Slashdot Mirror


Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."


  1. First things first by BadAnalogyGuy · · Score: 5, Insightful

    If the rootkit is still on your computer, maybe you should look into having it removed.

    how shall thee pull out the mote that is in thine eye, when thou thyself beholdest not the beam that is in thine eye? Luke 6:42

    1. Re:First things first by gzipped_tar · · Score: 1

      Theoretically, you're right. Practically, Murphy's Law takes precedence over the Scriptures, and you _will_ find "installing the MS patch" a necessary step in the rootkit removal.

      Jesus Christ administrated, but He's still a newbie in system administration ;)

      --
      Colorless green Cthulhu waits dreaming furiously.
    2. Re:First things first by Skarecrow77 · · Score: 5, Funny

      no! I need the newest microsoft patch so that there are not any new security holes in my computer! I'll deal with that huge gaping sucking chasm of a security hole that's already there, created by the rootkit, at some later date.

    3. Re:First things first by sopssa · · Score: 2, Insightful

      You need the newest microsoft patch that - because of the rootkit and the .dll files it has damaged - will BSOD your system? Somehow someone turned this news into a rant and like it's a bad thing to really make sure the windows update should be able to patch things before proceeding.

    4. Re:First things first by Skarecrow77 · · Score: 1

      I'm just assuming that my previous post is the standard line of thinking of most of these people. if they can't see a big banner saying "you've been rootkitted. your computer's botnet name is '17004-G81', just so you know" on their desktop, then they don't care I guess.

    5. Re:First things first by kseise · · Score: 3, Funny

      Just to be sure that we get this update, I am installing the newest Antivirus 2010 on all of our network machines. This version should pick up the rootkits that Antivirus 2009 left behind. Since I work at the IRS, our systems are absolutely critical to protect this month.

    6. Re:First things first by maxwell+demon · · Score: 1

      Luke 6:42

      Admit it: That's the reason why you quoted it! :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:First things first by VGPowerlord · · Score: 1

      So, here are some tips: find a clean copy of XP SP2

      Why not XP SP3?

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    8. Re:First things first by dhavleak · · Score: 2, Insightful

      What about their malicious software removal tool that supposedly scans on updates

      The user may not have MSRT on their system. Alureon (the rootkit that caused the last issue) is detectable by every AV software out there and removable by MSRT (and others). We're talking about ultra-computer-phobic/challenged users here.

      To me, that makes it obviously WORTHLESS if it can't remove this root-kit what good is it?

      If a tool isn't installed on a machine, I don't expect it to be able to do much :)

      What motives do they have to not remove this root-kit?

      It's not "this rootkit". It could be any rootkit. They are merely checking if the machine has been compromised, before going ahead with applying the patch. Do you want to include an entire rootkit scanner, removal tool, definition files, etc. with every update you send out on windows update? Do you want to delay the sending of patches (to the rest of the world that keeps their machine clean and healthy and cares about these things) while all this is tested?

      What kind of brain detects a root-kit's presence, but doesn't remove it? And instead won't install the updates? Why can't they hire capable people with Brains who would have this tool remove the root-kit then install the updates ?

      You seem to have not applied yourself to the questions you're asking. The answers are plain.

    9. Re:First things first by kandela · · Score: 1

      You have it wrong. They are so worried about viruses *because* they use Windows, not the other way around.

      --
      Conservation of angular momentum makes the world go round.
    10. Re:First things first by smash · · Score: 1

      Probably because it asks for the WGA tool and is incompatible with Microsoft Windows TDK edition.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    11. Re:First things first by FrankieBaby1986 · · Score: 1

      They are merely checking if the machine has been compromised, before going ahead with applying the patch. Do you want to include an entire rootkit scanner, removal tool, definition files, etc. with every update you send out on windows update?

      Well, I'd damn well expect that if they decide not to install the update because of the infection, THEN it should tell me about it and perhaps download and run the appropriate MSRT.

      maybe it does, but TFS doesn't say, and I really shouldn't be on /. right now anyway.

      --
      ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
  2. Makes sense... by TheSpoom · · Score: 1

    Microsoft isn't really in the business of providing a virus scanner as one of their free updates. Oh wait...

    *continues running Ubuntu*

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
    1. Re:Makes sense... by mwvdlee · · Score: 2, Interesting

      To be fair, does the MS virusscanner detect and remove the rootkit?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    2. Re:Makes sense... by HerculesMO · · Score: 5, Interesting

      The malicious software removal tool will take care of it. Their antivirus will not.

      They are giving you the tool to get rid of it and then saying you should install your patches afterwards. But they are chastised for not coming up with an all-in-one solution? Jeez.

      --
      The price is always right if someone else is paying.
    3. Re:Makes sense... by clone53421 · · Score: 5, Informative

      And that’s what will happen. Installation of the patch will fail, if the rootkit is detected. The malicious software removal tool will be pushed out and remove the rootkit. And eventually the patch will be installed again since the installation failed the first time, and if the rootkit is gone the patch should install properly.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:Makes sense... by Rakishi · · Score: 4, Insightful

      And if the rootkit remover bricks some systems you'd be yelling at Microsoft for not making it a separate update so users could prepare for it, right? I doubt it matters what MS does, you'd find a reason to think they're wrong no matter what.

      Security updates are security updates, malware removal is malware removal. Mixing the two is a horrid idea.

    5. Re:Makes sense... by dhavleak · · Score: 1

      If Microsoft can detect the rootkit

      They don't. They're checking hashes on key platform binaries to check if they're compromised -- that's not the same as detecting the nature of the compromise.

      they can fix it...BEFORE running the patch.

      Detecting = more code. Fixing = more code. Many varieties of rootkits to allow for, not just one. Needs much more testing before sending out patches -- delays sending updates to the rest of the world that actually does care, and does maintain their machines in a healthy state. Requires user's approval before making changes to the machine, etc.

      It really can't be that hard.

      Because you say so? Very well - how about you write the code to detect and fix an Alureon infection in your reply to this post?

    6. Re:Makes sense... by chaboud · · Score: 2, Insightful

      Man, this so exemplifies the distorted user perspective of the ease of software development. There is a completely workable workflow here: run update twice, but you want Microsoft to code up a little custom fix (possibly requiring a double-restart) that seems like a triviality, right?

      Wrong.

      It takes a long time to write, debug, test, and deploy even small software changes. When non-coders (or even coders) talk about how easy it would be for someone else to do something, alarm bells go off. Microsoft is doing a completely reasonable thing. I won't say that it's the "right thing," because that would imply that there is only one good course of action. Still, this approach is completely fair, easy to use, and safe.

    7. Re:Makes sense... by Anonymous Coward · · Score: 1, Interesting

      I hope that Microsoft will actually display an appropriate error message. I've had issues installing the Indeo disabling patch where it refused to install and didn't display an error message or whatever. At some point I snapped and manually nuked the codec, so I'm good, but really... The guys who write the security updates can't even code up a message box - what's up with that?

    8. Re:Makes sense... by clone53421 · · Score: 2, Interesting

      Well... I really can’t say I have high hopes for that.

      I’ve had numerous updates (okay, 4 or 5) on Windows 7 that failed to install, with no explanation whatsoever. It seemed like more than it really was because it attempted to install the same 3 updates again the next time I shut down. And the next time. And the next. And... every time until I finally went into the update history to figure out what the deal was.

      (In my case I’ve always been able to go onto the Microsoft website, download the update manually, and install it with no problem... just in case anybody else was having this problem. But as far as error messages go... not helpful at all.)

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    9. Re:Makes sense... by clone53421 · · Score: 1

      P.S. I actually can count; it was the same 3 updates over and over, plus 1 or 2 other updates have failed similarly since then and I have dealt with them in the same way. So 4 or 5, altogether.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    10. Re:Makes sense... by 0p7imu5_P2im3 · · Score: 2, Interesting

      Have you ever tried to code up a message box in Visual C++? It's worse than pulling teeth, especially when your application doesn't need to be interactive otherwise.

      --
      Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
    11. Re:Makes sense... by petermgreen · · Score: 4, Insightful

      mmm, and what's this bloody obsession with error codes. I was having trouble with windows update giving an error recently and the only explanatory information was an error code.

      After some time searching online and finding various speculation I eventually found that the code basically translated as "connection problem" and that I should try again later. Why couldn't they have just fucking told me that in the first place?!

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    12. Re:Makes sense... by westlake · · Score: 1

      The malicious software removal tool will take care of it. Their antivirus will not.

      Both MSRT and Microsoft Security Essentials will detect and remove Alureon A and its kin.

      Definition first published October 23. Revised March 10.

      That doesn't mean a full repair/recovery of every corrupted file:

      The top ten most commonly-targeted driver files are the following:

      atapi.sys
      iastor.sys
      iastorv.sys
      idechndr.sys
      nvata.sys
      nvatabus.sys
      nvgts.sys
      nvstor.sys
      nvstor32.sys
      sisraid.sys

      Users are advised to boot into a recovery environment and manually replace the file with a clean copy.

      Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:

      If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary.

      If a dial-up connection is sometimes used from the computer, reconfigure the dial-up settings in the rasphone.pbk file as necessary, as Win32/Alureon may set the fields "IpDnsAddress" and "IpDns2Address" in the rasphone.pbk file to the attacker's address. The Microsoft scanner code that automatically removes Win32/Alureon backs up the infected dial-up configuration file to:

      %allusersprofile%\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk.bak

      Win32/Alureon
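
The post-removal check on `rasphone.pbk` described in the comment above, as an added example that is not part of the thread or of any Microsoft tool. Only the field names `IpDnsAddress` and `IpDns2Address` come from the page; the sample phonebook, its other keys, the trusted-server list and the treatment of `0.0.0.0` as "unset" are constructed assumptions.

```python
"""Audit a rasphone.pbk phonebook for DNS servers the administrator did not set."""
import ipaddress

# Field names quoted in the comment above, compared case-insensitively.
DNS_FIELDS = ("ipdnsaddress", "ipdns2address")
# Assumption: an empty value or 0.0.0.0 means no static DNS server is configured.
UNSET = ipaddress.ip_address("0.0.0.0")

# Constructed sample; addresses are from the documentation ranges.
SAMPLE_PBK = """\
[Office Dial-up]
DEVICE=modem
IpDnsAddress=192.0.2.53
IpDns2Address=0.0.0.0

[Home ISP]
DEVICE=modem
DEVICE=modem
IpDnsAddress=203.0.113.66
IpDns2Address=203.0.113.67

[Backup]
IpDnsAddress=
IpDns2Address=not-an-ip
"""


def parse_phonebook(text):
    """Return {entry_name: [(key, value), ...]} for an INI-style phonebook.

    Keys are kept as a list of pairs because a section may repeat a key,
    which configparser's default strict mode would reject.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return entries


def audit_dns(text, trusted):
    """Return (entry, field, value, reason) for each DNS field outside `trusted`."""
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    findings = []
    for entry, pairs in parse_phonebook(text).items():
        for key, value in pairs:
            if key.lower() not in DNS_FIELDS or value == "":
                continue
            try:
                ip = ipaddress.ip_address(value)
            except ValueError:
                findings.append((entry, key, value, "not an IP address"))
                continue
            if ip == UNSET or ip in trusted_ips:
                continue
            findings.append((entry, key, value, "untrusted DNS server"))
    return findings


if __name__ == "__main__":
    for finding in audit_dns(SAMPLE_PBK, {"192.0.2.53"}):
        print(*finding, sep=" | ")
```

Running the same audit over the `rasphone.pbk.bak` backup mentioned above shows which entries carried the altered values before cleanup.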

    13. Re:Makes sense... by hduff · · Score: 1

      But they are chastised for not coming up with an all-in-one solution? Jeez.

      No, they are being chastised for having designed an OS that is so easy to exploit and for failing to correct those deficiencies, preferring to let their users acquire additional software and expend additional time and money that all could have been avoided had they done a better job.

      Microsoft's poor security and vulnerability have spawned a significant large industry revolving around exploiting it and fixing it.

      And the sad part is that sheeple just accept it as part of owning a computer.

      --
      "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
    14. Re:Makes sense... by HerculesMO · · Score: 1

      You do know that OS is about 10 years old at this point, right?

      You might want to try their new one.

      --
      The price is always right if someone else is paying.
    15. Re:Makes sense... by TheSpoom · · Score: 1

      I think it's part of the culture that has been taught to developers for a while to hide errors from the user, and instead log them for the administrator. Is it wise? Probably not in an OS, and definitely not for common errors like a connection issue (which is really more of an exception).

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    16. Re:Makes sense... by shutdown+-p+now · · Score: 1

      Have you ever tried to code up a message box in Visual C++? It's worse than pulling teeth

      You must have it really easy when it comes to pulling teeth, given that "coding up a message box" in Visual C++ is exactly one function call.

      For the record, it also doesn't matter if your application is interactive or not, so long as it's not a background service - this call will set up its own message pump, so it is completely self-sufficient. It can be a single line by itself inside int main(), and it will still work.

    17. Re:Makes sense... by 0p7imu5_P2im3 · · Score: 1

      Yeah, exactly one function call, that requires derivation from multiple classes in order to get the first parameter. It took twice as long to add in the MessageBox for my non-interactive program as it did to write the thing without it. I don't doubt Microsoft could do it, but it would require a much larger executable than without such code, and with something like 40% of Windows users still on 56K modem connections, that size comes at a premium.

      --
      Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
    18. Re:Makes sense... by shutdown+-p+now · · Score: 1

      Yeah, exactly one function call, that requires derivation from multiple classes in order to get the first parameter.

      What "classes"? Win32 API is pure C, it doesn't have classes.

      Do you mean "window classes"? Or are you using some object-oriented framework? If the latter, then your objections should really be to the writers of that framework.

      In any case, it still doesn't make any sense to me, because the first parameter can be NULL. If your application doesn't have any windows in the first place, that is precisely what you should do. E.g. the following is a valid and complete Win32 application:

      #include <windows.h>
      int main() {
        MessageBoxA(NULL, "Hello, world!", NULL, MB_OK);
      }

    19. Re:Makes sense... by 0p7imu5_P2im3 · · Score: 1

      This was a couple years ago, but IIRC, I tried putting NULL and it failed miserably. It's possible they have fixed it since.

      --
      Resistance is futile. Your technological distinctiveness will be added to our own. You will become one with the morgue
    20. Re:Makes sense... by shutdown+-p+now · · Score: 1

      This was a couple years ago, but IIRC, I tried putting NULL and it failed miserably. It's possible they have fixed it since.

      I've no idea what you were doing and where you were putting it, but the code that I've posted above has worked since that function first appeared (which might be Win 1.0, for all I know - it was already there in Win 3.1, before 32-bit transition), and never stopped working in any Windows version. If it did, it would break thousands of Windows applications.

      You keep referring to "non-interactive program", though. I don't know what, precisely, you mean by it, but I have a nagging suspicion that it was a Windows service. If so, then MessageBox wouldn't have worked, because services don't generally have access to UI (since there need not even be any UI to speak of when they run - e.g. before user logs in). The MSDN article even mentions that. In that case, it wouldn't work for you, but then a service/daemon trying to display a UI notification is horribly broken in the first place (who are you showing it to?) - it should use log files for that.

      In any case, in the scenario originally being discussed, it is a normal Windows application, so that does not apply.

    21. Re:Makes sense... by cbiltcliffe · · Score: 1

      My Windows XP computer doesn't have err.exe on it.
      It also doesn't have Visual Studio.

      And net helpmsg doesn't decode any 0x12345678 format errors, which is all I've ever seen anywhere important in Windows.

      Next suggestion?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    22. Re:Makes sense... by cbiltcliffe · · Score: 1

      If Microsoft can detect the rootkit

      They don't. They're checking hashes on key platform binaries to check if they're compromised -- that's not the same as detecting the nature of the compromise.

      This cannot be what they're doing. I cannot believe even Microsoft's marketing department could be this stupid.

      Hash checking will not reveal compromised binaries on a rootkit-infected machine. That's the whole point of a rootkit. It makes the operating system lie to you about the contents and existence of files related to the rootkit.

      Which means the machine will be infected, hash checks will pass, and the machine will BSOD on reboot.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
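
The objection above (hashes computed through a compromised OS can be falsified) and the earlier advice to boot a recovery environment point to the same check: hash the driver files from outside the installed system and compare them with a trusted copy. This is an added example, not part of the thread and not Microsoft's package-detection logic; the directory layout, file contents and status names are constructed assumptions, and only the ten driver names come from the page.

```python
"""Compare storage drivers on an offline-mounted Windows volume with a clean baseline."""
import hashlib
import tempfile
from pathlib import Path

# The ten commonly targeted driver files listed earlier in the thread.
TARGET_DRIVERS = (
    "atapi.sys", "iastor.sys", "iastorv.sys", "idechndr.sys", "nvata.sys",
    "nvatabus.sys", "nvgts.sys", "nvstor.sys", "nvstor32.sys", "sisraid.sys",
)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _index(directory):
    """Map lower-cased file names to paths (Windows names are case-insensitive)."""
    return {p.name.lower(): p for p in Path(directory).iterdir() if p.is_file()}


def build_manifest(clean_dir):
    """Hash every target driver present in a trusted copy, e.g. install media."""
    files = _index(clean_dir)
    return {name: sha256_file(files[name]) for name in TARGET_DRIVERS if name in files}


def verify_offline(drivers_dir, manifest):
    """Return {driver: status} for a drivers directory read from a recovery
    environment, so the installed (possibly hooked) OS does not serve the reads."""
    files = _index(drivers_dir)
    report = {}
    for name in TARGET_DRIVERS:
        if name not in files:
            report[name] = "absent"        # not every machine ships every driver
        elif name not in manifest:
            report[name] = "no-baseline"   # present, but nothing trusted to compare with
        elif sha256_file(files[name]) == manifest[name]:
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"      # differs from baseline: inspect or replace
    return report


def demo():
    """Build constructed 'clean' and 'offline' trees and verify one against the other."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, offline = Path(tmp, "clean"), Path(tmp, "offline")
        clean.mkdir()
        offline.mkdir()
        (clean / "atapi.sys").write_bytes(b"constructed clean atapi image")
        (clean / "iastor.sys").write_bytes(b"constructed clean iastor image")
        (offline / "ATAPI.SYS").write_bytes(b"constructed clean atapi image + patch")
        (offline / "iastor.sys").write_bytes(b"constructed clean iastor image")
        (offline / "nvstor.sys").write_bytes(b"constructed vendor driver")
        return verify_offline(offline, build_manifest(clean))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

A `MODIFIED` result only means the file differs from the baseline; the baseline has to come from the same service pack and driver version, since a legitimate update changes the hash as well.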
  3. Time to reinstall it all by bobs666 · · Score: 1

    You keep your original software. Time to wipe it and reinstall. Or perhaps boot Linux and get a faster computer.

    1. Re:Time to reinstall it all by Skarecrow77 · · Score: 1

      windows and its virus propensity is pretty much the only reason I'm still running linux as my desktop OS at this point. In pure usability, windows 7 wins, much as I hate to say it.

    2. Re:Time to reinstall it all by Nadaka · · Score: 1

      Not for me. I keep win7 for a few videogames that don't run on linux at all.

      If I want to watch something from my computer on my 42in HDTV and get sound through the hdmi cable?

      In windows 7 I must first turn my TV on and switch it to the appropriate hdmi channel, then reboot my computer or I get no audio.

      In ubuntu, it just works.

      If I plug a standard formatted SD memory card into my computer?

      In windows 7 it won't read the card unless it formats it first, even if it had previously formatted the exact same card.

      In ubuntu it just works.

      Windows has only two advantages for me.
      It is easier to change my default monitor when using a stretched desktop.
      It runs a handful of video games that I like but don't work on ubuntu or even with wine.

    3. Re:Time to reinstall it all by digitalchinky · · Score: 1

      Clearly you don't 'hate to say it' - you are trolling.

      Windows 7 works for those who like that kind of thing, me, I require virtual desktops, a window manager that doesn't demand click to focus - has highlight copy - middle mouse paste, and on and on and on. Certainly MS Windows can be tweaked to do all these things, but generally not for free, and almost always not without drawbacks.

      So what is it, exactly, that makes Windows 7 better from a usability perspective? I'm curious.

    4. Re:Time to reinstall it all by Skarecrow77 · · Score: 1

      Yesterday I reformatted my HD after installing an Nvidia GTX 470. I put win7 on one partition, and ubuntu 10.04 beta2 on the other.

      I spent several hours last night fighting with 10.04 because it didn't like that I had a video card released only a week before the OS. I had to download 1 day old drivers from nvidia's site, and install those from command prompt with X shut down... ok that's a bit of a hassle, but whatever. Of course, OS didn't like that, it refused to let me stop the GDM service half the time, finally forced me to do it fully from command line. upon reboot, the x config file was somehow botched, and I had to recreate it a few times before I got it right. this wouldn't have been so bad if the first update manager run didn't immediately break the drivers -again-, forcing me to redownload it and reinstall it -again-. Windows 7? I went to nvidia's site, hit download. hit run. rebooted. I'm golden.

      Additionally, apparently despite documentation otherwise, "Auto" is not the default mount option on fstab mounts for cifs/samba shares, and it took me awhile to figure that out, wondering why mount -a would bring in my windows file server shares, but reboots wouldn't. I thought it must be UID or GID codes put in wrong, or credentials or something like that. Finally figured out it was just them changing defaults to the opposite of what they used to be. Windows 7? I clicked "map network drive", put in the network address, hit ok. That's it.

      finally, on top of all that, I don't have sound on movie files using AAC streams, despite the fact that I had such functionality with the same program in my year-old copy of the same OS. I've installed both gstreamer0.10-plugins-bad, faac, and faad and still nothing.

      I'm hardly about to say that windows 7 is problem free, but linux is quite far from "Just works" for me. I don't -want- to switch back to windows as my "daily driver" OS, but linux isn't exactly making a good case for itself here.

    5. Re:Time to reinstall it all by dhavleak · · Score: 1

      In windows 7 I must first turn my TV on and switch it to the appropriate hdmi channel, then reboot my computer or I get no audio

      Right click the speaker icon in the system tray, select the HDMI source, set it as default. Just Works(tm).

      If I plug a standard formatted SD memory card into my computer? In windows 7 it won't read the card unless it formats it first, even if it had previously formatted the exact same card.

      Define standard? Doesn't sound right - SD cards Just Work.

    6. Re:Time to reinstall it all by amliebsch · · Score: 1

      Uh...Microsoft doesn't sell computers. Perhaps you meant to blame HP?

      --
      If you don't know where you are going, you will wind up somewhere else.
    7. Re:Time to reinstall it all by Nadaka · · Score: 1

      absolutely wrong.

      The hdmi audio output is not selectable in win 7 because it is "not plugged in" unless the tv is tuned to the hdmi channel during boot up of the machine, even if the cable is never unplugged.

      standard as in fat32, straight from a camera or any other computer. And no, they don't work. Because I have to format every time a card is plugged in, I can only remove files from the computer while in windows.

    8. Re:Time to reinstall it all by Nadaka · · Score: 1

      I am running ubuntu 9.10 and quite happy with it. It could be possible that some of your problems are a result of using the beta testing version of ubuntu.

    9. Re:Time to reinstall it all by david_thornley · · Score: 1

      GP's anecdote beats your anecdote, since GP wasn't complaining about issues with software clearly marked "beta".

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    10. Re:Time to reinstall it all by mat128 · · Score: 1

      Please remember that you tried Ubuntu 10.04 *beta 2*... Comparing a beta version of an OS against a final, second iteration of a major kernel version (vista was 6.0, 7 is 6.1)...
      Also, nVidia puts much more testing in its Windows drivers than the linux ones, reason being their market is much more on windows than linux, but at least they're trying, unlike ATi (or AMD).

    11. Re:Time to reinstall it all by dhavleak · · Score: 1

      absolutely wrong.

      Easy there. I'm trying to help you.

      The hdmi audio output is not selectable in win 7 because it is "not plugged in" unless the tv is tuned to the hdmi channel during boot up of the machine, even if the cable is never unplugged.

      What TV do you have? On all three of my Win7 machines my Panasonic plasma will show up when I plug it in. Rinse/repeat/plug/unplug, it will appear/disappear on cue. When it's present (by whatever means you're using), set it as default -- and you should be all set.

      standard as in fat32, straight from a camera or any other computer. And no, they don't work. Because I have to format every time a card is plugged in, I can only remove files from the computer while in windows.

      Fat32 is not standard for SD cards - exfat is. What camera are you using?

    12. Re:Time to reinstall it all by general_re · · Score: 1

      absolutely wrong.

      The hdmi audio output is not selectable in win 7 because it is "not plugged in" unless the tv is tuned to the hdmi channel during boot up of the machine, even if the cable is never unplugged.

      You've got crappy drivers, then - I can select HDMI out and set it as the default output whether there's anything plugged in or not. Try newer drivers or a better audio card. Either way, it's clearly not the OS.

      --
      ABSURDITY, n.: A statement or belief manifestly inconsistent with one's own opinion.
    13. Re:Time to reinstall it all by dhavleak · · Score: 1

      Hmm.. on further reading it looks like FAT *is* standard and not exfat. I can only conclude that your camera is set to (or defaults to) some other format. You should look at the formatting options for your camera. It's unlikely that the camera cannot format the SD card in a format that Win7 (or any Windows OS) cannot read. It's unlikely that Win7 would ship without being able to read SD Cards from pretty much any mainstream camera. For both parties (Microsoft and camera manufacturers) this is too mainstream a scenario. There is 100% something quirky in your setup, and the issue should be solvable.

    14. Re:Time to reinstall it all by Skarecrow77 · · Score: 1

      I am fully aware that the OS is in beta, but I seriously doubt that they're going to switch the Nvidia GLX version included with the OS within the next 2 weeks, it's damn close to feature lock, if it isn't there already. It's the version included with the OS that's the problem, and removing the included nvidia blob to use one from their website has been a problem at least back to 8.04 (as far back as I cared to check). 2 more weeks isn't going to fix that issue.

      To the best of my knowledge, gstreamer0.10 is the same version that's in 9.10 (don't remember which version I used in 9.04). We're not dealing with cutting-edge stuff there either. Perhaps I'm wrong, but I'm pretty sure that the Totem version in 10.04 is only a minor revision over 9.10 as well. I'll be quite happy if an update manager run gets rid of that problem as well, but again I doubt it. more than likely there's still some other package I need to install and I have no idea what it could possibly be.

      I don't know what's up with the fstab issue. that one may very well be a bug, but I can't understand how I'm the first person to notice it.

      My point was not that "beta os is buggy". my point is "In many (if not most) cases, linux workflows are significantly more difficult, time intensive, and frustrating than similar windows workflows on all but the absolute best case scenarios".

      I'm not a fanboy of either operating system. I'm looking for the best fit for me, and both of them have issues I dislike. I'm quite capable of overcoming Linux problems, I just don't see why I should have to spend that much time doing so.

    15. Re:Time to reinstall it all by Nadaka · · Score: 1

      "What TV do you have? On all three of my Win7 machines my Panasonic plasma will show up when I plug it in. Rinse/repeat/plug/unplug, it will appear/disappear on cue. When it's present (by whatever means you're using), set it as default -- and you should be all set. "

      That does not work. Like I said before. the only way for audio to work (in windows 7, it works just fine in ubuntu 9.10) is if the tv is tuned to the hdmi channel while the computer boots, only then can I select hdmi as the audio output. And if the computer boots without the tv tuned, even though it was previously selected as default, it can not detect and does not work. The kind of TV I have is not relevant because it works perfectly in Ubuntu, Dynex if it matters.

      "Fat32 is not standard for SD cards - exfat is. What camera are you using?"

      Alright, that right there tells me you don't know what you are talking about. Fat and fat32 are the most common file systems used on sd and sdhc cards, period. ExFat was only really recommended for the SDXC format last year, and that is still a block level device supporting fat32.

    16. Re:Time to reinstall it all by Nadaka · · Score: 1

      If it was not the OS, why does Ubuntu work flawlessly right out of the box?

    17. Re:Time to reinstall it all by dhavleak · · Score: 1

      "Alright, that right there tells me you don't know what you are talking about."

      "The kind of TV I have is not relevant because it works perfectly in Ubuntu, Dynex if it matters."

      I guess you were just spoiling for a fight it looks like. Will have to mark this down as "my anecdote evidence does not match your anecdote". I already acknowledged my error with the file-format before you spewed venom.

    18. Re:Time to reinstall it all by drsmithy · · Score: 1

      So what is it, exactly, that makes Windows 7 better from a usability perspective? I'm curious.

      It doesn't have incredibly annoying UI misfeatures like focus-follows-mouse and highlight copy ?

    19. Re:Time to reinstall it all by aztracker1 · · Score: 1

      The last version of Ubuntu I tried, was a release version with broken (regression issues) for video drivers on almost 2/3 of the computers out there (intel integrated graphics). 9.04 on my Eee netbook specifically. Yeah, creating a release that will have a total fail when running even Frozen Bubble fullscreen, or playing flash on more than half the desktop computers in existence isn't a problem.

      --
      Michael J. Ryan - tracker1.info
    20. Re:Time to reinstall it all by Amnenth · · Score: 1

      Drivers.

    21. Re:Time to reinstall it all by Nadaka · · Score: 1

      Possible, likely even. But Ubuntu was sufficiently capable of overcoming whatever driver problems there were and windows 7 simply was not.

      I have not checked in a month or two, but the latest drivers for my hardware didn't fix the problem in windows 7.

    22. Re:Time to reinstall it all by yukk · · Score: 1

      What most people don't realise at all is that pretty much all the hardware out there that Linux is run on was developed for Windows. That means that before it hits the shelves it's been designed and had drivers written to work with Windows. Linux is lucky if it has a "best effort" driver coded by the hardware manufacturer.
      Otherwise all these drivers are coded by people supporting Linux and not the hardware.
      That's why stuff "just works" in Windows. That's the way it was designed.
      That's like saying that you bought two Ford gearboxes and when you put one in your Ford it "Just worked" but when you tried to put the other into your Volkswagen you had too much trouble and therefore VWs suck.
      On the other hand you're right and it's unfair to expect your grandmother to get that gearbox into the Volkswagen.

      --
      "The trouble with the rat race is that even if you win, you're still a rat." Lily Tomlin
    23. Re:Time to reinstall it all by yukk · · Score: 1

      So what is it, exactly, that makes Windows 7 better from a usability perspective? I'm curious.

      It doesn't have incredibly annoying UI misfeatures like focus-follows-mouse and highlight copy ?

      I think you have it exactly wrong there. I wish it did have useful features exactly like those two.

      --
      "The trouble with the rat race is that even if you win, you're still a rat." Lily Tomlin
    24. Re:Time to reinstall it all by Skarecrow77 · · Score: 1

      Look, I WANT linux to be the best, I'm rooting for it to be the best, but considering I work a job where I solve other people's computer problems for 8-9 hours a day, I don't want to come home to spend my evening trying to fix my own because update manager pulled down a new version of wine or video driver or something.

      Yes yes, I know, OSX is probably what I'm really looking for, and I'd be happy to try it if there wasn't a 100% markup on the hardware involved.

    25. Re:Time to reinstall it all by LinuxIsGarbage · · Score: 1

      I have not seen a computer that ships without a recovery DVD that won't beg you to burn off recovery DVDs. But again it's an OEM issue, not Microsoft.

  4. I understand why MS is doing this... by teknopurge · · Score: 1

    Provided they [MS] provide doco on how to remove the rootkit, I don't take issue with this. This is similar to MS testing a 3rd-party developer's product to make sure it works, when in the marketplace it's the job of the 3rd-party shop. Somehow I doubt the rootkit devs are going to get their kit validated by MS as a certified app......

  5. The right thing to do by techno-vampire · · Score: 2, Informative

    If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them. Of course, this is Microsoft we're talking about, so you know they're not interested in what's right unless it's also profitable.

    --
    Good, inexpensive web hosting
    1. Re:The right thing to do by Skarecrow77 · · Score: 1

      patching 9 year old operating systems that they've "obsoleted" twice now, is "profitable"? really?

    2. Re:The right thing to do by jedidiah · · Score: 1

      It doesn't matter how old XP is.

      It only matters how old the machine is that came pre-installed with it.

      It's moronic and highly anti-consumer to advocate anything else.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    3. Re:The right thing to do by TrancePhreak · · Score: 2, Informative

      If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them.

      They do just this. Malicious Software Removal Tool.

      --

      -]Phreak Out[-
    4. Re:The right thing to do by techno-vampire · · Score: 1

      Ever heard of their Malicious software removal tool?

      As a matter of fact, no. I run a Linux only household and as long as Microsoft has 90%+ market share, such things have only a minor academic interest for me.

      --
      Good, inexpensive web hosting
    5. Re:The right thing to do by maxwell+demon · · Score: 1

      Why would I run a malicious tool? Especially a malicious software removal tool? I'm sure it would remove exactly that software where I can't find the installation media any more! :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    6. Re:The right thing to do by 2short · · Score: 1

      Ever heard of their Malicious software removal tool?

      As a matter of fact, no. I run a Linux only household and as long as Microsoft has 90%+ market share, such things have only a minor academic interest for me.

      A "minor academic interest" in such things would imply you are slightly interested in gaining knowledge about them, if not for practical reasons. By complaining that Microsoft is bad for not doing what they actually do ( and what the fine article says they do), it would appear you have more of a "religious (dis)interest" in the facts of the case at hand.

    7. Re:The right thing to do by Fishchip · · Score: 1

      Ahhh, you crazy trend-bucker you. You should use Haiku, it has an even smaller market share!

    8. Re:The right thing to do by thoughtsatthemoment · · Score: 1

      It's more profitable than the user switching to Linux.

    9. Re:The right thing to do by techno-vampire · · Score: 1

      it would appear you have more of a "religious (dis)interest" in the facts of the case at hand.

      Actually, no. I have friends who use Windows. I don't try to "convert" them, because if that's what they like or are used to, there's no reason for them to change. It is, however, nice to know that Microsoft actually does make this tool available, and that anybody using XP who wants to avoid this issue has a good, free way of doing it.

      --
      Good, inexpensive web hosting
    10. Re:The right thing to do by Anonymous Coward · · Score: 1, Insightful

      If HP sold a laptop with DOS or BeOS you would expect support?

    11. Re:The right thing to do by Skuld-Chan · · Score: 1

      Have you even heard of Windows MSRT?

    12. Re:The right thing to do by LinuxIsGarbage · · Score: 1

      If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them. Of course, this is Microsoft we're talking about, so you know they're not interested in what's right unless it's also profitable.

      http://www.microsoft.com/security/malwareremove/default.aspx

      XP will keep getting security updates until at least 2014. It was rendered obsolete in early 2007. Try getting OSX Tiger updates. It was dropped like a rock seconds after Leopard came out.

    13. Re:The right thing to do by b4dc0d3r · · Score: 1

      I like linux but I run Windows everywhere, and I'm only vaguely aware of this tool. I un-check it every time I do a Windows update, usually with a "Ha, like I'd let you run on my machine" type snark. I wouldn't think it's reasonable to expect a Windows user to be aware of whether it detects rootkits, especially the typical user since auto-updates happen without even registering (or auto-updates are turned off, either way most windows users never even see it). It started out just removing worms and trojans, and I never even expected it to detect rootkits. If I never did Windows Updates manually to filter out genuine advantage and other garbage I'd not even think about it.

      I would trust Rootkit Revealer from Sysinternals before I'd trust something Microsoft sends (yes I know they are the same company). I'm not saying there's a problem with it, in fact Windows Defender seems to be very highly recommended and lightweight compared to free antivirus solutions, so I'm sure MSRT does a fine job on a specific set of known malicious files.

      I have a religious disinterest in this case, since I'm aware of it and refuse to learn about it. The linux poster who knows nothing about it is simply ignorant (not an insult, simply lacking facts). I would classify "minor academic interest" as picking up new information if it comes along and happens to be meaningful to stick, not actively seeking information. The fine line is whether someone actively avoids learning, or simply allows opportunities to slip by. I actively avoid it, and I both know and admit it, but looks like this poster simply lets it slide.

      In fact, most of the Anti-virus vendors are complaining about the unfair monopoly MS has, destroying their business prospects by including Antivirus out of the box. But most of the reporting is on Windows Defender, completely ignoring (or mentioning without much description) the Malicious Software Removal Tool. It's more likely that someone following news for nerds knows about Defender than the MSRT.

      You could have simply said RTFA or included this quote:

      the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.

      That would have been a much better, and as I illustrated above more accurate, reply than "religious disinterest", unless you meant of the article rather than Microsoft-related stuff.

      So now we have the question of whether a linux user would reasonably be aware of Windows Defender, which constitute the other 20 or so redundant replies to this question. I admit that when I come across a linux antivirus article, I've learned that it does not apply to Windows and so I ignore it. I'd expect the same from a linux user on Windows A/V articles. Surely the A/V industry complaints about Microsoft's monopoly abuse have managed to get through? No, the brain at some point cannot stand any more "Microsoft accused of abusing its monopoly" stories and just skips on.

      The only reason I'm aware of Windows Defender as a Microsoft user and programmer (.NET, T-SQL, Win32, VBS, broken CSS, and some others and semi-active in the ReactOS community so I'm fully entrenched) is because a recent "Ask Slashdot" asked about free antivirus, and almost across the board Defender was the recommendation. I got tired of AVG's continued bloat and silly issues like only using the C drive for updates (which can cause out of diskspace errors, which is made worse because it doesn't clean up after itself), so I read the article - otherwise I would have ignored it.

      Put yourself in someone else's shoes before making a reply, it makes the discussion flow better. I've violated that a few times myself and I cringe when I scroll past those comments in my post history, but I try to do better.

      MSRT history of which files are detected in each release so that someone can correct me if one of the originals was a rootkit (Hackdef was added in April, maybe there was one before that):
      http://support.microsoft.com/?kbid=890830

  6. Lesser of two evils? by HockeyPuck · · Score: 5, Insightful

    Let's see what do I want?

    A) A working machine that has a rootkit installed.
    B) A machine that no longer works.

    Can you expect MSFT to test their patches against machines that have been modified via rootkits? Or should the patches themselves remove the rootkits? You are assuming that MSFT can remove the rootkit in the first place.

    1. Re:Lesser of two evils? by spidercoz · · Score: 1, Insightful

      C) A working machine that's immune to rootkits and doesn't have an obsolete OS.

      hint: always choose C.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - Evelyn Beatrice Hall, re Voltaire
    2. Re:Lesser of two evils? by clone53421 · · Score: 1

      What is this miraculous machine to which you refer?

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    3. Re:Lesser of two evils? by Rockoon · · Score: 1

      I'm sure that you've HURD of it.

      ..oh..did you want one that actually works and stuff?

      --
      "His name was James Damore."
    4. Re:Lesser of two evils? by Dishevel · · Score: 1

      Immune is a strong word and obsolete would be in the eye of the beholder, but I kind of like Ubuntu. Updates regularly. Works. Never had a virus. Would have to be an idiot to allow it to get rooted. YMMV.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    5. Re:Lesser of two evils? by Mordok-DestroyerOfWo · · Score: 1

      My NES has proven remarkably efficient at blocking rootkits. I was able to get one loaded as a test, but I had to blow real hard on it first.

      --
      "Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
    6. Re:Lesser of two evils? by maxwell+demon · · Score: 1

      A sufficiently old car. It's a working machine (assuming it's not broken), it's immune to rootkits (because it has no processor which could run them) and it doesn't have an obsolete OS (it has no OS at all).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:Lesser of two evils? by clone53421 · · Score: 2, Funny

      It most certainly does have an Operating System. In fact if it has disc brakes it even has a Disc Operating System...

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    8. Re:Lesser of two evils? by Anonymous Coward · · Score: 1, Insightful

      I want you to have (B).

    9. Re:Lesser of two evils? by IHateEverybody · · Score: 1

      Well Microsoft has been pretty aggressive about pushing its Malicious Software Removal Tool onto computers. So if I were Microsoft and my software detects a rootkit that the MSRT can't remove, I think I'd probably put a higher priority on updating the MSRT so that it can remove the rootkit. And then I can start patching my other software bugs.

      --
      Does this .sig make my butt look big?
    10. Re:Lesser of two evils? by LinuxIsGarbage · · Score: 1

      But what if the user declines to run MRT? Should they then just let the update bork the system?

    11. Re:Lesser of two evils? by spidr_mnky · · Score: 1

      Working? I guess "working against you" is technically "working"...

  7. Misuse of phrase by girlintraining · · Score: 4, Funny

    What ever happened to backwards compatibility? Why, I remember the day when any virus, worm, or piece of malware, would run no matter what!

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Misuse of phrase by Hurricane78 · · Score: 1

      But: Application software: Not so much! ^^

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    2. Re:Misuse of phrase by VGPowerlord · · Score: 1

      Have you heard of MS still supporting Win 3.1?

      Most Win 3.1 non-filesystem related programs will still run on Windows 7 32-bit. Not on 64-bit though.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
    3. Re:Misuse of phrase by hairyfeet · · Score: 1

      Actually if you really wanted to run Win3.x programs it is trivial to load DOSBox which will let you run pretty much anything from DOS through Win9X software easily, even on x64. How's THAT for backwards compatibility! That is one of the things I like about Good Old Games, for their older titles they come with a preconfigured DOSBox so it runs like a native app. Nice!

      As far as TFA goes, I doubt really seriously MSFT can do much more than block the infected machines from running Windows update. For those saying "pop up a msgbox"? Most of these newer malware infections are hooked so deep you pretty much can't launch squat, including popping up a msgbox, without the program intercepting it and shutting it down. No CMD, no Run command, no Task Manager, nothing. It goes in and screws with all the permissions for anything other than itself so any attempt at bringing up another program results in "You do not have permission to perform this action. Please contact your system administrator".

      So I doubt if it is anything like the malware that has been crossing my desk lately MSFT can do anything else. The Malicious Software Removal Tool gets its ass royally kicked by this new malware, especially the new "Fake security tool" crap like ST2010 and AV2010. Pretty much all the users can do is take it to a shop, as MSFT probably can't even pop a msgbox on one of those. They may be able to bring up a web page with a warning, but even that is doubtful as many of the new ones hijack all browser requests as well. Trust me they are really nasty bastards to deal with.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Misuse of phrase by LinuxIsGarbage · · Score: 1

      Your 16 bit apps will still run in XP-mode. If you don't have Pro or ultimate, you can get free IE compatibility VHDs. You can also use trusty old DOS "ed" in Win7 x64

    5. Re:Misuse of phrase by VGPowerlord · · Score: 1

      I didn't mention XP mode, because most users will probably have Home Premium installed and not have it available.

      The free IE compatibility VHDs have a built-in expiration date. I suppose you could change your clock back (remembering to disable the option to set time from the Internet)...

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  8. And the issue is? by dirk · · Score: 5, Insightful

    I really don't have a problem with this. If the system is already rooted, the patch isn't going to actually help anything since their security is already compromised. And with all the bad press MS received last time over something that was not their fault at all, why should they risk it again? If your system has a serious issue like being rooted, then you have to take care of the issue before you can install the patch. Seems logical to me.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    1. Re:And the issue is? by rickb928 · · Score: 2, Informative

      If this was all caused by some commercial software, say, Adobe Reader gaining a bug that hosed Windows Update, we would be all over Adobe for breaking Windows Update and denying us our precious patches.

      So far, very little scorn for the rootkit author(s) or their legion of distributors.

      I get alerted to malware of various types, from Javascript exploits to out-and-out rootkits, from several interesting websites I visit frequently. I've been reduced to checking them on my phone, cause so far they haven't taken on an advertiser that delivers Android malware. So far. Even my Ubuntu with Firefox sees attacks.

      Place the blame where it belongs; Malware distributors and authors, lazy/incompetent/naive users clicking away on pretty stuff, and of course the Windows security community for the abject failure that is Windows 'security', in name only. Windows Update is doing the right thing - alerting users to the potential for serious system failure and the cause. Plowing along and bricking systems is irresponsible.

      Rootkits and the ad servers delivering them should be brought up on criminal charges. Surreptitiously installing software on my machine without my permission should be trespass, and punished accordingly, right up the food chain. Yes, that would mean some day a nice man from the FBI coming into a NAP and cutting off fiber connectors. If you run a red light while drunk, you get the full monty. Go all the way and punish malware by shutting down the ad servers that are delivering it, and you will get action.

      Of course, if that fails, then you go to the New York times, for example, and explain why you are shutting down their sites - they chose web ad agencies badly. Tough. Accountability.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  9. Why bother? by trifish · · Score: 5, Insightful

    Rightfully so. Security patching a rootkit-ed OS is mildly amusing and also a bit redundant. The only way to secure such an OS starts with reformatting the system partition.

    1. Re:Why bother? by gzipped_tar · · Score: 1

      I see your point, but I guess by "redundant" you meant to say "futile", or has my humor filter been rooted?

      --
      Colorless green Cthulhu waits dreaming furiously.
    2. Re:Why bother? by SCPRedMage · · Score: 1

      Actually, I rooted it last night. I used this access to encrypt your humor-related files, and will give you the encryption keys once you wire $1,000,000.00 USD to my overseas bank account.

      --
      My sig can beat up your sig.
    3. Re:Why bother? by ZiggyM · · Score: 1

      Reformatting the hard disk is not enough. The rootkit could hide on some device's firmware or even the graphics card memory. http://www.eweek.com/c/a/Security/Black-Hat-Demonstrations-Shatter-Hardware-Hacking-Myths/

    4. Re:Why bother? by maxwell+demon · · Score: 1

      The only way to secure such an OS starts with reformatting the system partition.

      No, it starts with nuking it from orbit. It's the only way to be sure.

      --
      The Tao of math: The numbers you can count are not the real numbers.
    5. Re:Why bother? by mcgrew · · Score: 1

      Security patching a rootkit-ed OS is mildly amusing and also a bit redundant

      Car analogy: it's like fixing your door lock and leaving the broken out window unrepaired.

  10. Misleading title by Anonymous Coward · · Score: 1, Insightful

    The title is totally misleading. It gives the sense that Microsoft refuses to deliver some patch that fixes the rootkit infection. While in fact Microsoft avoids delivering the patch to keep the machines in a working (albeit infected) condition.

    I bet that the poster is a fanboi that found his opportunity to bash Microsoft... :-P

    1. Re:Misleading title by SCPRedMage · · Score: 5, Insightful

      Screw that. Deliver the patch, BSOD the idiots, and get them off the net so that they're not a danger to the rest of the world.

      --
      My sig can beat up your sig.
    2. Re:Misleading title by AnotherUsername · · Score: 1

      So, if somebody isn't running your pet operating system, or they aren't as technically skilled as you, they automatically deserve everything they get? Your social skills are astounding, to say the least. I bet you get all the ladies.

      "You mean to tell me that you don't know how to set up and admin a Cisco network? You don't know C? Get away from me, whore!"

      The fact that your comment was modded insightful is discouraging, yet expected, to say the least. How sad.

      How about realizing that not everyone is a computer guru, and sometimes people, while doing something 'stupid', may not understand that what they are doing is harmful. Such as clicking on popups for 'security software'. People who are not technically literate may not know not to click on those. They can use the Internet, and use a word processing program, but they don't know the security protocols that come with using computers, because people like you simply harass them and call them idiots because they don't know everything you do.

      I hope you understand that the very same people that you make fun of for not being technically literate can probably run circles around you in other areas. How much do you know about vehicles? Farming? Construction? Plumbing? Healthcare? Be sure to be the supreme expert in all areas of life before you start labeling people idiots.

      --
      I don't like Linux. This doesn't make me a troll.
    3. Re:Misleading title by SCPRedMage · · Score: 1

      Nice strawman argument. Too bad you're full of shit. Knowing not to do stupid shit on the net and to run antivirus software is nowhere near knowing Cisco networks or any form of programming at all, but you do an excellent job trying to equate them.

      I don't think that everyone needs to be as technically literate as I am, but I DO believe that they have the responsibility for what their machines do. And if they're a part of a bot-net, they're sending out spam, participating in DDoS's, etc.

      AND THEY ARE FULLY RESPONSIBLE FOR THAT.

      If patching rooted systems causes them to BSOD, do it. It's probably the ONLY way to FORCE the uneducated user to get his system cleaned.

      I'll admit that I know nothing of vehicle maintenance, farming, construction, plumbing, OR healthcare. But if I try my hand at any of those, I'm responsible for the outcome. If I try a heart-transplant without knowing what the hell I'm doing, I GO TO JAIL. Yeah, that example is pretty extreme, but it should get my point across.

      My point is that yes, these people SHOULD be allowed to use their computers. They SHOULD be allowed to be on the Internet. But they NEED to keep their systems clean, and if they won't take the time to learn, or don't know that they need to, they need a wake-up call. And considering that people have a tendency to stick their heads in the sand and ignore all but the most extreme signs, they need an EXTREME wake-up call. Like, say, their systems suddenly not working, prompting them to either buy a new system (a temporary fix for the root problem), or hire an expert to fix the computer, who will hopefully figure out what actually happened and let them know. Once people understand that they need to not be stupid OR ELSE, they'll learn.

      OR ELSE.

      --
      My sig can beat up your sig.
    4. Re:Misleading title by Fishchip · · Score: 1

      What, did BSODing someone's machine somehow suddenly cut all their ties to the net for life? They'll find other machines, admittedly with newer OSes, but they'll still be in the same old habits.

    5. Re:Misleading title by SCPRedMage · · Score: 1

      Until the next time this happens. If the systems that they use all eventually go down, either they'll get fed up and stop using the Internet, or they'll try to figure out what's going on.

      And even if they don't, a temporary benefit for us is still a benefit...

      --
      My sig can beat up your sig.
    6. Re:Misleading title by aztracker1 · · Score: 1

      Maybe it should change their default browser to IE, without any plugins/addons/toolbars, and point it to a page to download the malicious software removal tool, and microsoft security essentials, with a warning, your machine is compromised... Hell, I wouldn't mind if more broadband ISPs did this as a blind intercept via DNS for requests coming from a compromised system.

      --
      Michael J. Ryan - tracker1.info
    7. Re:Misleading title by SCPRedMage · · Score: 1

      A good idea, but I wouldn't be surprised if a large number of people ignored said warning.

      Personally, I think that if an ISP can POSITIVELY identify a customer with a compromised system, they should isolate them from the rest of the network, and forward all their HTTP requests to a webserver explaining what's going on.

      --
      My sig can beat up your sig.
    8. Re:Misleading title by Skuld-Chan · · Score: 1

      I think the idea is to deploy MSRT - let it do its thing, and then the patches will install. That approach seems a bit more sane.

    9. Re:Misleading title by SCPRedMage · · Score: 1

      Except that the kind of user that would stay infected long enough for this to be an issue don't even KNOW about the MSRT, let alone would think that they should use it...

      --
      My sig can beat up your sig.
    10. Re:Misleading title by LinuxIsGarbage · · Score: 1

      Even though it's pushed through Windows update?

    11. Re:Misleading title by aztracker1 · · Score: 1

      That was actually, kind of what I had meant... Generally an ISP *can* know who is infected simply based on outbound mail traffic, let alone other vectors directly. I agree with the isolation, and as I said would do a DNS interception in order to facilitate direction to an isolated set of pages, with a clear label that it's the ISP's page/site.

      --
      Michael J. Ryan - tracker1.info
  11. Microsoft - Pragmatic solution to hard issue. by irreverant · · Score: 5, Interesting

    I think Microsoft acted responsibly in this situation. They merely mitigated any future issues these patches might have, they didn't want the same thing to happen again. In this case it was prevention not intervention. Unfortunately, there are many ways to get a rootkit installed on a computer; however, most of the time it's usually the user that infected themselves. This is why there are measures that a user can take to prevent or minimize the occurrence. Microsoft did make a note to remove the infection and then install the patch. If they don't know how to remove the infection or don't know they can download if not purchase one of many anti-virus solutions or pay someone to do it, then maybe the users should rethink their web browsing behaviors.

    --
    Of all the things I've lost; I miss my mind the most. - Mark Twain
    1. Re:Microsoft - Pragmatic solution to hard issue. by Rich0 · · Score: 1

      I tend to agree. If I were running a megacorp with 30k computers, and it turns out that 1000 of them have a rootkit I'd rather that they didn't just all die at the same time from a random patch.

      Of course, I'd be scanning for stuff like this anyway, so I'd be fixing these problems before they got out of hand.

      Even so, adding a major outage to a major security problem isn't necessarily an improvement.

    2. Re:Microsoft - Pragmatic solution to hard issue. by VGPowerlord · · Score: 2, Insightful

      Microsoft also included some measures in newer versions of Windows to mitigate user stupidity... and even one to mitigate programmer stupidity in Internet Explorer.

      Not that there aren't still holes in those methods... or the user can just be stupid and click Allow.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  12. Re:The Microsoft way! by sopssa · · Score: 4, Insightful

    I recall slashdotters complaining that they didn't do CRC check or similar (they do, but the rootkit gave 'real' value and it was worthless).

    Now they're doing the right thing and we get news how they refuse to patch the systems whose .dll files have been damaged? Welcome to slashdot.

  13. Oddly enough... by HerculesMO · · Score: 3, Interesting

    Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.

    But I won't stop the Slashdotters here from complaining about it.

    --
    The price is always right if someone else is paying.
    1. Re:Oddly enough... by maxwell+demon · · Score: 1

      Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.

      So the tool to remove it comes in a patch, and patches refuse to install if you are infected?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:Oddly enough... by HerculesMO · · Score: 1

      Yes, because they are asking that if you're infected, to remove the problem (using a provided tool) and then try the patches again.

      This really isn't rocket science, is it? Why should MS come up with a solution for only a small percentage of users when they provide the tool to fix it themselves?

      --
      The price is always right if someone else is paying.
    3. Re:Oddly enough... by westlake · · Score: 1
      Their Malicious Software Removal Tool (sent out on Patch Tuesday) can remove the rootkit.

      MSRT and MSE have been able to detect and remove Alureon.A and its kin since October 23, 2009. Virus:Win32/Alureon.A

    4. Re:Oddly enough... by LinuxIsGarbage · · Score: 1

      No. The patch TO PREVENT IT (not remove it) that will cause BSODs if installed on infected systems will refuse to install if it determines the system may be compromised by that exploit.

      The user may opt not to run MRT (it will ask to continue before running). A corporation may deploy the update, but not MRT. One can't assume that MRT was run before the update. I do believe MRT tries to run before updates are installed.

  14. Re:The Important Question by BadAnalogyGuy · · Score: 2, Informative

    Code 0xB302392838271

    This is why I come to Slashdot. So many computer-literate people...

  15. Summary title in error by Rockoon · · Score: 5, Informative
    From the article:

    As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.

    It isn't that they won't patch these systems, it's that they won't automatically install the MSRT, which removes the rootkit, as part of the update.

    ..and to be perfectly honest, who wants the MSRT to be a mandatory component. Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

    --
    "His name was James Damore."
    1. Re:Summary title in error by slimjim8094 · · Score: 1

      Though to be fair, if you have a rootkit on your corporate machines, the MSRT is the least of your worries.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    2. Re:Summary title in error by Rockoon · · Score: 1

      I still assume that uptime is your biggest worry in enterprise. Compromised security is dealt with in a way that preserves the uptime required to operate the business.

      --
      "His name was James Damore."
    3. Re:Summary title in error by Jeian · · Score: 1

      Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

      Agreed. Our administrators are perfectly capable of bricking our systems on their own, thank you very much.

  16. Attn infected PC users: Can't have it both ways. by techvet · · Score: 5, Insightful

    First, you beat up Microsoft because their patch trashed machines that were *already* infected. Then you beat them up because they backed off on applying the patches to avoid trashing the machines. Get thee to SuperAntiSpyware and Anti-Malwarebytes and get your machine cleaned up before you complain.

  17. You can't put it off forever! by fred+fleenblat · · Score: 3, Funny

    This just proves that it's a great time for people who have been sticking with XP to take the plunge and upgrade to Windows 2000 Professional.

  18. User Experience FAIL by _KiTA_ · · Score: 2, Insightful

    If they have the ability to detect these things, why in the world doesn't a little popup appear in the systray or security center saying "Your system appears to have a form of Malicious Software installed. Windows Updates are currently disabled. Please see your Network Administrator."

    Seriously, the rogue spyware apps do this all the time, why can't Windows itself do it?

    1. Re:User Experience FAIL by ashridah · · Score: 1

      because then the malicious software would just start detecting and suppressing the popup? anything already on the system will break. newly downloaded stuff might be able to overcome existing defences by malicious software, OTOH.
      Thus, the game of cat and mouse continues, but at least the cat isn't being completely blind in this scenario.

  19. You can't fix stupid by rudy_wayne · · Score: 5, Insightful

    "Microsoft discovered the problems occurred on machines infected with the Alureon rootkit"

    There are many reasons to hate Microsoft, and their QA failure when it comes to security is certainly one of them. However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault. In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.

    1. Re:You can't fix stupid by maxwell+demon · · Score: 1

      However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity, something that is not Microsoft's fault.

      Of course it's Microsoft's fault. If they made the OS so that stupid people were unable to use it, stupid people wouldn't use it and therefore they wouldn't get rootkits on it. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:You can't fix stupid by washort · · Score: 1

      However, the spread of rootkits, viruses and other malware is primarily caused by user stupidity

      Hell no. Malware on Windows is directly the fault of Microsoft because they could have designed an OS that was immune to these problems but they haven't. Blaming the users helps no one.

    3. Re:You can't fix stupid by gandhi_2 · · Score: 1

      By running my users as restricted accounts, disabling autorun, and forcing security patches to be auto-installed and forced reboot, I've avoided any real problem for YEARS.

      Is it the car manufacturer's fault you parked your car in sea water and it rusted?

    4. Re:You can't fix stupid by cybernanga · · Score: 1

      In the early days of personal computers I took the time to learn how things worked. If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. If you don't know how to do this, then maybe it's time you learned. If you're not willing to learn, then do the rest of the world a favor and throw your computer out the nearest window.

      When I first learnt to drive, I took the time to learn how things worked. When my engine seized, I removed it, stripped it down, rebuilt and refitted it. If you don't know how to do this, then maybe it's time you learned. If you are not willing to learn, then do the rest of the world a favour and roll your car off the nearest cliff.

      Email and internet access have become necessities (some countries have even declared internet access to be a human right) you can't expect everyone to have that level of knowledge. Personal computers need to be more appliance-like, and the user shouldn't be required to know what's inside or how it works to use it.

      Apple appear to be making progress in this regard with the iphone OS, but they keep getting slammed for not being open, and restricting users. Unfortunately this is the trade-off.

      N.B. I have several Macs and I like them, however, I also have several windows machines and a couple of machines running ubuntu, I like those too.

      --
      www.Buy-Proxy.com - A "buyer-driven" global marketplace.
    5. Re:You can't fix stupid by aztracker1 · · Score: 1

      Name one OS that is inherently secure from stupid users installing malware... There isn't one, iPhone/iPod comes close only because of Apple's draconian approval process, and tight controls (also maligned).

      --
      Michael J. Ryan - tracker1.info
    6. Re:You can't fix stupid by LinuxIsGarbage · · Score: 1

      If you're having the problem described in this article then you can wipe your hard drive and re-install Windows. But why compound the stupidity. Make the stupid stop! Install Ubuntu and you will never have to worry about a virus ever again. Over the last decade, I've spent exactly 0 seconds wasting my time worrying about viruses, worms, malware, or any other ilk dreamed up by some kid in his second class of 'introduction to vb on windows'. STOP THE INSANITY!!!

      So since you don't have to worry about any nasties on Ubuntu, that means I can just click on that BoA link I got in my email and enter my details right?

      Safe computing has to be practiced on any OS!

  20. can't MS come up with a patch to block rooting? by swschrad · · Score: 3, Interesting

    I mean, they already have the malicious software removal tool, so they could blow the roots away if they wanted to. but what is really needed here is to block the rooting mechanism altogether.

    or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
    1. Re:can't MS come up with a patch to block rooting? by AndGodSed · · Score: 1

      Remember. He who play in root, eventually kills tree.

    2. Re:can't MS come up with a patch to block rooting? by yuhong · · Score: 1

      or go back to the saner architecture of nt 3.0/3.1/3.5, where only the kernel and its designated MS helpers ran at level 0 to start with. the world started to go to hell when they allowed the video driver into level 0.

      That would have been useless, as the rootkit had nothing to do with the Win32 subsystem. It involved the file system, which has been in kernel mode from the beginning of NT.

    3. Re:can't MS come up with a patch to block rooting? by The+MAZZTer · · Score: 1

      Doesn't the video driver run in user-mode now?

    4. Re:can't MS come up with a patch to block rooting? by StrategicIrony · · Score: 1

      Sure, but not in XP. :-P

      But it IS almost 9 years old already.

      Sheesh. Seems like a lot of people are pretty critical given the situation...

    5. Re:can't MS come up with a patch to block rooting? by Skuld-Chan · · Score: 1

      How would Windows NT 3's architecture protect a user from rootkits? If the kernel is patchable in *any way* (not just video drivers) you are vulnerable. I can't imagine the hordes of security holes in NT 3.x - this was an OS made at a time when really no-one thought about system security.

  21. classically mindlessly anti-microsoft by circletimessquare · · Score: 3, Insightful

    microsoft doesn't refuse to patch rootkitted systems, microsoft is UNABLE to patch rootkitted system. NO ONE can patch a rootkitted system, of ANY OS. you need to wipe the system and reinstall

    it is ok to be against microsoft, but you have to base your opinion on genuine problems. when you base your opinion on mindless propaganda, you are just another useless partisan in this world: loud, dumb, useless

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:classically mindlessly anti-microsoft by digitalchinky · · Score: 1

      You didn't think about this before you fired off your little opinion piece did you? It is indeed absolutely possible, though one might not necessarily recommend it. All you need to do is boot from another source - mount your compromised file system and then overwrite anything not having a proper hash. This works fine if you keep a hash list based on an uncompromised reference. Think about a 'tripwire' concept.

      In Linux this is trivially simple to do.
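
The offline check described in the comment above, as an added example that is not part of the original comment or of any tool named in the thread. It assumes the suspect file system is mounted from trusted boot media and that the reference copy and its hash list were taken from an uncompromised install; all file names and contents are constructed.

```python
import hashlib
import os
import shutil
import stat
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so large binaries do not fill memory


def file_digest(path):
    """SHA-256 of a regular file; symlinks and special files are described, never opened."""
    mode = os.lstat(path).st_mode
    if stat.S_ISLNK(mode):
        return "symlink:" + hashlib.sha256(os.fsencode(os.readlink(path))).hexdigest()
    if not stat.S_ISREG(mode):
        return "special:%o" % stat.S_IFMT(mode)  # device node, FIFO, socket
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every path under root (relative, '/'-separated) to its digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # symlinks to directories show up in dirnames; record them as entries too
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in filenames + links:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def verify_tree(root, manifest):
    """Compare a mounted tree against a manifest built from the reference."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def restore(reference_root, suspect_root, report):
    """Overwrite modified files and re-create missing ones from the reference.

    Unexpected files are left in place for the analyst; deleting them
    automatically would destroy evidence and possibly user data.
    """
    for rel in report["modified"] + report["missing"]:
        src = os.path.join(reference_root, *rel.split("/"))
        dst = os.path.join(suspect_root, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        if os.path.lexists(dst):
            os.remove(dst)
        shutil.copy2(src, dst, follow_symlinks=False)


def write_file(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed reference and suspect trees; returns the report before and after restore."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = os.path.join(tmp, "reference")
        sus = os.path.join(tmp, "mounted_suspect")
        files = {
            "kernel.bin": b"kernel v1",
            "drivers/disk.sys": b"disk driver v1",
            "shell.dll": b"shell v1",
        }
        for root in (ref, sus):
            for rel, data in files.items():
                write_file(os.path.join(root, *rel.split("/")), data)
        # Constructed tampering: one file altered, one removed, one added.
        write_file(os.path.join(sus, "drivers", "disk.sys"), b"disk driver v1 + hook")
        os.remove(os.path.join(sus, "shell.dll"))
        write_file(os.path.join(sus, "drivers", "hidden.sys"), b"unknown")

        manifest = build_manifest(ref)
        before = verify_tree(sus, manifest)
        restore(ref, sus, before)
        after = verify_tree(sus, manifest)
        return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), demo()):
        print(label, report)
```

The comparison only covers files on the mounted volume and is only as trustworthy as the manifest, so the hash list has to be stored somewhere the suspect machine could never write to.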

  22. Re:Order by Locke2005 · · Score: 1

    Couldnt them had included...Had you been knowing English long?

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  23. MSE claimed to work by Bearhouse · · Score: 4, Interesting

    See:

    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Virus:Win32/Alureon.A

    I've had reasonably good experiences with MSE so far with my Windows users. Anybody else want to weigh in here?

    1. Re:MSE claimed to work by pongo000 · · Score: 1

      I'm by no means a Microsoft fanboi, but I have nothing but good things to say about MSE: It's free, the definition files are updated regularly, and (best of all) it doesn't slow down my laptop even when I'm running a scan. If you're not running MSE, you owe it to yourself to try it out. I can almost promise you that you'll toss whatever antivirus software you're running now.

      MSE, Anti-Malwarebytes, and SpywareBlaster has taken care of everything the big bad world has thrown at my machine.

    2. Re:MSE claimed to work by Bearhouse · · Score: 1

      Fits with my experiences.
      I'd add Spybot S&D to that list...
      http://www.safer-networking.org/en/index.html

    3. Re:MSE claimed to work by dotancohen · · Score: 1

      Anybody else want to weigh in here?

      Sure, I'll weigh in. This is what I get when I go to the MSE website:
      """
      Not available in your country or region

      You appear to be in a country or region where Microsoft Security Essentials is not available. Thank you for your interest in Microsoft Security Essentials.
      """

      It was translated into 26 languages, none of which are one of the two official languages of my country. Note that I did check only from Kubuntu, I don't actually have a Windows machine.

      --
      It is dangerous to be right when the government is wrong.
    4. Re:MSE claimed to work by gandhi_2 · · Score: 1

      It got better ratings than most of the other AV programs out there.

      If they integrated it with AD so it could be centrally administered....that would be nice. It would kill Sophos.

    5. Re:MSE claimed to work by LinuxIsGarbage · · Score: 1

      MSE is targeted for home users. Microsoft wants corporate users to use "Forefront"

  24. Re:Order by VGPowerlord · · Score: 1

    Chances are, if it's a rootkit, it's already overwritten the "known good" versions of those files Windows keeps around.

    Plus, they can't guarantee that other files won't be modified by different versions of the same rootkit.

    Other than that, Microsoft already pushes a new version of the Malicious Software Removal Tool through Windows Update every month.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  25. Sensationalism drives page views by Nimey · · Score: 1

    and hence advertising revenue.

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  26. And rightly so. by khasim · · Score: 2, Insightful

    But they are chastised for not coming up with a all-in-one solution?

    Yes. Because when patching, you want the process to be as simple as possible for the END USER.

    The more steps the end user has to follow, the more likely that the end user will make a mistake somewhere.

    If it can be done in one step at the end user's level, then it should be done in one step at the end user's level. No delays.

    1. Re:And rightly so. by StrategicIrony · · Score: 1

      I'm sorry, but I'd be royally pissed if MS was trying to remove third party software from a machine without asking me.

      Malware or not.

      It's not the right place. A very appropriate solution would be to prompt the user

      "A root kit has been detected, please visit the following website for more information and a link to a tool to attempt to fix the issue. This update will not be installed until the issue has been resolved."

      If I saw that message, I would be shocked and amazed at the appropriate response demonstrated. If that happened, I would say MS went above and beyond to accommodate the customer and the security best practice.

    2. Re:And rightly so. by poena.dare · · Score: 1

      And anything more complicated users should PAY ME TO FIX IT! Hurray!

    3. Re:And rightly so. by LinuxIsGarbage · · Score: 1

      A very appropriate solution would be to prompt the user

      "A root kit has been detected, please visit the following website for more information and a link to a tool to attempt to fix the issue. This update will not be installed until the issue has been resolved."

      If I saw that message, I would be shocked and amazed at the appropriate response demonstrated. If that happened, I would say MS went above and beyond to accommodate the customer and the security best practice.

      It's scare tactics like that that fake antivirus software uses to get installed. I think the best hope is that MRT gets installed and run during the update cycle.

  27. Um, working for whom? by Colin+Smith · · Score: 2, Insightful

    A) A working machine that has a rootkit installed.

    And is sending all key presses and bank account details to criminals.

     

    --
    Deleted
  28. whoosh! by chaboud · · Score: 1

    That was the sarcasm train, clearly passing you by.

  29. Re:The Microsoft way! by gzipped_tar · · Score: 5, Informative

    If the kernel is fucked, nothing works any more. Any results from on-line determination of the damage status of the machine itself should be assumed fake because the malware is in control of all local resources. To accurately determine the status of the computer, it must be taken offline.

    Never trust what rooted machines say about themselves...

    --
    Colorless green Cthulhu waits dreaming furiously.
  30. Customer Satisfaction by xerio · · Score: 4, Insightful

    I'm strangely ok with this. If they update the computer and the rootkit conflicts with the new patch and makes the computer unusable, they'll just get blasted for breaking people's computers. But if they don't update the computer, then the person is still able to use it. If they're warned that they can't update because they have a rootkit on their system and they do nothing about it, I feel no sympathy for them. At least Microsoft didn't make their system less operational. They should get rid of the rootkit and then update. If Microsoft let people update while knowing that it would make the computers unusable if they had this rootkit. People would still call foul on Microsoft. This way they're at least giving people a warning and chance to fix their problem, not making the problem worse.

  31. Sad by Voulnet · · Score: 2, Insightful

    Seeing the summary and many of the posts here, it's so sad to see how the internet gave every idiot a podium. It's always going to be catch-22 for Microsoft, even if they donated 40 billion dollars for every open source foundation/cancer research facility in the world. It's sad to see CS graduates, sysadmins and programmers with the mentalities of 4channers. Huh

    1. Re:Sad by JustNiz · · Score: 2, Interesting

      The reason is, no matter how much Microsoft give to charity (and I don't believe they do anyway, it's actually Bill & Melinda Gates Foundation who is the big philanthropist ) Cancer Research is not Microsoft's primary activity. Software is.

      Microsoft only care about big corporates interests like the RIAA and MPAA. They absolutely don't care about their own home or small business customers interests. Furthermore they do the bare minimum, their products suck, they strangle innovation, they hold the whole industry back just so they can make more money at any cost. They've made that VERY clear MANY times. Give me one reason why I a non-corp customer and a software developer shouldn't criticise Microsoft for failing to care about my interests or the interests of the industry I work in.

  32. Re:The Important Question by The+Archon+V2.0 · · Score: 1

    So, does this detection result in a message like "Windows Update had an error. Code 0xB302392838271" or "YOU'VE BEEN HACKED!!! GET YOUR COMPUTER FIXED!!!!"?

    Oh, like those lovely programs XP Antivirus and "Security Tool" do! Yes, I think that trying to scare and confuse the user into an irrational course of action is the way to go.

  33. Re:Attn infected PC users: Can't have it both ways by jedidiah · · Score: 1

    Microsoft let the crap get on the machine in the first place.

    They're ultimately responsible any way you try to spin this situation.

    I will say that again s-l-o-w-l-y: It's Microsoft's OS. They are responsible for it. You even paid money for it.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  34. Re:The Microsoft way! by HeronBlademaster · · Score: 4, Insightful

    Shouldn't it just determine if the DLL was damaged and replace it with the correct, working patched version if it is? Sorry, but automatically throwing their hands up and saying "you're fucked" is the Microsoft shortcut for not being able to fix their own security problems.

    Isn't that what they did last time, and it caused bluescreens?

    Do you want every single patch, no matter how small, to try to detect rootkits and, if a rootkit is detected, replace every DLL in the system with known clean copies? That's absurd.

    The problem wasn't that the DLL the patch installed caused bluescreens, it's that DLLs the patch didn't touch - because it wasn't patching them - were now incompatible with the clean (patched) DLL (because they were part of the rootkit).

    What do you propose Microsoft do about it? Patch the DLLs anyway, knowing it will cause bluescreens? Provide the entire slew of kernel DLLs for download via Windows Update, and install all of them every time there's a kernel patch?

    I don't mind what MS is doing at all - they're doing their best to make sure that their users won't get bluescreens, even if they're rooted.

  35. "Updates regularly" by ClosedSource · · Score: 1

    More like Obsoletes regularly. Wait a year to update and you can be SOL.

    1. Re:"Updates regularly" by mat128 · · Score: 1

      Then stay on the LTS releases and have 3 years of support (5 on the server edition) so you don't have to upgrade as often!

    2. Re:"Updates regularly" by Dishevel · · Score: 1

      I am guessing that you just hate Linux. Updates are frequent. It is well supported. You may not like it but that does not make my suggestion any less valid. You sir may "Have a nice day." Move along now.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    3. Re:"Updates regularly" by ClosedSource · · Score: 1

      What suggestion?

    4. Re:"Updates regularly" by LinuxIsGarbage · · Score: 1

      But then you end up stuck with ancient versions of Firefox, Open office, etc. Indeed most new software still works on XP, and many on 2000.

    5. Re:"Updates regularly" by mat128 · · Score: 1

      They keep patching them for security updates, if you don't necessarily need the latest and newest...

    6. Re:"Updates regularly" by Dishevel · · Score: 1

      Ubuntu.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  36. Re:The Microsoft way! by Rockoon · · Score: 4, Informative

    You don't know how computers work, do you?

    The blue screen crashing that this rootkit caused after the previous update was not due to rootkit modifications to the files that were being patched.

    The problems occurred because code that was NOT being patched (the rootkit!) was making direct jumps into kernel memory, to offsets that were no longer relevant after the patch.

    --
    "His name was James Damore."
  37. iphone patch? by adachan · · Score: 1

    If MS won't support a 10 year old system anymore, I don't stand much of a chance getting my first gen root-kitted iPhone patched then.

  38. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  39. Re:The Microsoft way! by lorenlal · · Score: 1, Flamebait

    You don't know how software development and pointers work, do you?

    To many users, a computer works by doing what they tell it to do, and that's plenty for them to know. "How computers work" is a very broad statement that could mean a number of things that you don't address in the statements following your first one.

    It also makes you sound condescending.

  40. Re:The Microsoft way! by Khyber · · Score: 2, Interesting

    "Never trust what rooted machines say about themselves..."

    Funny, that's usually how I spot a rooted machine. There's a fine difference between "I just don't want to work because I'm a piece of shit" and "I don't want to work because I'm controlled by someone other than you."

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  41. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  42. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  43. Re:Attn infected PC users: Can't have it both ways by sohp · · Score: 1

    If the patch system can detect the rootkit and not install, why doesn't it remove it and then install? At least give the user the option of doing it, instead of just leaving the user to deal with yet more work.

  44. Re:The Microsoft way! by sopssa · · Score: 1, Insightful

    Uh, what are you trying to say?

    Once the machine is rooted or has malware on it that has gained admin/root/kernel access, your best bet is to shut it down, take your documents and reinstall the system. You cannot know where it hides, no matter how knowledgeable you think you are. But you can still save your documents and not reveal banking data or passwords and similar.

  45. Re:The Microsoft way! by Lil'wombat · · Score: 2, Funny

    So this is a vendor software issue? Those rootkit developers should have a better testing process. I'm not going to go to all of the trouble of rooting 100k servers just to have my botnet BSOD on the next update. I demand a refund

    --

    Truth: If it's not one thing, it's another

  46. Re:The Microsoft way! by nigelo · · Score: 4, Funny

    "I'm a people-person. What the hell is wrong with you people?"

    --
    *Still* negative function...
  47. Re:Quick and Dirty by JustNiz · · Score: 1

    >> It never ceases to amaze me how the company that SHOULD produce some of the best code in the world (given revenue and longevity) instead seems to almost invariably produce code based on the "quickest and cheapest" principle.

    That's what happens when accountants get more say than engineers in the important decisions. The big problem is that missed sales can't be counted. The real problem is that most people will still buy Microsoft products no matter how bad they get, and Microsoft know it too.

  48. Re:Hmmmm.... by RiffRaff06078 · · Score: 1
    Can you imagine if the auto industry adopted the same strategies used by Microsoft:

    A: Sell new 2010 automobile

    B: Release new 2011 version of same automobile (with LED widgets!)

    C: Inform everyone who purchased the 2010 model that parts for their model will no longer be available after 2012.

    D: Inform car dealers that they will not be allowed to sell used 2010 models.

    E: Inform gas stations that they must use new nozzles at their pumps that only fit the 2011 models.

    F: Sit back and wonder why people take cheap shots at your company and begin purchasing motorcycles.

    G: File lawsuits against the motorcycle companies for restraint of trade and IP infringement.

    I don't rag on Microsoft because they make a substandard product. I rag on Microsoft because they *force* their new products on their customers, and then treat those customers like thieves until proven otherwise. If I don't want to upgrade from Ubuntu 6, I can still download it and use it if I so choose, and I won't be accused of software piracy if I blow a system board and swap the drive into a new system.

  49. Re:Attn infected PC users: Can't have it both ways by AnotherUsername · · Score: 1

    Microsoft let the crap get on the machine in the first place.

    They're ultimately responsible any way you try to spin this situation.

    I will say that again s-l-o-w-l-y: It's Microsoft's OS. They are responsible for it. You even paid money for it.

    I wasn't aware that Microsoft was to blame when a user went against safe operating practices, such as clicking on pop-ups and opening virus-filled emails. I suppose I was wrong.

    --
    I don't like Linux. This doesn't make me a troll.
  50. Re:The Important Question by maxwell+demon · · Score: 1

    Given that only the first hex digit was in the range a-f, the number was very obviously not completely random, and therefore has less than 52 bits of information. 12 digits in the range 0-9 have 39.9 bits of information. Assuming it was not by chance that the first digit was in the range A-F, then this digit also has an entropy of 2.6 bits. The sum of both is 42.5 bits. However, the digit string doesn't seem to be completely random either, so it's not impossible that the extra reduced randomness just removes that half bit, so the total information is actually 42 bits.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  51. Re:The Microsoft way! by maxwell+demon · · Score: 5, Funny

    What if it hides in the documents?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  52. Obligatory.... by bmo · · Score: 2, Informative

    http://technet.microsoft.com/en-us/library/cc512587.aspx

    >You can't clean a compromised system by patching it.

    >You can't clean a compromised system by removing the back doors.

    >You can't clean a compromised system by using some "vulnerability remover."

    >You can't clean a compromised system by using a virus scanner.

    >You can't clean a compromised system by reinstalling the operating system over the existing installation.

    >You can't trust any data copied from a compromised system.

    >You can't trust the event logs on a compromised system.

    >You may not be able to trust your latest backup.

    >>>>>The only way to clean a compromised system is to flatten and rebuild.

    Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation

  53. Re:The Microsoft way! by Yaddoshi · · Score: 5, Insightful

    I agree, I thought the title of this submission was skewed - especially after reading the rest of the article. Microsoft does not appear to be "refusing to patch rootkit infected computers".

    A more accurate title would be something along the lines of: Microsoft attempts to prevent inadvertently bricking XP systems with Windows Updates

    Bear in mind I'm terrible at coming up with titles. Also bear in mind I'm not a big fan of Windows.

  54. ob XKCD by petermgreen · · Score: 1
    --
    note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  55. Re:The Microsoft way! by Bert64 · · Score: 1

    Well, by refusing to patch an already compromised system they open that system up to getting further malware infections...
    If the system breaks at least it's now offline and will cease sending spam or whatever other malicious things it's doing.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  56. consider the difference between by circletimessquare · · Score: 1

    theoretically impossible and practically impossible

    you wipe the system: you are now guaranteed a clean system and you spent orders of magnitude less time and effort than the scenario you propose (which doesn't guarantee anything)

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:consider the difference between by pclminion · · Score: 1

      Define "wiping the system." There are BIOS level rootkits out in the wild. Wiping the machine properly may involve re-flashing the BIOS. And who's to say that even some lower-level rootkit doesn't exist (reprogrammed CPU microcode? a virus hiding on a Firewire device?) Honestly, I'd just take the motherboard and dump the damn thing in the trash.

      Once you're really rooted, you lose. Don't let it happen in the first place.

      And I'm totally with Microsoft on this one. Rootkits are absolutely unpredictable. A Windows system with a rootkit on it can't even be said to be Windows anymore.

  57. Re:The Microsoft way! by Bert64 · · Score: 3, Interesting

    Do they notify the users that they're rootkitted?
    If anything, a bluescreen is a good thing since the rootkitted machine is now offline and no longer sending spam or whatever other malicious things it might be doing.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  58. XP support by Happy+Nuclear+Death · · Score: 2, Insightful

    Meh. I'm just glad they're still patching Windows XP.

  59. responsibilities by SMOKEING · · Score: 1

    It is exactly for the reason that I am not an expert in it that I don't do plumbing nor farming. And, the world will be a safer place if plumbers don't do any heavy IT work either.

    There's a clear distinction between (end) users and admins. Apple, for one, tries hard to blur it, but the distinction is there.

    Since when cluelessness is not an excuse? The internets ain't your city park where all dogs wear muzzles and a purse accidentally dropped on the ground will be brought to you by the discreet police no later than in five minutes. If anyone in charge of a computer goes carefree to the point that his computer becomes a zombie, this becomes *my* problem, not just theirs.

    Mod parent poster emphatically up.

  60. Re:Hmmmm.... by VGPowerlord · · Score: 2, Insightful

    I hate to say it, but it's more like this:

    A: Release New OS
    B: No One Adopts New OS
    C: Release Another New OS
    D: Support Expires for Old OS
    E: "SOMEONE" Develops a rootkit\virus\malware that targets old OS.
    F: Anti-Virus keeps the old OS limping along
    G: Anti-Virus vendors keep releasing updates to prevent new viruses\rootkits\etc.
    H: Over time thousands, if not millions of Old OS systems get infected by root kits that the large population isn't aware of.
    I: Create a new patch that specifically, when coupled with the largely ignored\unnoticed rootkit\virus\malware, makes Old OS unusable.
    J: Choice: switch to Linux or upgrade to New OS.
    K: Laugh hysterically as at least 50% upgrade to New OS and you bathe in $20 bills soaked in champagne.
    L: Profit.

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  61. Re:The Microsoft way! by hairyfeet · · Score: 1

    Because as a PC repairman I can tell you that trick won't work? These bugs ain't the nasties of old, where a simple boot into safe mode and a cleaning fixes you right up. No sir, these babies are naaaasty. Multiple hidden processes, auto replacing of files with its own, hidden reg entries, rootkits, all kinds of really nasty shit.

    MSFT is doing the right thing in this case. There simply isn't any way to really clean these badly infected machines by remote, and trying to patch them while infected will just leave you with a BSOD'd box. Better to pop up a screen that says "We're sorry, but it seems like your computer may be infected. Please take it to your nearest service center to have it checked" than to try to fix this crap by remote and totally hose the machine.

    Not to mention if MSFT disables programs by remote, spyware or not, they'll probably get hit by a wave of lawsuits from spyware vendors claiming their apps are legit. Better to let the user take it to someone who knows what they are doing and let them decide what needs to go.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  62. Re:The Microsoft way! by dhavleak · · Score: 3, Insightful

    That's good for the world in general but bad for the owner of the machine. You're suggesting MS make the decision to fuck over some individual for the good of many? They don't have that mandate.

  63. Re:The Microsoft way! by dhavleak · · Score: 2, Interesting

    Well, by refusing to patch an already compromised system they open that system up to getting further malware infections...

    They're not 'opening up' the system -- they're just leaving it open. It was already like that when they found it.

    If the system breaks at least it's now offline and will cease sending spam or whatever other malicious things it's doing.

    Good for us. Bad for the owner. MS cannot fuck the owner on our behalf.

  64. How about something for USER-compromised systems? by damn_registrars · · Score: 1

    They need something for systems that have been screwed up by their own users. Perhaps a patch that prevents administrator users from connecting to websites that use bad javascript?

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  65. Re:The Microsoft way! by dan828 · · Score: 1

    Because patching it kills the system and results in endless blue-screens and reboots. So yeah, it's not an optimal solution, but breaking the system to the point where it's unusable isn't a good idea either.

  66. Brick 'em by golfbum · · Score: 1

    I'm fine with msft bricking them. Might finally get some action. Gb

  67. Re:The Microsoft way! by jibjibjib · · Score: 3, Insightful

    So now they're actively leaving rootkits online and fucking over the rest of the world for the good of the guy who can't maintain his machine properly? You could argue that they don't have that mandate either.

  68. Re:The Microsoft way! by cybernanga · · Score: 1

    5. 353,000 tons traveling at 650 miles per second creates enormous air resistance - this will heat the reindeer up in the same fashion as spacecrafts re-entering the earth's atmosphere.

    Which is why Rudolph has a red nose!

    --
    www.Buy-Proxy.com - A "buyer-driven" global marketplace.
  69. Re:Rooted means always wipe, reinstall. by 0123456 · · Score: 2, Interesting

    Once a machine gets owned it's gone. Total wipe, reinstall from good backup. No matter what OS or even Windows it is.

    Joe Sixpack doesn't have a backup.

    Also, Joe Sixpack probably doesn't have XP CDs, so he has to install from the 'recovery partition'; I wonder whether any rootkits are installing themselves into the recovery partition so they'll automatically be reinstalled if someone tries to wipe their system and reinstall from scratch?

  70. Re:The Microsoft way! by dhavleak · · Score: 2, Funny

    To do nothing? They need a mandate to not touch a system they don't own?

  71. Re:The Microsoft way! by ffreeloader · · Score: 1

    Hmmm.... MS would be screwing over the machine owner by actually letting them know that their machine has been compromised by having it blue screen? How is that?

    It's somehow NOT screwing over the user to let them go on in ignorance doing their banking, tax prep, online investing, online purchasing, etc... from a compromised machine? How do you figure that? You would rather let an attacker know all your personal information, and have your machine used to compromise other systems, than have your machine blue screen? If you would, I say you have some seriously screwed up priorities.

    --
    "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
  72. Re:The Microsoft way! by Skuld-Chan · · Score: 1

    Yes they do - it gives a specific error code where if looked up it says "this machine is unable to run Windows Update because it is infected with malware" or something like that.

  73. Re:The Microsoft way! by smash · · Score: 1
    Pretty much this. Once a machine is rooted, sure you may know what the rootkit has done, but who knows what the person with control of the rootkit has done?

    Rooted machines need more than a quick patch or av scan - do that so you can secure your data, back it up and then blow it away and start over. It's the only way to be sure.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  74. Re:The Microsoft way! by smash · · Score: 1

    You can scan them, and inspect them relatively easily for corruption. What you can't necessarily scan for with a dumb rootkit remover is modified configuration settings, modified firewall rules, added ipsec tunnels, etc - that weren't done by the rootkit, but by someone with control of it. Sure you could do that manually by going through each and every configuration item on your box, but it's a lot quicker and easier to blow it away and start over.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  75. Re:The Microsoft way! by smash · · Score: 2

    Well, the proper solution for a rootkitted box IS to replace every DLL and configuration item on the system once the rootkit is removed. It's called an OS wipe and reinstall.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  76. Re:The Microsoft way! by dissy · · Score: 1

    Why is not patching the system acceptable?

    Because it is.

    What exactly do you expect patching an already rooted system to accomplish? Those patches won't make it any more secure than it was before the patch. Those patches won't fix any of the security problems they fix on a rooted system.

    What would the point be?

    Best possible case is nothing at all happens and you are just as rooted and insecure as before applying the patches.

    Worse possible case is your system now refuses to boot, or reboots in loops, etc.

  77. Re:The Microsoft way! by dhavleak · · Score: 1
    Microsoft can say "sorry dude -- can't install xyz patch 'cos your system's integrity is suspect". What the user does after that is up to them.

    It's somehow NOT screwing over the user to let them go on in ignorance doing their banking, tax prep, online investing, online purchasing, etc... from a compromised machine? How do you figure that?

    Don't over-complicate the issue. It's just not MS's call to make.

    You would rather let an attacker know all your personal information, and have your machine used to compromise other systems, than have your machine blue screen? If you would, I say you have some seriously screwed up priorities.

    ???
    This is not *my* situation. It's the situation of people who know so little about computers that they don't even know what their situation is. Even for them, MS cannot confer upon itself the power to bluescreen their machines to protect them from themselves. As much as you might wish it, you too do not have the power to give them that mandate. Such is life sometimes. Live with it.

  78. Re:The Microsoft way! by zeugma-amp · · Score: 1

    Good for us. Bad for the owner. MS cannot fuck the owner on our behalf.

    Strange. I thought "fuck the consumer" was their business model.

    See WGA

    --
    This is an ex-parrot!
  79. MSRT by Torodung · · Score: 1

    Stands for one of two things:

    Malicious Software Removal Tool

    Microsoft Removal Tool

    Wonder which works better?

    --
    Toro

    (There's a reason Microsoft named the file MRT.exe)

  80. Re:Hmmmm.... by Kitkoan · · Score: 1

    Can you imagine if the auto industry adopted the same strategies used by Microsoft:

    A: Sell new 2010 automobile

    B: Release new 2011 version of same automobile (with LED widgets!)

    C: Inform everyone who purchased the 2010 model that parts for their model will no longer be available after 2012.

    D: Inform car dealers that they will not be allowed to sell used 2010 models.

    E: Inform gas stations that they must use new nozzles at their pumps that only fit the 2011 models.

    F: Sit back and wonder why people take cheap shots at your company and begin purchasing motorcycles.

    G: File lawsuits against the motorcycle companies for restraint of trade and IP infringement.

    I don't rag on Microsoft because they make a substandard product. I rag on Microsoft because they *force* their new products on their customers, and then treat those customers like thieves until proven otherwise. If I don't want to upgrade from Ubuntu 6, I can still download it and use it if I so choose, and I won't be accused of software piracy if I blow a system board and swap the drive into a new system.

    Wow, just wow. I'm not sure where to begin with what's wrong with this post. Let's see, model 2010, 1 year later releases a newer model? Considering Windows XP was released in August of 2001 and they are only officially stopping support for it on July 13, 2010 completely invalidates that comparison since 2001-2010 isn't 1 year. Vista wasn't even released until 2006, 5 years later... For C. you wrote that the 2010 model that they won't be able to use parts after 2012 again flies in the face of everything since Office 2007 (the newest one) runs on Windows XP and was released 6 years later. This doesn't even consider that the new Office 2010 is also going to run on Windows XP... 'Inform dealers not to sell 2010 models'. You were able to buy Windows XP for years after Vista, and for quite some time without paying extra license... 'Inform gas stations they must use new nozzles', etc., again is wrong since Vista and Windows 7 allow backwards compatibility and newly made software is still made to run on Windows XP (note the Office 2010 again)... If you're going to try to make a comparison at least put a pinch of effort into it.

    --
    Attention... all grammer nazi"s! Is they're anything; wrong with: my post,
  81. Re:Rooted means always wipe, reinstall. by smash · · Score: 1

    Joe sixpack is a cock who needs his machine to BSOD and become unrecoverable before he learns.

    --
    I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
  82. Re:The Microsoft way! by xQx · · Score: 2, Insightful

    Say someone pisses in your pool...

    How do you get the piss out of the pool?

    You don't. It's fucked. You drain the pool and start again.

    Any server administrator worth their salt knows if someone gets in to root / administrator who is not supposed to be there there is only one course of action: Unplug and rebuild.

    You do not try to fix a server that has been compromised in this way, regardless of Operating System. For some reason we get compassionate about home-users who can't afford to fix their computer ... and then we get upset when these computers are used for botnets and spam propagation... WTF?!

    I think it's utterly RESPONSIBLE of Microsoft to withdraw support for someone silly enough to want to keep running an operating system that's been rootkitted.

    Hell, if it were my network I'd be using the rootkit to permanently disable all network connectivity to avoid any further damage. User be damned.

  83. Re:bargaining by LinuxIsGarbage · · Score: 1

    XP (and IE 6) won't EOL any earlier than 2014. They are just trying to prevent users that complain that their system bricked when they installed an update.

  84. Re:Rooted means always wipe, reinstall. by LinuxIsGarbage · · Score: 1

    Joe sixpack also didn't pay attention when his system that shipped without discs begged and pleaded with him for the past 5 years to burn off recovery DVDs.

    I hate OEM preinstalled bloatware, I hate that they don't ship discs, but no, you're not screwed if you only have a recovery partition. You're only screwed if you didn't make the discs it asked you to.

  85. Re:The Microsoft way! by shentino · · Score: 1

    Microsoft isn't responsible for what a rootkit decides to do.

    If I were microsoft, I'd update away, and consider malware infections the same way I would unauthorized tampering with system files by the user. Just update the kernel, and be damned with anything that was played with. For much the same reason that opening a device is usually grounds for voiding the warranty, since the manufacturer can't reasonably be required to support end user tinkering.

    The notion that vendors should go out of the way to actually SUPPORT malware is absurd, let alone the notion that black hats should be dictating terms to OS creators.

  86. Re:The Microsoft way! by shentino · · Score: 1

    But it's not intentional.

    It's more like you take a device into the factory for an upgrade, but unknown to you, someone swiped it, and installed a spy chip inside. When the factory technician opens it up and tries to install the new parts, the spy chip short circuits the whole thing and the device blows up in his face.

  87. Am I right... by maweki · · Score: 1

    Am I right in my assessment, that they first leave your door wide open. And once a burglar entered and set off the burglar-detection, they refuse to install a lock in your door?

  88. Re:The Microsoft way! by dhavleak · · Score: 1

    Strange. I thought rational discourse was more important than dogma.

  89. Re:The Microsoft way! by rdnetto · · Score: 1

    Say someone pisses in your pool...

    How do you get the piss out of the pool?

    Maxwell's demon

    --
    Most human behaviour can be explained in terms of identity.
  90. Re:The Microsoft way! by dhavleak · · Score: 1

    Microsoft isn't responsible for what a rootkit decides to do.

    What kind of crazy logic is this? Their code is downloading the patch and applying it. At this point the ball is in their (MS's) court about how to proceed. It's not the rootkit 'deciding' stuff at this point.

    If I were microsoft, I'd update away, and consider malware infections the same way I would unauthorized tampering with system files by the user.

    They don't get to make that call. If you were actually in MS's position, you would actually make the same call as them. On a random forum on the internet it's easy to make bold claims about what you would do.

    Just update the kernel, and be damned with anything that was played with.

    Again - this is a completely cavalier attitude -- and if you were actually in the position to make the call, not only would you not have the stones, you would also pause to think about it for a second and also realize that you don't have the right to do that.

    For much the same reason that opening a device is usually grounds for voiding the warranty, since the manufacturer can't reasonably be required to support end user tinkering.

    So you're saying the manufacturer gets the right to knowingly brick your system because you've voided your warranty?

    The notion that vendors should go out of the way to actually SUPPORT malware is absurd, let alone the notion that black hats should be dictating terms to OS creators.

    You managed to twist "we won't knowingly BSOD users' systems" into "we support malware"?? Only on slashdot. God knows what you mean by "black hats dictating terms to OS creators" -- nothing in your post made much sense anyway.

  91. Re:Hmmmm.... by RiffRaff06078 · · Score: 1

    Yeah, okay, the analogy sucked. I was half asleep at my desk when I wrote it. I still stand by the basic argument that Microsoft's tactics of forcing customers to upgrade, combined with their draconian verification protocols, would not be tolerated in other industries.

  92. Re:The Microsoft way! by shentino · · Score: 1

    I'm just saying it seems rather silly to put MS in the position of walking on egg shells around rootkits to prevent a BSOD that they're not even responsible for causing.

  93. Re:The Microsoft way! by ffreeloader · · Score: 1

    So, MS has no duty whatsoever to notify people that they know have compromised machines? Sorry, but that's pure horseshit and symptomatic of everything that's wrong with our society.

    The principle behind it is no different than a neighbor watching someone back a truck up to your back door and load up all your furniture, appliances, safes, etc..., drive away with everything you own, and never say a word to you about it or call the cops. Does your neighbor have a moral duty to call both you and the cops? Yes. We all have a moral duty to protect each other.

    MS has the same moral duty to those who buy their products when MS discovers their machines are compromised. MS shouldn't be snooping, but if they discover this type of problem during normal operations, like installing updates, then they most certainly have a moral obligation to help those people.

    If you can't understand, or disagree with, the above concepts, I certainly wouldn't want you for a neighbor or acquaintance, or be part of the same workplace with you, and most certainly would never call you friend, as you are not trustworthy.

    As to you, personally, not having a root kitted computer, well, your comments just show you have no empathy as you can't identify with someone else's problem nor visualize what you would want someone to do for you if you were in the victim's shoes. That pretty much explains your lack of understanding with regard to moral obligations.

    --
    "while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
  94. Why? by L1feless · · Score: 1

    I couldn't find an answer to this in the article posted but does this patch notify the end user as to why the patch was not installed? After reading it it looked like the patches just simply wouldn't install and it was left to the end user to manually go back and verify that the patches wouldn't install. Rather than an informative message prompting on the screen.

  95. Re:The Microsoft way! by al0ha · · Score: 1

    While I understand your reasoning, please understand the concepts of morality apply only to humans. Microsoft corporation has no moral duty to do anything. Corporations are amoral, they are neither moral nor immoral, and as such they are only obligated to adhere to the rule of law in their pursuit of profit.

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
  96. It's more like... by pyrr · · Score: 1

    ...having someone on the highway who doesn't know about cars and is mechanically incompetent. And as a result of said incompetence the car is utterly unmaintained, so it belches whitish-blue smoke (because both oil and coolant are being burned) and holds-up traffic because it can barely maintain speed. It's going to break-down often because critical problems simply aren't addressed until various failures render the vehicle inoperable, and then it's only patched-up enough to get it limping-along again.

    So why aren't all cars which are owned by people who have no mechanical aptitude clunkers of the sort I described above? It's because you don't have to be a master mechanic or have any mechanical aptitude to take your car TO a mechanic for an inspection if you think something might be wrong or to change the oil. You pay the professional to have knowledge and skill in an area you lack those things in. Said mechanic can also answer questions and offer helpful advice to help you get the most life out of your car and keep it running well.

    Cars are machines, computers are machines. Is it really too much to ask that people who don't know much about computers take them in for a tech to look at if they start behaving strangely or running slowly? Or that they run and update anti-malware preventative-maintenance products? So, someone gets BSODed by an update. Such failures don't make people idiots because they don't know how to avoid or correct malware problems themselves. They are idiots because they not only couldn't do it themselves, but they also didn't bother to hire a professional to help them out.

    So nope, no sympathy from me either. BSOD them and get 'em off the 'net, just like a ruined clunker alongside the road. At least with computers, there's no real physical damage, the "clunker" can almost certainly be restored to as-good-as-new functionality with an OS install disc and a couple hours of time.

  97. Re:The Microsoft way! by dhavleak · · Score: 1

    I'm just saying it seems rather silly to put MS in the position of walking on egg shells around rootkits to prevent a BSOD that they're not even responsible for causing.

    Nobody is putting them in any position. They're not walking on egg shells. They just know what they can and cannot do, and intentionally BSODing a user's system is fairly high on the list of things they cannot do. However it's spun, they're doing the only thing they can/should do.

  98. Re:The Microsoft way! by dhavleak · · Score: 1

    While I understand your reasoning, please understand the concepts of morality apply only to humans.

    Laws exist to project our sense of morality onto corporations. Please lose the condescending tone next time you post.

    Microsoft corporation has no moral duty to do anything.

    They don't have the authority to make a decision on the user's behalf about how to proceed (in the event of failing a system integrity check). Who said anything about morals?

    Corporations are amoral, they are neither moral nor immoral, and as such they are only obligated to adhere to the rule of law in their pursuit of profit.

    That rule of law as I said, is us (humans) projecting our morals onto corporations. If MS were to intentionally BSOD a user's system, the user could go to court, and the user would win. MS has no other option here. Where did morals come into this??

  99. Re:The Microsoft way! by dhavleak · · Score: 1

    But it's not intentional. It's more like you take a device into the factory for an upgrade, but unknown to you, someone swiped it, and installed a spy chip inside. When the factory technician opens it up and tries to install the new parts, the spy chip short circuits the whole thing and the device blows up in his face.

    It is intentional. It was not intentional the last time they pushed out updates and got burned by Alureon rootkits. The second time around, if they encounter the same number of BSODs it would be intentional at worst, and negligent at best.

  100. Re:The Microsoft way! by dhavleak · · Score: 1

    I'm a dumbass. I just realized you were replying to the other poster -- not to me. In the correct context, I understand what you were saying.

  101. Re:The Microsoft way! by Bert64 · · Score: 1

    Those users are rootkitted, they have by definition already been fucked over.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  102. Re:The Microsoft way! by dhavleak · · Score: 1

    Which doesn't preclude them from getting fucked over some more.

  103. Sweet no rootkit here! by Junior+J.+Junior+III · · Score: 1

    Well the updates applied successfully, so I guess I'm rootkit free.

    --
    You see? You see? Your stupid minds! Stupid! Stupid!