Microsoft Confirms Update-Linked BSODs Required Compromised Machines

Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.

Broaden their test base

[Itninja]

Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

Huh? I thought Netcraft confirmed it was dead?

[Anonymous Coward]

Huh? I thought Netcraft confirmed that BSD was dead. Oh waaaiiiitttt... BSOD
Ok nevermind

Re:But better than not finding out at all.

[Anonymous Coward]

The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

Re:Broaden their test base

[timholman]

Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

Trivially done.

IF OS_VERSION = "Windows XP/Vista/7" then MALWARE_FOUND = TRUE.

Well at least the Norfolk town IT can rest easy

[Parallax48]

Sounds like we found the explanation for the Norfolk issue:
http://news.slashdot.org/story/10/02/17/196230/Time-Bomb-May-Have-Destroyed-800-Norfolk-City-PCs-Data [slashdot.org]

Be Gentle

[e2d2]

That seems a harsh way to find out that your Windows machine has been rooted.

What do you want? Some cuddling before breaking the bad news?

"Sweety.. you got rooted" .. as it goes in the _wrong_ hole.

Re:No Worries

[snowraver1]

Prompt, efficient and convienient! Where can I buy this Root Kit?

Malicious Software Removal Tool

[HTH NE1]

So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

Re:Don't worry

[Megahard]

If people would keep their machines updated with the latest rootkit and virus patches then this wouldn't happen.

Re:Broaden their test base

[zappepcs]

Just have patches issued by McAfee and Symantec... that will fix the problem, for certain.

The un-harsh way

[hey!]

[A Microsoft representative comes to a System Admin's place of work for a little meeting.]

MR: Thanks for making time to meet with me.

SA: No problem. So what's this all about?

MR: I don't know how to say this, but it seems that you... well you aren't entirely in control of your systems.

SA: You mean you're selling a new management tool?

MR: No, no nothing like that. It's just that there are certain things... Well let's say there are things about your system that you don't know that you really ought to be aware of.

SA: Oh, I see. You mean like undocumented registry settings, or DLLS or stuff like that.

MR: Well, sure. Technically you *could* describe it that way. It's only....

SA: Only what? How would *you* describe it.

MR: *sigh*. OK. Some Chinese hacker working for the Russian mob has been using you as his bitch.

Zero-day

[Anonymous Coward]

This was a zero-day exploit that the virus writers didn't know anything about.

They got the patch out as quickly as they could.

Re:But better than not finding out at all.

[rve]

The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

An OS update shouldn't break third party applications such as rootkits. Many people's livelihoods depend on these rootkits. Did you guys at MS even consider how difficult it is to retroactively patch infected torrents once they're out on the net?

Re:But the fix will break Alureon!

[Pyrus.mg]

As mentioned above if you are an Alureon user an update has already been surreptitiously deployed to your pc and you can safely let Microsoft secure your system without losing any Alureon functionality.

Re:Be Gentle

[Anonymous Coward]

Wait, there is a _wrong_ hole???

Re:But better than not finding out at all.

[Pharmboy]

Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

To be fair, Microsoft is year ahead of Linux in this area. Linux isn't compatible with almost every kinds of virus/malware. Wine is helping by providing the APIs needed for some malware, but Linux (iptables in particular) still interferes with the proper operation of some of these programs. Like it or not, if you want to run these malware programs reliably, you should stay away from Linux. At least Microsoft lets you run *most* of these viruses after an update.

Re:Zero-day

[shutdown -p now]

See? Many eyeballs do make bugs shallow!

Re:But better than not finding out at all.

[poena.dare]

Dear Microsoft:

Please continue to turn off user's computers which are compromised. If at all possible, please display a message directing anyone in my zip code that I'm available to fix it for them at competitive prices. I really need the work.

Re:Be Gentle

[Maestro485]

I'm a rootkit, and Windows 7 was my idea!

Re:But better than not finding out at all.

[Garridan]

Oh snap! Your computer crashed because it had malware! Harsh man, that was real harsh. Couldn't the rootkit like, call you up and say "hey man, I'm in ur system, mining ur dataz", rather than just crash? That would be a lot more convenient, and significantly less harsh. I mean, what are they going to do next -- make the computer insult you, too?