Rootkit May Be Behind Windows Blue Screen (323 comments)

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
  • ATAPI.sys (Score:1, Informative)

    by Anonymous Coward on Friday February 12, 2010 @01:35PM (#31115388)

    I have had to replace atapi.sys after doing offline scans of an infected systems' drives. Usually easy enough to copy it off a work system.

  • by BisexualPuppy ( 914772 ) on Friday February 12, 2010 @01:36PM (#31115422)
    ATAPI is an ATA driver for things that are NOT hard drive (think CDROM drives, floppy, etc).
  • Re:mirror please? (Score:3, Informative)

    by n0tWorthy ( 796556 ) on Friday February 12, 2010 @01:43PM (#31115508)
    I just happen to have it open in another window:

    Microsoft Update KB977165 triggering widespread BSOD

    One of Microsoft's "Patch Tuesday" security fixes is triggering a widespread "Blue Screen of Death" problem. The cause is not the update itself, but an existing infection. So far, reports suggest that this problem affects Windows XP and Windows Vista. Once the update is applied and the system rebooted, Windows will bluescreen at boot. When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

    I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally. This is not the first time that an infection hitting atapi.sys has caused updates to trigger bluescreens.

    If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update. If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer.

    References:
    http://isc.sans.org/diary.html?storyid=8209 [sans.org]
    http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1 [microsoft.com]

    Detailed Repair Instructions Using the Windows XP Recovery Console

    1. Boot from your Windows installation CD
    Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like "Press any key to boot from CD..." - press a key.

    2. Start the Recovery Console
    After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing "R". Press "R" to launch the Recovery Console.
    * You may be asked to choose a Windows installation. If so, choose the damaged installation (probably "1").
    * You may be prompted for the Administrator password. If you do not have one, press "Enter".

    3. Identify your CD drive letter
    You should now be at the command prompt. Enter the following command:
        map
    Look for the drive letter for your CD drive. It may look something like this:
        D: \Device\CdRom0
    In this case, your CD drive is "D:".

    4. Replace ATAPI.SYS
    Enter the following, replacing "D:" with your CD drive:
        cd system32\drivers
        ren atapi.sys atapi.old
        expand D:\i386\atapi.sy_
    You should see the message "1 file(s) expanded." - this indicates you have succeeded.

    5. Reboot and scan for malware
    Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software.

    Tags: Malware, Security, Windows
    This entry was posted on Thursday, February 11th, 2010 at 17:22 and is filed under Security.

  • had one yesterday (Score:2, Informative)

    by Revek ( 133289 ) on Friday February 12, 2010 @01:45PM (#31115542)

    Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connected with the XP problems. Microsoft didn't do an evil thing, who would have known.

  • Re:mirror please? (Score:3, Informative)

    by n0tWorthy ( 796556 ) on Friday February 12, 2010 @01:45PM (#31115548)

    And some other salient responses:

    Michael Bristow says:
    2010-02-12 at 11:48
    I had a machine come across my bench with this issue, first thing Wednesday morning. One of the first things I tried was running SFC from an ERD boot disk. It replaced several files including atapi.sys, but it still would not boot. The only way to get the PC back up and running was to remove the patch.

    Multiple scans, with no infection detected, and I tried re-installing the patch, only to get right back to Blue Screens.

    In short, there is obviously more going on than just a problem with infected atapi.sys files.

    Jim Blizzard says:
    2010-02-12 at 12:00
    Very nice work Patrick,

    We have seen this occur on a few machines at the FAA so I wrote a vbscript to loop through an .xls of machines and record the MD5 Checksum. Thought it may come in handy for yourself and some of your readers..

    http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip [comcast.net]

  • Re:SFC Find It? (Score:3, Informative)

    by RayMarron ( 657336 ) on Friday February 12, 2010 @01:48PM (#31115602) Homepage

    Not if the rootkit responds to the request with the original values for the files it has replaced. That's the thing about a rootkit - it gets to tell the OS whatever it wants.

  • VirusTotal (Score:2, Informative)

    by z4ns4stu ( 1607909 ) on Friday February 12, 2010 @01:55PM (#31115712)
    Here's a link to the report from VirusTotal when you upload an infected atapi.sys.

    http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
  • by The MAZZTer ( 911996 ) <.moc.liamg. .ta. .tzzagem.> on Friday February 12, 2010 @01:57PM (#31115750) Homepage

    If you compare a file listing run from inside the machine to one run from a bootable CD OS where the rootkit can't load, different files are a dead giveaway that something is being hidden, and a rootkit can't work around this.

    There are also lower level APIs one can use inside of an OS that are much harder for a rootkit to patch so such tools can also locate some rootkits without needing to boot from CD. See: RootkitRevealer

  • Re:SFC Find It? (Score:2, Informative)

    by omgwtfroflbbqwasd ( 916042 ) on Friday February 12, 2010 @01:59PM (#31115798)
    Generally, rootkits will modify function pointers in the kernel so that typical detection activities are trapped and handled so that the system appears unaltered. In the case of file access, the original file (in an alternate location, data stream, etc.) can be accessed in place of the trojaned one that was loaded on boot, thus preserving the original file size and contents.
  • by jhoegl ( 638955 ) on Friday February 12, 2010 @02:03PM (#31115856)
    That is BS and you know it.
    The user installed the virus into their system by doing something stupid.
    It's like blaming the US Government for letting businesses go overseas when you still shop at Walmart.

    Your response is a cop out.
  • by cyprezzz ( 110690 ) on Friday February 12, 2010 @02:11PM (#31115984)

    I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.

  • by westlake ( 615356 ) on Friday February 12, 2010 @02:16PM (#31116050)

    After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

    If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

    Microsoft does detect it - and has since last October.

    File atapi.sys received on 2010.02.11 21:58:49 (UTC) [virustotal.com]

    Virus:Win32/Alureon.A [microsoft.com]
    Updated: Dec 07, 2009

    Aliases:

    Win32/Olmarik!generic (CA)
    Rootkit.Win32.TDSS.u (Kaspersky)
    W32/TDSS.drv.gen4.A (Norman)
    Mal/TDSSPack-V (Sophos)

    Encyclopedia entry

    Updated: Dec 07, 2009 | Published: Dec 02, 2009

    Aliases

    Win32/Olmarik!generic (CA)
    Rootkit.Win32.TDSS.u (Kaspersky)
    W32/TDSS.drv.gen4.A (Norman)
    Mal/TDSSPack-V (Sophos)

    Alert Level
    Severe

    Detection initially created:
    Definition: 1.69.77.0
    Released: Oct 23, 2009

    There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.


    Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... . Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
    If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary

  • by hoggoth ( 414195 ) on Friday February 12, 2010 @02:21PM (#31116144) Journal

    No, he's suggesting a program that runs first under Windows to make a list of every file on the disk along with a checksum, then runs under Linux to make a list of every file on the disk along with a checksum. If the lists differ there is likely a root-kit hiding itself when running Windows.

  • ATAPI.SYS Infections (Score:5, Informative)

    by nlewis ( 1168711 ) on Friday February 12, 2010 @02:24PM (#31116200)

    I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.

    The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.

    I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...

  • I've installed Linux on half a dozen laptops in the last year. In every case, the installation auto detected the wireless card and I had absolutely no problem getting connected.

    The year before that, I had to work on my mom's Windows laptop. She'd had several wireless cards in it over the years, and all the damn special software each of them had installed left her system a barely functioning wreck. It took me hours to get it sorted.

    Anecdotal data, sure, but so is every single case of "Waaa! Linux doesn't have wireless, waaaaaaa!"

  • by svtdragon ( 917476 ) on Friday February 12, 2010 @02:38PM (#31116400)
    Or you don't pay [ubuntu.com] for the OS, and you don't have to pay for antivirus.

    Isn't free software great?
  • by maxume ( 22995 ) on Friday February 12, 2010 @03:00PM (#31116674)

    Do note that it is simply a self extracting archive containing a batch file and some other tools (and it isn't clear that the tools have been licensed for redistribution).

    WinRar and 7-Zip can both extract the file, the main program is 'C.bat'. It contains this entertaining text:

    :: It's okay if you want to take a peek at the script but ......
    :: please bear in mind that if you have to copy, that means you can't script it on your own.
    :: Copying means you don't understand enough. Also means you're not ready to make tools.
    :: Do yourself & everybody else a favor. Don't release anything that you dont fully understand.
    :: Chances of trashing a machine is high. Bide your time. If you work hard, your time shall come.

    I've also seen it where the 'helpers' on malware sites say that they don't want to reveal how (their batch script) works, as it would help the malware writers (you know, the guys writing low level rootkits).

    It also seems to use the 'probably won't break anything' approach to testing.

    Definitely a buyer beware type of situation (but it has been used to help loads of people...).

  • by Opportunist ( 166417 ) on Friday February 12, 2010 @03:04PM (#31116700)

    You can do it, but it's basically worthless if your system has been infected with a rootkit. The rootkit can (and usually does) show you a perfectly healthy system instead of the reality on the drive. As has been said before, the rootkit probably keeps a copy of the original file somewhere and only "shows" it to you in its original place (where now that rootkit file is located). It doesn't usually affect its operation, since it has already been loaded and unless it needs more data from its file (unlikely), nothing bad happens from the fact that the file that is loaded differs from the file that is shown on the disc.

    If you now try to calculate a MD5 from the file on the disc, you will be supplied the original copy (that was replaced by the rootkit) and calculate your MD5 from the healthy file, making it appear a_ok and fine.

    Once a system has been rooted you have lost. I hate to use the same words I always get to hear from consultants, but here they fit: You cannot identify some problems from within the system.

  • by Kremit ( 632241 ) on Friday February 12, 2010 @03:18PM (#31116858) Homepage
    The TDSS rootkit (not sure how many variants do this...) installs itself as a Non-Plug-and-Play device driver. You can often remove the head of the rootkit by going to System Properties => Device Manager => View menu => Show hidden devices Then, click the + sign next to Non-Plug-and-Play devices. If there is a "TDSS*" device, you can delete it. I was able to recover a machine by doing this, then scanning for viruses. Obviously it's best to scan the hard disk externally or wipe the whole machine, but that might help someone in a pinch.
  • by arndawg ( 1468629 ) on Friday February 12, 2010 @03:19PM (#31116868)
    Avira has an okay livecd you could use.
  • by hoggoth ( 414195 ) on Friday February 12, 2010 @03:55PM (#31117394) Journal

    Off the top of my head, without checking my syntax, do this:

    find / -type f -exec md5sum -b {} \; > filelist-win.txt
    find / -type f -exec md5sum -b {} \; > filelist-lin.txt

    (find scans all the files from / down, running md5sum on each one)

    Run each under Windows and Linux, respectively. On Windows you will need 'find' and 'md5sum' for Windows, or Cygwin for a full Linux subsystem.

    diff filelist-win.txt filelist-lin.txt

  • by Z34107 ( 925136 ) on Friday February 12, 2010 @04:15PM (#31117808)

    My sentence immediately following your quote:

    (Of course, the rootkit will have the opportunity to hide itself or destroy your tool.)

    In my experience at my campus' help desk, the TDSS rootkit hasn't been sophisticated enough to hide from RootkitRevealer, ComboFix, or MalwareBytes.

    We generally find it with one of the "XP Antivirus 2010" variants, and when they come together TDSS seems to reinstall the scareware payload. In those cases, it's especially obvious when it's been removed - the "you've been infected" pop-ups go away.

    I don't disagree with you, but 90% of the time a 10 minute ComboFix scan removes it. The only way to be sure is diskpart clean all (or dd /dev/zero /dev/hda) from a WinPE or Linux boot disc.

  • by vmxeo ( 173325 ) on Friday February 12, 2010 @05:02PM (#31118946) Homepage Journal

    Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepancies to parse through?

    I believe RootkitRevealer [microsoft.com] does, although it does it by comparing the files as shown through Windows to a raw read of the file table.

  • by Anonymous Coward on Friday February 12, 2010 @05:30PM (#31119620)

    Well, there's always md5deep [wikipedia.org] and diff.
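The cross-view comparison that hoggoth, vmxeo and the Anonymous Coward above discuss (hash every file from inside Windows, hash the same volume again from a Linux boot disc, diff the two listings), with Opportunist's caveat in mind that only the offline view can be trusted: an added Python example, not code from this thread or from md5deep, RootkitRevealer or any other tool named here. It parses two md5sum/md5deep-style listings, lines up the Windows drive-letter paths with the Linux mount-point paths, and reports files whose hashes differ between views, files visible only offline, and files visible only live. The listing contents, the hash values, the mount prefix /mnt/win and the hidden driver name tdsshidden.sys are all constructed for the demo.

```python
"""Compare a 'live' (inside Windows) hash listing with an 'offline' (boot
disc) listing of the same volume to spot what a kernel rootkit hides or fakes.
Added example; the listings, paths and hash values below are constructed."""
import hashlib
import os
import re
from typing import Dict, Iterable, List

# One md5sum / md5deep output line: 32 hex digits, whitespace, optional '*'
# (the md5sum -b binary-mode marker), then the path.
_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(.+?)\s*$")


def normalize_path(path: str, strip_prefix: str = "") -> str:
    """Map a path from either view onto one case-insensitive, slash-separated
    form. The Windows view reports C:\\...; the Linux view sees the same volume
    under a mount point (e.g. /mnt/win), so each side passes the prefix to
    strip so that the two listings line up."""
    p = path.replace("\\", "/")
    if strip_prefix and p.lower().startswith(strip_prefix.lower()):
        p = p[len(strip_prefix):]
    return p.lstrip("/").lower()


def parse_listing(lines: Iterable[str], strip_prefix: str = "") -> Dict[str, str]:
    """Parse md5sum-style lines into {normalized_path: md5hex}; lines that do
    not match (blank lines, md5sum error messages) are skipped."""
    entries: Dict[str, str] = {}
    for line in lines:
        m = _LINE.match(line)
        if m:
            digest, path = m.groups()
            entries[normalize_path(path, strip_prefix)] = digest.lower()
    return entries


def hash_tree(root: str) -> Dict[str, str]:
    """Build the same kind of listing in-process (equivalent to
    `find ROOT -type f -exec md5sum -b {} \\;`), keyed relative to ROOT."""
    out: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.md5()
            try:
                with open(full, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue  # locked or unreadable (pagefile, hiberfil, ...)
            out[normalize_path(os.path.relpath(full, root))] = h.hexdigest()
    return out


def compare_views(live: Dict[str, str], offline: Dict[str, str],
                  ignore: Iterable[str] = ("pagefile.sys", "hiberfil.sys")) -> Dict[str, List[str]]:
    """Return the three discrepancy classes that matter when hunting a rootkit.
    'changed':   in both views with different hashes; the running system serves
                 different bytes than are on disk (the rootkit hands out the
                 clean copy, as Opportunist describes).
    'hidden':    on disk but invisible from inside Windows.
    'only_live': seen live but not on disk (usually transient files; worth a
                 look, but rarely the rootkit itself)."""
    skip = {n.lower() for n in ignore}
    live_paths = {p for p in live if os.path.basename(p) not in skip}
    off_paths = {p for p in offline if os.path.basename(p) not in skip}
    return {
        "changed": sorted(p for p in live_paths & off_paths if live[p] != offline[p]),
        "hidden": sorted(off_paths - live_paths),
        "only_live": sorted(live_paths - off_paths),
    }


# Constructed sample listings: the live view shows atapi.sys with the clean
# hash, the offline view shows the infected one plus an extra hidden driver.
LIVE_LISTING = r"""
11111111111111111111111111111111 *C:\WINDOWS\system32\drivers\atapi.sys
22222222222222222222222222222222 *C:\WINDOWS\system32\drivers\disk.sys
33333333333333333333333333333333 *C:\pagefile.sys
"""
OFFLINE_LISTING = r"""
44444444444444444444444444444444  /mnt/win/WINDOWS/system32/drivers/atapi.sys
22222222222222222222222222222222  /mnt/win/WINDOWS/system32/drivers/disk.sys
55555555555555555555555555555555  /mnt/win/pagefile.sys
66666666666666666666666666666666  /mnt/win/WINDOWS/system32/drivers/tdsshidden.sys
"""


def demo() -> Dict[str, List[str]]:
    live = parse_listing(LIVE_LISTING.splitlines(), strip_prefix="C:")
    offline = parse_listing(OFFLINE_LISTING.splitlines(), strip_prefix="/mnt/win")
    return compare_views(live, offline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

On a real case you would feed parse_listing the two files that the find/md5sum (or md5deep) runs wrote, passing the drive letter for the Windows listing and the mount point for the Linux one; hash_tree is the in-process equivalent for the offline side when the volume is mounted read-only. A file in the 'changed' bucket is the interesting one here: it is exactly the situation where an in-Windows checksum looks fine because the rootkit answers reads with the original content, while the bytes actually loaded at boot are different.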
