period. Do not pass go, do not collect two hundred dollars. Booting from the infected system is highly inadvisable and much worse than useless, because the system is compromised. Only someone who doesn't know any better due to a complete lack of understanding of security issues would even consider doing that.

      So personally I don't see how this way of finding out is any more brutal than any other way of finding out. Continuing to use the system, even though it has a rootkit, wouldn't be a reasonable course of action anyway. Nobody who understands security would do that, and nobody else *should* either.

      (Unless you're operating some kind of firewalled-garden virtualized honeypot network for the express purpose of studying how infections spread, but in that case you wouldn't be deploying the patch. I suppose if you were doing a controlled study on the effectiveness of the patch... but we're now DEEP into the realm of purely hypothetical problems with no real-world impact whatsoever.)

      If we were going to criticize Microsoft here, it would be for other things, such as how long it took them to deliver the patch once the issue was reported. (I don't happen to know how long it was in this instance, BTW; I wasn't following this particular vulnerability very closely.)

      Assuming it's true that the patch only causes problems on already-rootkitted systems (and I haven't seen anyone claim the contrary), then that's not really a meaningful flaw in the patch, IMO. Those systems were already toast anyway. How well does the patch work on systems that hadn't been infected? That's what matters.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  2. Not that harsh by bigredradio · · Score: 5, Insightful

    Yeah a BSOD is harsh, but finding your bank account mysteriously drained of funds is more harsh. At least they found out.

    --
    Flexible bare-metal recovery for Linux/UNIX
  3. Better than not knowing that you've been rooted by jandrese · · Score: 4, Insightful

    The bluescreen may be painful, but it is far less painful than having your information stolen by criminals. Assuming of course the people who own the machines are savvy enough to properly install their firewalls and virus protection next time.

    --

    I read the internet for the articles.
    1. Re:Better than not knowing that you've been rooted by Locutus · · Score: 4, Insightful

      it was probably about 6 years ago when a number of goverment offices American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
      In plain language, many government computers and businesses computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quiting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

      Now I wonder if this is what took out all those Norfolk VA computers. The ones which it was said that they don't think it was something they got off the internet but in the same breath said they don't know what caused it or how it got there.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    2. Re:Better than not knowing that you've been rooted by bertok · · Score: 4, Informative

      it was probably about 6 years ago when a number of goverment offices American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
      In plain language, many government computers and businesses computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quiting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

      Oh, I assure you, they know about it. They're just too incompetent to do anything about it.

      I was once at a large bank, and I was warned not to plug my laptop into the bank's network. At first I was thinking "this must be for security reasons, they clearly don't (and shouldn't) trust some random consultant's laptop on their network", but then I was told that it was for my own protection. Apparently the bank network was so lousy with viruses that a laptop without the latest patches would last only minutes before it was rooted. I keep my work laptop patched, so I did plug in. I ran Wireshark for a few minutes, which detected about a dozen hack attempts on my machine. On top of this, many of their servers were running ancient versions of windows, many at RTM patch levels. I suspect they were all infected, but I didn't have a chance to look into it.

      It's not just one or two financial institutions, from what I gather, many of the larger ones have infections.

      This is what excessive bureaucracy does to IT: the amount of paper work required to approve a patch is so onerous that IT managers simply don't patch servers. The paper work is meant to prevent the minor problem of 'unapproved' patches causing disruptions, but the end result is even worse, which is unpatched machines with rampant infections.

  4. Most effective mechanism for making a safer 'net by Nzimmer911 · · Score: 5, Interesting

    I think that this approach should become the industry standard for retaliation against malware. What better way to force complacent users to cleanup their machines than to disable them? Less botnets = more bandwidth for the rest of us.

  5. Don't worry by wiredog · · Score: 5, Informative

    The malware has been updated so that it won't cause a crash.

    --

    Best Slashdot Co
    1. Re:Don't worry by Megahard · · Score: 3, Funny

      If people would keep their machines updated with the latest rootkit and virus patches then this wouldn't happen.

      --
      I eat only the real part of complex carbohydrates.
  6. Be Gentle by e2d2 · · Score: 4, Funny

    That seems a harsh way to find out that your Windows machine has been rooted.

    What do you want? Some cuddling before breaking the bad news?

    "Sweety.. you got rooted" .. as it goes in the _wrong_ hole.

    1. Re:Be Gentle by Anonymous Coward · · Score: 3, Funny

      Wait, there is a _wrong_ hole???

  7. Re:No Worries by snowraver1 · · Score: 4, Funny

    Prompt, efficient and convienient! Where can I buy this Root Kit?

    --
    Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
  8. Malicious Software Removal Tool by HTH+NE1 · · Score: 5, Funny

    So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:Malicious Software Removal Tool by lgw · · Score: 3, Insightful

      I would hope so. But the malware removal tool runs last in the Windows Update process. I've never understood why.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  9. Re:Broaden their test base by zappepcs · · Score: 3, Funny

    Just have patches issued by McAfee and Symantec... that will fix the problem, for certain.

    --
    Support NYCountryLawyer RIAA vs People
  10. Re:Not tech people! by lgw · · Score: 3, Insightful

    Yes, your solution involving non-technical people reading the text of pop-up messages will surely work. Especially a message that looks exactly like some malware, and which they've likely been warned to ignore. The taskbar icon that was added specifically to warn people to "install a firewall/update your browser/ run your AV" didn't work, but adding yet another pop-up will surely work this time.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  11. Last October, Dude by westlake · · Score: 3, Informative

    So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

    Virus:Win32/Alureon.A Definition: 1.69.77.0 Released: Oct 23, 2009

  12. Zero-day by Anonymous Coward · · Score: 5, Funny

    This was a zero-day exploit that the virus writers didn't know anything about.

    They got the patch out as quickly as they could.

  13. Re:Not tech people! by BradleyUffner · · Score: 3, Informative

    However (in a perfect world), if MS validated the files before patching/updating them, the user could be warned of their infection before their machine gets trashed.

    Root kits are designed to hide their presence from the operating system. They can hook file system calls and return what looks like the proper version of the file to anything trying to read it. Once something is hooked into the machine at a low enough level the only way to detect it would be to boot from non infected start up disk and scan the infected volume.

  14. Re:Dumbass users.. by jimicus · · Score: 4, Interesting

    48 hours ago I was notified of a laptop with a rootkit.

    And I can tell you now, that laptop wasn't running slowly.

    It wasn't redirecting web requests.

    It wasn't doing any of the things you might associate with rootkits. Yet replacing the AV with an alternate product and the alternate product detected several real issues.

    Frankly, if I hadn't been notified by our bank (whose security company had managed to get a site shutdown and get a list of all potentially compromised accounts) I would never have had a clue. I concede that the user had admin privs on their laptop but I'm given to understand that even that isn't a huge barrier to a lot of modern rootkits. Thank Christ the bank in question doesn't allow you to do anything without the use of a separate security device they ship you.

    Talk about a rock and a hard place. I can't trust the laptop at all, and it was infected while running a regularly-updated copy of Symantec AV Enterprise which suggests I can't necessarily rely on AV software to do what it says on the tin. Windows is obviously a lost cause unless I want to spend the rest of my live playing whack-a-mole yet I don't think the Powers that Be will stomach a move to Linux (even though most of them haven't used Windows-specific software in years).

    Answers on the back of a postcard....

  15. Re:Dumbass users.. by X0563511 · · Score: 3, Insightful

    and haven't gotten a virus, rootkit, or other miscellaneous malware in years. ... that made itself known.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  16. Re:You don't have to. by Locutus · · Score: 3, Insightful

    good points but I really would not worry about someone laughing at you when they have put Windows on life-safety system or any mission critical system.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus