Rootkit May Be Behind Windows Blue Screen 323
L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."
Sounds like a good thing (Score:5, Insightful)
Re: (Score:2, Funny)
That's one way of forcing users to take care of an infection.
Let me try to respin it into an anti-Microsoft jab:
Windows API is such a jumbled mess of spaghetti code that not even low-level processes related to accessing the hard drive are safe from updates!
Re:Sounds like a good thing (Score:4, Interesting)
Uh... maybe they were fixing the loophole the spyware used to dig itself into the system? The fix plugged the hole, the (declared as system critical) spyware driver could not load, poof, BSOD.
Re:Sounds like a good thing (Score:5, Insightful)
That's a strawman argument.
It's natural for security minded folks to "jab" at Microsoft (in a manner similar to how safety advocates "jab" at lead-painted Chinese toys).
On a SANE OS, rootkits can't be installed by regular users who are viewing a banner ad, or plugging in a storage device like a memory stick or USB picture frame.
Re: (Score:3, Insightful)
... unless you run with maximum permissions (root/Administrator). Vulnerabilities in Flashplayer are typically cross-platform; an exploit that works in Windows will work (after modification, but it will work) on Linux too. The difference usually just comes down to the degree of harm possible. Besides, while I don't know how this particular infection spreads, the odds are very good that it's a trojan... such things work quite nicely on *any* system where the user can get full permissions (almost everything e
Re:Sounds like a good thing (Score:5, Insightful)
Can you link to any actual exploits, not just those imagined by Microsoft's marketing department?
Re:Sounds like a good thing (Score:4, Insightful)
Yes, because Linux has no local privilege escalation vulnerabilities, right? This sane OS of yours, does it come with rainbow pooping unicorns too?
In a SANE OS, hackers NEED to escalate privileges to gain administrator privileges for their rogue processes.
In Windows, you ALREADY have administrator privileges! Right from the start!
Re: (Score:3, Insightful)
So I'd call that latest update a critical security fix. Install immediately!
Re: (Score:3, Funny)
Re: (Score:3, Funny)
I sure am glad I have Vista!!!
I understand each of the words.
I can pronounce all the syllables.
Yet this string will not register in my brain...
It's as if this arrangement of characters should not be.
Like some great sacrilege has sprung into being.
Re:I'm in favor of requiring Internet User's Licen (Score:2, Troll)
If you don't even have the strength of conviction to post with your name on it, I think that you should be denied issuance of your proposed Internet license.
And by the the way, "Internet" should be capitalized.
Re: (Score:2)
I have no idea why you get modded Flamebait, maybe because you dared to suggest something that "takes away freedoms".
Bluntly, if anything it might save our freedoms. Because, well, do you think our politicians will not use the rampart spreading infections to spin? "You cannot take care of your computer, therefore we have to limit your ability to install stuff. Only approved applications may run anymore and that way no spyware can infect your machines. And only machines that adhere to this standard may join
Re: (Score:3, Insightful)
Ah, well, that lets Microsoft off the hook then (Score:2, Insightful)
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
Re:Ah, well, that lets Microsoft off the hook then (Score:5, Insightful)
If a system has been rooted, nothing short of booting to another OS from a known clean media, mounting the disk read only, and scanning, is guaranteed to detect a root kit.
That'd make updates a real pain in the arse to install...
Re: (Score:3, Insightful)
Scanning it does not even guarantee the detection of the root kit. I can see tons of useless scans a user could run ;)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.
Re: (Score:3, Interesting)
I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.
RootKit() {
if ( RecoveryPartitionPresent() == 1 ) {
WriteRandomShit(RecoveryPartition);
}
}
Re: (Score:2)
What exactly would be the point of that? Infections senselessly trashing systems is pretty 1990. If the recovery partition is ever actually needed, that would mean the rootkit is effectively dead already, so why should it care what happens next?
Re: (Score:2)
You could call it Microsoft SafeUpdate
or even Windows File Protection [slashdot.org] and only allow drivers that have been digitally signed [microsoft.com].
Nice idea I suppose, but as they didn't work there's only one solution - DRM on everything in your C drive!!
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Insightful)
You know, it is far from easy to implement a "secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown" on a PC that has been rooted, unless you support this in hardware. And I can already hear the screaming and gnashing of teeth if some people, present company very much included, learned that PCs come with something like that.
I would certainly not be happy running hardware that I knew had something that I and no one I know could get into. And I can get into it, it's not that "trusted", is it?
Re: (Score:2)
Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates?
I'm pretty sure that if your system's been rooted, that's no protection at all. Besides, rootkits would quickly evolve to account for this process.
Re: (Score:2)
You're assuming your tool can detect the rootkit in any case.
If it can detect it during an offline scan, it can probably detect it during an online scan too. (Of course, the rootkit will have the opportunity to hide itself or destroy your tool.) ComboFix and MalwareBytes are especially good at removing TDSS.
Re: (Score:3, Informative)
My sentence immediately following your quote:
In my experience at my campus' help desk, the TDSS rootkit hasn't been sophisticated enough to hide from RootkitRevealer, ComboFix, or MalwareBytes.
We generally find it with one of the "XP Antivirus 2010" variants, and when they come together TDSS seems to reinstall the scareware payload. In those cases, it's especially obvious when it's been removed - the "you've been infect
Re: (Score:3, Insightful)
A Windows PE disc (meaning any Server 2008/Vista or newer Windows disc) is very nice for this. Shift+F10 will bring a command prompt; bootsect will let you restore an XP or Vista boot sector.
Chkdsk breaks a lot of rootkits - they break the file system and chkdsk removes them.
Another fun trick: Make an image of the disk with ImageX from the Windows AIK. Then immediately restore the image onto your disk. ImageX is file based, and the rootkits do their best to hide, so they're missed when the image is gath
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Insightful)
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
Well, actually no. Most rootkits either modify the permissions or patch critical system files that cannot be easily replaced, as this one does. It's designed to be stealthy -- so if you scan it, it will return a byte-for-byte copy of the original, which is kept elsewhere, while the operating system loads the infected one at boot.
Saying Microsoft is responsible for ensuring compatability with 3rd party software is ludicrious. This is like potholes -- while the government has a responsibility to patch the roads up so they remain drivable, cars are nonetheless designed with shocks and drivers are expected to watch for road hazards and avoid them as much as possible as well. It is a joint responsibility. Microsoft is not the sole responsible party here: The user shares the responsibility of ensuring the system has not been compromised.
Re:Ah, well, that lets Microsoft off the hook then (Score:5, Insightful)
And saying Microsoft is responsible for ensuring compatibility with _malicious_ 3rd party software is even sillier.
If your system is screwed up by a rootkit, there is no way to 100% predict what could happen if you try to continue using it (including trying to install patches).
If the BSODs are only happening to rootkitted XP boxes then it's clearly not Microsoft's fault.
If this was a one-time-thing, then yes. (Score:2)
But when taken with Microsoft's entire approach, no.
Microsoft has always chosen "ease of use" over security. And then their licenses are constructed so that a large segment of the machines out there don't even have clean-bootable media to resolve issues like this.
In your pot hole analogy, Microsoft didn't build the road ... and then then pot holes appeared. Microsoft built the road with the holes ... and then even more appeared and they're doing nothing to mitigate the situation and they're still building t
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Insightful)
Isn't one of the things a rootkit does is attempt to prevent detection?
How do you know that they don't try and match checksums, only the rootkit was returning the "correct" data in order to hide its presence? I mean, it is in the system file that handles reading data from hard drives, which sounds like the perfect place to put in code designed to stealth out the rootkit.
Not that I can get to the article ("Error establishing a database connection"), so I have no idea if that's the case, but it seems quite possible to me that if it's a rootkit, it's actively hiding from detection, which would seem to let Microsoft off the hook. Except for however the rootkit infected the machine in the first place.
Re: (Score:2)
Clueless comment. Microsoft was NOT patching atapi.sys in this set of updates. Unless you're asking MSFT to checksum every single file that has one of their patch binaries as a dependency? (Think about that one for a second before your knee jerks.)
Re: (Score:2)
The rootkit was hiding there, but there's nothing that prevent it from using other files which could have been modified (thus breaking hte rootkit compatibility ??)
Re: (Score:2)
How long would it take to checksum every executable and library on a windows machine, anyway? What makes this something that can't take place on a regular or manually initiated basis?
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Informative)
You can do it, but it's basically worthless if your system has been infected with a rootkit. The rootkit can (and usually does) show you a perfectly healthy system instead of the reality on the drive. As has been said before, the rootkit probably keeps a copy of the original file somewhere and only "shows" it to you in its original place (where now that rootkit file is located). It doesn't usually affect its operation, since it has already been loaded and unless it needs more data from its file (unlikely), nothing bad happens from the fact that the file that is loaded differs from the file that is shown on the disc.
If you now try to calculate a MD5 from the file on the disc, you will be supplied the original copy (that was replaced by the rootkit) and calculate your MD5 from the healthy file, making it appear a_ok and fine.
Once a system has been rooted you have lost. I hate to use the same words I always get to hear from consultants, but here they fit: You cannot identify some problems from within the system.
Re: (Score:2)
You seem to be using the same failed logic as other people, that a file modification exists after it has been over-written. No, it actually doesn't. There are no ghostly modified bits that linger around. Clearly this file is doing something it shouldn't, which by definition means that it didnt get replaced in the update.
If you arent a programmer or some shit, dont offer your opinion, because right now its terribly stupid.
Re: (Score:2)
They're more or less the same thing - the spread of malware is unauthorized file copying. The only way to fully prevent malware is to stop users from installing software, since they sometimes install malware.
The idea of not letting people install whatever they want on their own computers may sound ludicrous, but locked-down consoles have largely displaced PC's for gami
Re: (Score:2)
Seems it matters how you tally [phonearena.com] the numbers. Apparently iPhone is the most used smartphone while Blackberry is the most bought smartphone.
That right there says something that is not particularly flattering to RIM.
Re: (Score:2)
At rainbow's end: Win32/Alureon.A detected (Score:5, Informative)
After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.
If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.
Microsoft does detect it - and has since last October.
File atapi.sys received on 2010.02.11 21:58:49 (UTC) [virustotal.com]
Virus:Win32/Alureon.A [microsoft.com]
Updated: Dec 07, 2009
Aliases:
Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Encyclopedia entry
Updated: Dec 07, 2009 | Published: Dec 02, 2009
Aliases
Win32/Olmarik!generic (CA) Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)
Alert Level
Severe
Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.
Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... . Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary
Re: (Score:3, Funny)
AC's don't get mod points! ;)
Re: (Score:2)
This is pretty ironic considering the circumstances. Their DRM code is pretty much the standard process and kernel isolation plus hardware support for looking to see if anyone's messed around with critical system files to bypass that.
Re: (Score:2)
On the one hand, I'd agree with the other posters that detecting rootkits once they're installed is incredibly difficult.
On the other hand, that windows is so rootable is a problem. Yay for adding malware tools to window. But the standard operating procedure of adding layer after layer of new code for new functionality is getting pretty creaky. It opens more avenues for rootkits and other problems to break through.
Re:Ah, well, that lets Microsoft off the hook then (Score:5, Insightful)
As much as I hate defending MS, I can't help but doing it here.
A rootkit (and that is one) in a system means that you, being software running on that system, have no chance of detecting it, at least if it has done its homework. For the patcher, those checksums might even have been correct.
It also needn't be manipulated files. Windows, as any OS that has to allow low level drivers, allows you to load non-MS ring0 drivers. Like, say, Linux. It's either that or writing a device driver for every single pesky little controller out there. Do you think MS would do that? Or even do it well?
Now, you don't need drivers for hard drives themselves, but for their controllers. And spyware is quite keen on snuggling up to those controller and "filtering" the calls between them and the OS. Now, those spyware drivers are deemed part of the I/O system (for obvious reasons, they are part of the HD controller drivers as far the OS is concerned). If that driver cannot be loaded because that patch fixes a loophole the spyware used, the OS identifies that as a critical error in the HD controller driver and cannot access the hard drive anymore. BSOD.
The very same would probably happen in Linux, in BSD, in ... whatever Apple's OS is called, I forgot. You have a driver that is deemed critical by the system that fails to load.
If you want to blame anything on MS here, it's probably that this rootkit drivers could be installed in the first place. And I honestly don't know if it's MS to blame or the user. What should MS do if the user clicks "allow" on anything he gets asked? Take away control from the user? I doubt you'd like that.
Re: (Score:3, Insightful)
Of course.
They're the ones who paid for an OS that's about as secure as a colander, after all.
Re: (Score:2, Informative)
The user installed the virus into their system by doing something stupid.
Its like blaming the US Government for letting businesses go over sea when you still shop at Walmart.
Your response is a cop out.
That does not matter. (Score:2, Insightful)
ANY company replacing files on your drive should be checking to make sure that those are the exact files that it wants to replace.
If there's any difference in the files the installer should exit with a nice error message AND LEAVE EVERYTHING THE FUCKING SAME WAY IT FOUND IT.
Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.
Re: (Score:2, Insightful)
The issue appears to be the result of an infected driver relying on some internal bits of the kernel that were patched. It's actually the author of the software that infected the driver that's causing the problem.
The infected driver was _NOT_ part of the Windows update and the update had no dependency on that driver.
This is not Microsoft's fault.
While I'm all for free speech, I do prefer that the speaker have some soft of expertise on the topic.
Re:That does not matter. (Score:5, Interesting)
Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.
You don't know how rootkits work, do you?
It may not be possible to detect differences in a compromised file on a rooted system, because the rootkit will respond to requests with the original file's information.
So, for all we know, Microsoft did check the file before replacing it, but the rootkit told the OS it was unmodified.
Re:That does not matter. (Score:4, Insightful)
Checksums, 'nuff said...
Apps: Calc this for me...
rootkit: errrrrr.... ?
Apps: Busted, fscker! *and warns user*.
Re:That does not matter. (Score:4, Insightful)
Won't work. To take your analogy a bit farther...
The thief is the rootkit, you're the kernel, and the patch is the police.
The thief is already in, hiding behind the sofa with a gun pointed at your head. The officer knocks on your door and asks if you're being robbed. The answer is 'no'.
A rootkit can invade the lowest-level of the Virtual File System, so when a patcher running in user space asks for the checksum of the file it's about to patch, it gets a 'clean' result, even if the -real- file on the disk is something entirely different.
There are a lot of misconceptions about what rootkits really are. I encourage anyone to take a few hits of LSD and explain physics to me, or perform surgery on themselves while under the influence, that's about the closest thing I can compare to patching or rootkit detection on a system that's already compromised.
Re: (Score:3, Insightful)
And HOW exactly should they check if the system has been infected by a rootkit that shows the patcher a file that matches the checksum?
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Insightful)
That is BS and you know it.
The user installed the virus into their system by doing something stupid.
Its like blaming the US Government for letting businesses go over sea when you still shop at Walmart.
Your response is a cop out.
Your response is what is commonly known as 'blaming the victim.' Seriously, you can't imagine any other way for malware to get onto a system except user stupidity? I'd call that a failure on your part. You know, Windows fanbois remind me of battered women, explaining to others how they walked into a door or fell down some stairs. No you didn't, you let somebody beat the shit out of you and then covered it up.
Re: (Score:2)
Nevermind, this is
Re: (Score:2, Insightful)
Re: (Score:2, Informative)
I've installed Linux on half a dozen laptops in the last year. In every case, the installation auto detected the wireless card and I had absolutely no problem getting connected.
The year before that, I had to work on my mom's Windows laptop. She'd had several wireless cards in it over the years, and all the damn special software each of them had installed left her system a barely functioning wreck. It took me hours to get it sorted.
Anecdotal data, sure, but so is every single case of "Waaa! Linux doesn't hav
Re: (Score:2)
Re: (Score:2)
So we have these two "extremes" to choose from:
Either some hardware is not supported,
or
your system will get infested with malware and then eat itself the next time it's updated.
Take your pick.
Re:Ah, well, that lets Microsoft off the hook then (Score:5, Insightful)
Over 90% of current infections are due to social engineering (aka "user stupidity"). The rest is usually due to certain third party software from a company with a big A, usually a certain reader for a Pretty Dumb Format or a tool to make webpages flashy.
If it's blaming the victim to say that it's effing stupid to open attachments that are sent by "Lawyer" and titled "last reminder" or run "security patches" their bank sends them because else their account is closed immediately, then yes, I blame the victim. Stupidity is no excuse. And this behaviour is, bluntly, EFFING stupid!
Re: (Score:3, Insightful)
The only data I have on this matter is still under an NDA, so I can as well have none. But you are invited to draw your own sample. Take every infector you can get your hands on and check what way they use to get onto the machine.
And yes, 90% is not 100%. Still it means that the chance to be infected provided you know what you're doing is 1/10th of that if you don't. While this does not immediately translate to 9 out of 10 infected machines being infected because the user sitting in front of it is unable to
Re: (Score:2)
My colander is very secure thank you. I keep it underneath the stove, and it's not connected to the internet in any fashion. In fact, I don't even plug it in.
Re:Ah, well, that lets Microsoft off the hook then (Score:4, Informative)
Isn't free software great?
Re: (Score:3, Insightful)
Do you?
SFC Find It? (Score:3, Insightful)
Re: (Score:3, Informative)
Not if the rootkit responds to the request with the original values for the files it has replaced. That's the the thing about a rootkit - it gets to tell the OS whatever it wants.
Re: (Score:2)
Re: (Score:2, Informative)
Re: (Score:2)
Is that how SFC works? It calls a method in the DLL? I would think it would do an MD5 (or similar -- possibly stronger -- hash) on the file, and compare the hash and the size to the known values. The only way around that would be to alter what SFC has for the "original" values...
The obvious other way around it would be to intercept file read/write calls (which trojan can do if it lives on kernel level, injected into some driver), and provide the original file contents to anyone who tries to read the file.
But then wouldn't SFC launched from a bootable CD combat that issue?
It would, but can you launch SFC from within one OS install on files belonging to another OS install?
Re: (Score:2)
My comment applied only to running it in-place. Booting from CD is, AFAIK, the only way to see/get rid of rootkits. (My apologies if that's the way SFC is normally run)
Good (Score:2)
The infected PC is unusable or it will be restored to a clean state. Either way it won't be spamming or participating DDOS attacks, etc.
No surprise if true (Score:5, Interesting)
Re: (Score:3)
Re: (Score:2)
It was named al0ha.trojan.jpg.exe and it was also sent to thousands of unsuspecting hotmail users at the same time as it was sent to threatexpert and virustotal ( they only got it as a secondary action) .
Re:No surprise if true (Score:5, Informative)
If you compare a file listing run from inside the machine to one run from a bootable CD OS where the rootkit can't load, different files are a dead giveaway that something is being hidden, and a rootkit can't work around this.
There are also lower level APIs one can use inside of an OS that are much harder for a rootkit to patch so such tools can also locate some rootkits without needing to boot from CD. See: RootkitRevealer
Re:No surprise if true (Score:5, Informative)
No, he's suggesting a program that runs first under Windows to make a list of every file on the disk along with a checksum, then runs under Linux to make a list of every file on the disk along with a checksum. If the lists differ there is likely a root-kit hiding itself when running Windows.
Re:No surprise if true (Score:5, Interesting)
Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepencies to parse through?
Re:No surprise if true (Score:4, Informative)
Off the top of my head, without checking my syntax, do this:
find / -exec md5sum -b {} \; > filelist-win.txt
find / -exec md5sum -b {} \; > filelist-lin.txt
(find scans all the files from / down, running md5sum on each one)
Run each under Windows and Linux, respectively. On Windows you will need 'find' and 'md5sum' for Windows, or Cygwin for a full Linux subsystem.
diff filelist-win.txt filelist-lin.txt
Re:No surprise if true (Score:5, Informative)
Is there currently a set of programs that does this in some automated fashion that will generate a list of discrepencies to parse through?
I believe RootkitRevealer [microsoft.com] does, although it does it by comparing the files as shown through Windows to a raw read of the file table.
Re: (Score:2)
I had a machine with a rootkit on it (my parents laptop) file called srosa.sys - the only clue there was something wrong with the PC at all was it wouldn't run autocheck.exe and any file called chkdsk.exe was automatically deleted.
It also prevented the installation of any virus scan package - literally deleting and modifying files as they were installed.
Its like that hacker defender rootkit a lot of admins ran into a few years back (but didn't know about it) they were calling support about the information s
Re: (Score:2)
If you run your XP box as root and allow items to be installed by clicking on an attachment or going to a website that runs an executable, no virus checker is going to stop you from hosing your machine. Vista's "cancel or allow" mechanism made fame by its annoying implementation (having to "cancel or allow" multiple times through a single process) but it was the best move Microsoft ever made towards their system's security. MacOS X and Linux have had "cancel or allow" mechanisms pretty much since their in
That must be why... (Score:2)
...my XP box didn't crash on reboot after applying these latest updates.
had one yesterday (Score:2, Informative)
Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connectd with the xp problems. Microsoft didn't do a evil thing who would have knew.
Re: (Score:2)
Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connectd with the xp problems. Microsoft didn't do a evil thing who would have knew.
You mean Microsoft didn't have evil intentions in this area of the patch. Bad idea to make a blanket statement based on one area of patch.
Inadequate regression testing (Score:5, Funny)
Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!
Re:Inadequate regression testing (Score:5, Funny)
Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!
But if we do, the makers of less-popular rootkits could sue us in EU for monopolistic preferential treatment! ~
VirusTotal (Score:2, Informative)
http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529
Sounds like a House-style diagnosis (Score:2, Interesting)
"It's not a bug, it's a feature" (Score:3, Funny)
"Yes, our security update crashed your computer. We hope you enjoyed our anti-rootkit feature."
Remove it with ComboFix (Score:5, Informative)
I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.
Re: (Score:2)
Theres a better patch out
http://www.microsoft.com/windows/windows-7/ [microsoft.com]
ATAPI.SYS Infections (Score:5, Informative)
I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.
The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.
I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...
"Rootkit May Be Behind Windows Blue Screen" (Score:5, Funny)
mommy (Score:2)
Mommy, the root kit did it!
How could one check for rootkits? (Score:3, Interesting)
The comments here suggest ideally using a bootable CD to scan the drive, but what exactly should one use?
Re: (Score:3, Informative)
Microsoft Update KB977165 triggering widespread BSOD One of Microsoft's "Patch Tuesday" security fixes is triggering a widespread "Blue Screen of Death" problem. The cause is not the update itself, but an existing infection. So far, reports suggest that this problem affects Windows XP and Windows Vista. Once the update is applied and the system rebooted, Windows will bluescreen at boot. When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied. I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally. This is not the first time that an infection hitting atapi.sys has caused updates to trigger bluescreens. If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update. If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer. References: http://isc.sans.org/diary.html?storyid=8209 [sans.org] http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1 [microsoft.com] Detailed Repair Instructions Using the Windows XP Recovery Console 1. Boot from your Windows installation CD Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like "Press any key to boot from CD..." - press a key. 2. Start the Recovery Console After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing "R". Press "R" to launch the Recovery Console. * You may be asked to choose a Windows installation. If so, choose the damaged installation (probably "1). * You may be prompted for the Administrator password. If you do not have one, press "Enter". 3. Identify your CD drive letter You should now be at the command prompt. Enter the following command: map Look for the drive letter for your CD drive. It may look something like this: D: \Device\CdRom0 In this case, your CD drive is "D:". 4. Replace ATAPI.SYS Enter the following, replacing "D:" with your CD drive: cd system32\drivers ren atapi.sys atapi.old expand D:\i386\atapi.sy_ You should see the message "1 file(s) expanded." - this indicates you have succeeded. 5. Reboot and scan for malware Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software. Tags: Malware, Security, Windows This entry was posted on Thursday, February 11th, 2010 at 17:22 and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.
Re: (Score:3, Informative)
And some other salient responses:
Michael Bristow says:
2010-02-12 at 11:48
I had a machine come across my bench with this issue, first thing Wednesday morning. One of the first things I tried was running SFC form an ERD boot disk. it replaced several files including atapi.sys, but was still would not boot. only way to get the PC back up and running was to remove the patch.
Multiple scans, with no infection detected, and I tried re-installing the patch, only to get right back to Blue Screens.
In short, there is obviously more going on than just a problem with infected atapi.sys files.
Jim Blizzard says:
2010-02-12 at 12:00
Very nice work Patrick,
We have seen this occur on a few machines at the FAA so I wrote a vbscript to loop through an .xls of machines and record the MD5 Checksum. Thought it may come in handy for yourself and some of your readers..
http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip [comcast.net]
Re: (Score:2)
They could just have their update installer flip shit if checksums don't check out right, and refuse to take any actions. That would be the sane default anyways...
Re: (Score:2)
Re: (Score:2)
Well if I'm reading this right, this one at least didn't catch filesystem writes...
Re: (Score:2)
Windows is already "bug for bug" compatible in many cases, though for the sake of real applications rather than trojans, of course. If you read The Old New Thing (Raymond Chen's blog), he often details some of the undocumented assumptions and accidental behavior that had to be supported for a long time just because some very popular software out there relied on it to work.
It's the unfortunate consequence of having backwards compatibility as a major feature - when it breaks for whatever reason when a new ver
Re: (Score:3, Insightful)
Do you have any evidence or are you just spouting off bullshit? No need to answer, it's a rhetorical question.
Seriously though, guys/girls like yourself need to get a fucking grip. When you say "M$" you sound like a tool. When you cry foul when there is none you sound like a tool. When you make baseless accusations against someone because they are trying to inform people of a potential rootkit problem you sound like a tool.
Summary: You sound like a tool and people won't listen. So any future complaint or cr