MS10-015 Restart Issues Are the Result of Rootkit Infection

Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit.

There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit.

“After extensive testing, Microsoft has confirmed that the restart issue is a result of Alureon rootkit infections,” Microsoft’s Jerry Bryant, senior security communications manager lead, said in a statement.

Alureon is a sophisticated malware package that comprises a number of components, including a rootkit, search-hijacking functionality and the ability to modify DNS settings. One of the changes it makes at installation time is to patch a specific Windows driver on disk so that its own code runs whenever that driver is loaded.

“For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted.

While the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver’s resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system,” Microsoft’s Scott Molenkamp wrote in a blog post on the MS10-015 issues. “As part of the February security updates, an update (MS10-015) resolving a vulnerability in Windows Kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the “ExAllocatePool” API. In the updated kernel, the VA of “ExAllocatePool” has changed. Therefore, after applying MS10-015, Alureon will now be attempting to make an invalid call.”

Because the rootkit calls a hard-coded kernel address rather than resolving the export by name, the call lands in the wrong place once the kernel image changes, and the fault in kernel mode produces the BSOD or a hang at restart. Affected users can recover by booting into the Windows Recovery Console and replacing the patched driver (typically atapi.sys) with a clean copy; since the driver patch is only one component of the infection, the rest of the Alureon package still has to be removed afterwards.
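The tampering pattern Molenkamp describes, an entry point redirected into the resource section, is something a responder can check for directly. The Python script below is an added example, not code from Microsoft, Threatpost or the Alureon authors: it parses a PE image's section table, finds the section that contains AddressOfEntryPoint, and flags the image when that section is .rsrc or is not marked as code/executable. The two sample images it analyses are constructed in memory with a made-up section layout (names and addresses are hypothetical, chosen to resemble a 32-bit storage miniport driver); on a real machine you would read C:\Windows\System32\drivers\atapi.sys instead.

```python
"""Flag a PE driver whose entry point lies in a non-executable (resource) section.

Added example, not Microsoft's or Alureon's code.  The sample images are
built in memory from a hypothetical section layout so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


@dataclass
class Section:
    name: str
    vaddr: int
    size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.vaddr <= rva < self.vaddr + self.size

    @property
    def executable(self) -> bool:
        return bool(self.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint RVA, section table) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, file_hdr + 2)
    size_of_optional, = struct.unpack_from("<H", data, file_hdr + 16)
    optional = file_hdr + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+.
    entry_rva, = struct.unpack_from("<I", data, optional + 16)
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size = struct.unpack_from("<III", data, off + 8)
        characteristics, = struct.unpack_from("<I", data, off + 36)
        # VirtualSize can be zero in some headers; fall back to SizeOfRawData.
        sections.append(Section(name, vaddr, max(vsize, raw_size), characteristics))
    return entry_rva, sections


def classify_entry_point(data: bytes) -> Tuple[str, Optional[str]]:
    """Return ("ok" | "suspicious", containing section name) for the image's entry point."""
    entry_rva, sections = parse_pe(data)
    hit = next((s for s in sections if s.contains(entry_rva)), None)
    if hit is None:
        return "suspicious", None                 # entry point maps to no section at all
    if hit.name == ".rsrc" or not hit.executable:
        return "suspicious", hit.name             # DriverEntry redirected into data
    return "ok", hit.name


def build_pe(entry_rva: int, layout) -> bytes:
    """Construct a minimal PE32 header plus section table (no section bodies) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0, 0)
    optional += b"\0" * (224 - len(optional))                           # pad to PE32 size
    headers = b"".join(
        name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", size, vaddr, size, 0, 0, 0, 0, 0, chars)
        for name, vaddr, size, chars in layout
    )
    return dos + b"PE\0\0" + file_hdr + optional + headers


# Hypothetical layout resembling a 32-bit storage miniport driver (constructed values).
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DRIVER_LAYOUT = [
    (".text", 0x1000, 0x4000, CODE | IMAGE_SCN_MEM_NOT_PAGED),
    ("PAGE",  0x5000, 0x2000, CODE),
    ("INIT",  0x7000, 0x1000, CODE | IMAGE_SCN_MEM_DISCARDABLE),
    (".rsrc", 0x8000, 0x0400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
]
CLEAN_IMAGE = build_pe(0x72A0, DRIVER_LAYOUT)    # DriverEntry inside INIT, as in a genuine driver
PATCHED_IMAGE = build_pe(0x8120, DRIVER_LAYOUT)  # entry point moved into .rsrc, the Alureon pattern

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, classify_entry_point(image))
```

This catches only the specific modification the article describes; a complete triage of a suspect driver should also verify its Authenticode signature and compare its hash against a known-good copy from installation media or a clean system, since a rootkit that patched a code section instead of .rsrc would pass the entry-point check alone.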
