Microsoft Confirms Update-Linked BSODs Required Compromised Machines 199
Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.
Don't worry (Score:5, Informative)
The malware has been updated [theinquirer.net] so that it won't cause a crash.
Re:But better than not finding out at all. (Score:5, Informative)
Don't worry, it looks like the malware authors have already rushed out an update for their rootkit
http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html [prevx.com]
Re:But better than not finding out at all. (Score:5, Informative)
Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.
Last October, Dude (Score:4, Informative)
So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?
Virus:Win32/Alureon.A [microsoft.com] Definition: 1.69.77.0 Released: Oct 23, 2009
Re:Not tech people! (Score:4, Informative)
Root kits are designed to hide their presence from the operating system. They can hook file system calls and return what looks like the proper version of the file to anything trying to read it. Once something is hooked into the machine at a low enough level the only way to detect it would be to boot from non infected start up disk and scan the infected volume.
Re:Better than not knowing that you've been rooted (Score:5, Informative)
it was probably about 6 years ago when a number of goverment offices American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
In plain language, many government computers and businesses computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quiting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.
Oh, I assure you, they know about it. They're just too incompetent to do anything about it.
I was once at a large bank, and I was warned not to plug my laptop into the bank's network. At first I was thinking "this must be for security reasons, they clearly don't (and shouldn't) trust some random consultant's laptop on their network", but then I was told that it was for my own protection. Apparently the bank network was so lousy with viruses that a laptop without the latest patches would last only minutes before it was rooted. I keep my work laptop patched, so I did plug in. I ran Wireshark for a few minutes, which detected about a dozen hack attempts on my machine. On top of this, many of their servers were running ancient versions of windows, many at RTM patch levels. I suspect they were all infected, but I didn't have a chance to look into it.
It's not just one or two financial institutions, from what I gather, many of the larger ones have infections.
This is what excessive bureaucracy does to IT: the amount of paper work required to approve a patch is so onerous that IT managers simply don't patch servers. The paper work is meant to prevent the minor problem of 'unapproved' patches causing disruptions, but the end result is even worse, which is unpatched machines with rampant infections.
Re:You don't have to. (Score:3, Informative)
Work in the real world much? The network that I'm currently plugged into has 69,000 workstations on it, and 27,000 servers, plus another couple thousand ancillary computers like DVRs and cash registers (yes, they all run Windows). The hospital that I'm going to be working at tomorrow has over 1200 nodes on its network of which at least a hundred are considered non-rebootable life-safety systems (yes, almost all of those are Windows). That brilliant idea might work at your home office, but out here where the rest of us work it would get you laughed out of your job interview.
Re:But better than not finding out at all. (Score:3, Informative)
Microsoft might want to cut Sony's engineers some slack there. And yes, I do know the downside to it: everything, every single application would have to be signed and greenlighted by Microsoft, Ubuntu, Redhat, you name it. Just like Apple and Google do it for their mobile platforms. A pain, sure, but: no pain, no gain.
Re:But better than not finding out at all. (Score:4, Informative)
Re:But better than not finding out at all. (Score:1, Informative)
Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.
Because removing malware can be risky work. Much better to make sure the machine is patched if something goes wrong with malware removal.