MS10-015 Restart Issues Are the Result of Rootkit Infection

Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit.

There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit.

“After extensive testing, Microsoft has confirmed that the restart issue is a result of Alureon rootkit infections,” Microsoft’s Jerry Bryant, senior security communications manager lead, said in a statement.

Alureon is a sophisticated malware package that comprises a number of components, including a rootkit, search hijacking functionality and the ability to modify DNS settings. One of the changes it makes when it’s installed is a modification to a specific driver.

“For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted.

While the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver’s resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system,” Microsoft’s Scott Molenkamp wrote in a blog post on the MS10-015 issues. “As part of the February security updates, an update (MS10-015) resolving a vulnerability in Windows Kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the ‘ExAllocatePool’ API. In the updated kernel, the VA of ‘ExAllocatePool’ has changed. Therefore, after applying MS10-015, Alureon will now be attempting to make an invalid call.”

That results in the BSOD or a system hang. Users affected by this problem can fix it by replacing the infected driver with a new one via the system console.
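Molenkamp's description gives a defender one concrete, file-level check: a driver whose PE entry point resolves into the resource section (or into any section not marked executable) does not look like a legitimately built driver. The following Python is an added example, not Microsoft's or Threatpost's code; it parses the PE headers to find the section containing AddressOfEntryPoint and flags the pattern described above. The two images it inspects are constructed header-only stubs built by `build_sample_pe`, not a real atapi.sys.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def entry_point_section(pe: bytes):
    """Return (name, characteristics) of the section holding AddressOfEntryPoint, or None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    table = opt + opt_size                       # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= entry_rva < vaddr + max(vsize, 1):
            return name, chars
    return None


def entry_point_looks_hijacked(pe: bytes) -> bool:
    """True if the entry point lands in .rsrc or in a section that is not executable."""
    found = entry_point_section(pe)
    if found is None:
        return True                               # entry point outside every section
    name, chars = found
    return name == ".rsrc" or not (chars & IMAGE_SCN_MEM_EXECUTE)


def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed header-only PE32 stub for testing; not a real driver image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


# Two constructed images with the same layout; the second has its entry point moved into .rsrc
LAYOUT = [(b".text", 0x1000, 0x3000, 0x60000020),   # CODE | EXECUTE | READ
          (b".rsrc", 0x5000, 0x0400, 0x40000040)]   # INITIALIZED_DATA | READ
CLEAN_IMAGE = build_sample_pe(0x1000, LAYOUT)
PATCHED_IMAGE = build_sample_pe(0x5040, LAYOUT)
```

Because the rootkit hides its changes on a running system, the check is meant for driver files read from offline media (such as the recovery console the article mentions), where the on-disk bytes are what the kernel will actually load.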

Discussion

  • reallyreally on

    so now that MS has egg on their face again, what will they do about it?  release a modified patch that looks for the infection first or simply continue to bluescreen computers?

  • SFdude on

    Agree with the prev. poster, 100%.

    Shouldn't MS (or somebody), provide
    a small, ** easy-to-use ** prog.
    to detect the presence of this particular Rootkit ?
    .

    If result = negative, apply Feb Win patches...100% ok.
    Else, hold off this February update...

    MS Windows Updates...what a mess...many hours lost,
    just making sure you are not "bricking" your PC
    with a Win Update.

  • LoOoNaTiC on

    One would have to know how this rootkit was infecting machines. This would also mean that MS would have also known this security exploit existed. I realize, as is often the case with large corporations, there is often little collaboration on issues which certain departments see as 'theirs'. MS needs to learn this valuable lesson if they are serious about changing their image, which is still tarnished by the Vista & Windows ME releases. The release-first-then-do-damage-control-later mantra is one which is just not an option any longer. A great example is Google with Buzz. There are certain features which Buzz is missing, such as a DISABLE option, up until yesterday or today. These features being omitted is just out of character for Google, which is why I think they can get away with it, just this once. As sad as it is to say, people will compare Google's poor handling of Buzz to a common occurrence with Microsoft.

    On a side note I fully agree with the two posters above. MS needs to release potentially one or both of the following. The first is an easy to use one click removal tool for this rootkit and the second is alter the patch code for MS10-015 and add in a check prior to patch install.

  • Anonymous on

    Yeah, Microsoft should definitely do compatibility testing to make sure viruses work as expected after all of their patches.  How dare they?

  • Anonymous on

    @reallyreally

    @SFdude

    @LoOoNaTiC

    It is no more the responsibility of Microsoft to ensure that users do not have infections than it is the responsibility of the writers of malicious software to ensure that their malware is compatible with future patches.

    At least make an effort not to be an idiot...I know it's the internet and all.

  • Anonymous on

    @Anonymous above me...

    Yea, you beat me to the post.  MS has no responsibility here.  How the F*** would they be able to do compatibility testing on viruses, rootkits, etc.?  And why should they have to???  The best MS or anyone can do is do /some/ testing on legal applications... not f'n malware that people are not supposed to have anyways.

    People that bash MS for every little thing are f'n morons and should not be allowed to own PCs.

  • LNSu on

    Why does Microsoft always need "patches"? IF they would put out a good product in the FIRST place we wouldn't need patches. But they NEVER will, because the majority go "oh, it's new, let's get it" even if the new is crap.

    Because users don't demand better and because users buy the product knowing it will need to be fixed Microsoft can Keep using people as a free test market.

  • HalfastII on

    @LNSu,

    As long as I can remember there have been script kiddies and hackers always working the system. They want your information, your data, or simply to create havoc in your life.

    But you play Microsoft out to be the bad guy.. They are fixing exploits, areas of code where malicious people have devised ways to break your system..

    While I am a bit tired of the total number of patches each month, it really is a sign of the times rather than Microsoft doing a poor job..

  • Gibson99 on

    @HalfastII

    While that's all fine and good, the fact remains that the patch in question fixes a SEVENTEEN-YEAR-OLD security hole.  If that's not poor/lazy programming, I don't know what is.

  • Anonymous on

    Use Linux, no BSOD.

  • Anonymous on

    It's all well and good to bash how poorly-designed Windows is...Wake me up when Linux is a usable workstation for Windows' target audiences, the random average users off the street.  (As someone with many 'average user' relatives...Linux isn't yet.  It really, really...really isn't.  I waste WAY more time fixing relatives' broken Linux boxes than their broken Windows boxes.)

  • Boo on

    First of all, I'm amazed how easy it is for people to say that Microsoft is a crappy product. The only reason hackers are targeting Microsoft is because it is still the top OS to beat, meaning millions of PCs around the world are using it. If there would come a time that Apple's OS is dethroning Windows, that would also be the start of more malware related to Mac OS X. Perhaps, by that time, we would also begin to see flaws in Mac OS X, and then hear people say that Mac OS X is a crappy product. Second, do you have any idea how HARD it is to actually detect rootkits in a system? This is stealth malware, so it's supposed to be good at hiding. No average user can really tell if they have one or not in their machines. Third, no matter how old the security hole is, the bottom line is that only time can tell when they will be unearthed. "Software vulnerability hunting" is still too young compared to how long MS has been out there. If I were you, I'd expect more (old) holes to be exploited and patched soon. I guess that's just how it plays now.

  • Anonymous on

    Just built a new pc 4 days ago, installed Kaspersky first before connecting to net, did updates. All fine, until today, when a Windows Update installed MS10-015. Got the BSOD and had to revert to earlier state. This PC is NOT infected with a rootkit, that is certain. There is no sign of any of the files the rootkit creates - tdlcmd.dll for instance - on this system. This implies to me a bit of 'fudging' on Microsoft's behalf. Many of the BSODs are probably caused by this rootkit, but not all of them.

  • Anonymous on

    How about, as part of routine security, you have a way of downloading common rootkitted drivers so you can overwrite them and keep them as official versions and not rootkit versions?

  • Anonymous on

    @LNSu

    Why does Microsoft always need patches? Because NO software is perfect. Software from Adobe (flash, PDF reader), Apple (quicktime, OSX, itunes), IBM, Mozilla, Google and countless others require security patches. It's simply stupid to expect a piece of software to NEVER have a security vulnerability. Any software that interfaces with a network/the internet will require security updates.

    Go to secunia.com and search for Mac OSX. Look at the hundreds of security vulnerabilities found in it over the last 10 years.

  • Vivek on

    There is a patch for all these problems. Install Linux. At least it doesn't crash due to a system update.
