Rootkit May Be Behind Windows Blue Screen
L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
No surprise if true (Score:5, Interesting)
Re:Ah, well, that lets Microsoft off the hook then (Score:3, Interesting)
I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.
Sounds like a House-style diagnosis (Score:2, Interesting)
Re:Ah, well, that lets Microsoft off the hook then (Score:3, Interesting)
I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.
```c
RootKit() {
    if ( RecoveryPartitionPresent() == 1 ) {
        WriteRandomShit(RecoveryPartition);
    }
}
```
Re:No surprise if true (Score:5, Interesting)
Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepancies to parse through?
Re:Sounds like a good thing (Score:4, Interesting)
Uh... maybe they were fixing the loophole the spyware used to dig itself into the system? The fix plugged the hole, the (declared as system critical) spyware driver could not load, poof, BSOD.
Re:That does not matter. (Score:5, Interesting)
Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.
You don't know how rootkits work, do you?
It may not be possible to detect differences in a compromised file on a rooted system, because the rootkit will respond to requests with the original file's information.
So, for all we know, Microsoft did check the file before replacing it, but the rootkit told the OS it was unmodified.
How could one check for rootkits? (Score:3, Interesting)
The comments here suggest ideally using a bootable CD to scan the drive, but what exactly should one use?
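The two comments above make a pair of points: on a rooted system a file check run from inside the OS can be lied to, so the comparison has to be done from outside (a bootable CD with the drive mounted as plain data), and the practical question is what to actually run. The script below is an added example, not code from any poster here: it hashes every file under a mounted, offline system volume and diffs the result against a manifest of known-good SHA-256 values, reporting modified, missing and unexpected files. The directory layout, the file contents and the "known-good" manifest are all constructed inside the script so it runs offline; the path `WINDOWS/system32/drivers/atapi.sys` is used only because the summary names that driver, and the bytes in it are placeholders, not real driver contents.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large system files don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by its root-relative POSIX-style path.

    Run this against a volume mounted read-only from a boot CD: the hashes then come
    from the raw filesystem, not from whatever a resident rootkit chooses to report.
    """
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(known_good: dict, observed: dict) -> dict:
    """Diff an offline manifest against a trusted one and bucket the discrepancies."""
    return {
        "modified": sorted(k for k in known_good if k in observed and observed[k] != known_good[k]),
        "missing": sorted(k for k in known_good if k not in observed),
        "unexpected": sorted(k for k in observed if k not in known_good),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest from a clean tree, then check a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        drivers = clean / "WINDOWS" / "system32" / "drivers"
        drivers.mkdir(parents=True)
        # Placeholder bytes standing in for real system files (constructed, not real drivers).
        (drivers / "atapi.sys").write_bytes(b"constructed-atapi-driver-bytes")
        (clean / "WINDOWS" / "system32" / "ntoskrnl.exe").write_bytes(b"constructed-kernel-bytes")
        known_good = build_manifest(clean)

        # The "suspect" volume: same tree, but one driver altered and one extra file dropped in.
        suspect = Path(tmp) / "suspect"
        shutil.copytree(clean, suspect)
        with (suspect / "WINDOWS" / "system32" / "drivers" / "atapi.sys").open("ab") as fh:
            fh.write(b"-tampered")
        (suspect / "WINDOWS" / "system32" / "drivers" / "extra.sys").write_bytes(b"constructed")

        return compare(known_good, build_manifest(suspect))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

In practice the manifest would be generated from known-clean installation media or a clean reference machine at the same patch level, not from the suspect box itself, and the comparison only means anything when both hash passes are taken with the suspect OS not running.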
Re:Sounds like a good thing (Score:1, Interesting)
That's not strictly true. There are user-mode rootkits, though these are much less nefarious than their kernel-mode brethren. Still, they have the ability to gain total control over pretty much everything you do in the context of your user account. Granted it doesn't totally hose your machine, but it can still cause damage.
Re:Ways to alleviate this problem... (Score:2, Interesting)
//Microsoft Employee here//
Check out Microsoft Security Essentials if you work with customers' computers.
http://www.microsoft.com/Security_Essentials/
It is 100% free and has gotten favorable reviews. It is also very minimalist in design and simple to understand by non-technical people.
http://www.pcmag.com/article2/0,2817,2353447,00.asp