Microsoft Confirms Update-Linked BSODs Required Compromised Machines
Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates are the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.
But better than not finding out at all. (Score:5, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
First post... that would be you, sir.
That was a demand?
Re: (Score:2)
In his defense, the people of Big Red Radio's home planet are extremely polite. "I, for one, welcome our Overlords" is actually a variation of their standard greeting.
Re: (Score:3, Interesting)
Well, you can do some forensics first if you want, and maybe copy off some data (if you're careful about how you do it so as not to infect any system you copy it to). But you're going to boot from known-clean (and,
Re: (Score:2)
Re:But better than not finding out at all. (Score:5, Funny)
The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.
Re: (Score:3, Funny)
The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.
An OS update shouldn't break third party applications such as rootkits. Many people's livelihoods depend on these rootkits. Did you guys at MS even consider how difficult it is to retroactively patch infected torrents once they're out on the net?
Re:But better than not finding out at all. (Score:4, Interesting)
When the rootkit has complete, unrestricted access to the system, *it can do anything it wants*. There really isn't a way to stop it, unless you've forced it into a lower-security prison (aka, user-level).
If it wants to pick a random memory address that it's hard-coded and jump to it, it can do it. The CPU's not going to stop it, and Windows is not responsible for fixing that. You may as well ask for the Linux kernel to stop a rootkit module from rewriting the software interrupt vector tables and hooking into system calls. If it has write-anywhere memory-level access (and it does, it's in the kernel during initialization, launched by root), then it can write bytes to memory, anywhere it chooses. If you then upgrade to a kernel with a different system call table layout due to an improvement, and the malware doesn't self-correct? Boom!
Now, solutions to this involve things like virtualization and sandboxing, but we're not quite there yet. I wouldn't actually mind seeing an operating system take advantage of VT and other things to produce an OS with a secure core, that self-verifies and only accepts signed updates.
Re: (Score:3, Informative)
Microsoft might want to cut Sony's engineers some slack there. And yes, I do know the downside to it: everything, every single application would have to be signed
Re: (Score:2)
Not so viable for Microsoft given their monopoly status (assuming the regulators aren't asleep), and backward compatibility reasons.
They'd have to do things a different way.
Re: (Score:2)
files that have been overwritten still contain bits of the old files that will execute and cause blue screens.
Why not? DNA contains bits that will de-evolve you back into a frog or lizard or caveman.
The Archon V2.0
Graduate, Starfleet Academy biology program.
Re:But better than not finding out at all. (Score:4, Insightful)
Wow, nice way to find/create an anti-MS slant on the story. I can respect people who bash Microsoft if they know what they are talking about, but you clearly don't, so no biscuit.
Problems with your theory:
1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.
2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.
3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first, then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition, cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.
Re: (Score:2)
Depends...
If MS10-015 was meant to protect against/fix Alureon infections, then yeah, it doesn't seem unreasonable to ask that it not hose the machine.
OTOH, if the fix was for something else and it just happened to go tits-up in that particular odd case, then yeah, MS is off the hook.
Re: (Score:2)
Re:But better than not finding out at all. (Score:5, Informative)
Don't worry, it looks like the malware authors have already rushed out an update for their rootkit
http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html [prevx.com]
Re:But better than not finding out at all. (Score:4, Insightful)
I think that award goes to Timothy -- our fearless fudding editor. I mean, consider how he ended TFA: "That seems a harsh way to find out that your Windows machine has been rooted."
Alright, maybe that's a harsh assessment, but after countless other posts like this I'm not inclined to give him the benefit of doubt. Let's recap:
1. The Alureon rootkit isn't new, and should be detected by any AV worth its salt.
2. That being the case, affected users were not running AV, or were infected before they installed their AV.
3. Affected users are running a 10-year-old OS.
4. More recent OSes (64-bit Vista and Win7) have inbuilt measures that render Alureon ineffective (PatchGuard - which checks for signatures on kernel modules).
5. 32-bit Vista and Win7 would be immune as well if the AV cartel had not threatened to approach the DOJ with antitrust complaints if MS implemented PatchGuard in the 32-bit versions.
6. MS has made online scanning tools, a malware removal tool, and a free AV/security suite (MS security essentials) that any of the affected users could have used, prior to the update, and they would have been fine.
So now, short of forcibly enrolling users in "install and run AV 101", what else could you be calling for, Mr. Timothy (editor), when you say that you think this is a particularly harsh way to find out that you've been infected? What the fuck else do you think MS should do? Go back in time, and fucking add PatchGuard to XP before they release it? I'm really fucking interested in hearing your opinion on this.
Re:But better than not finding out at all. (Score:4, Insightful)
Re: (Score:2)
Amen to that.
I mean, we know there are technophobes out there. We know there are people who just can't understand the importance of running up-to-date AV, latest updates etc., or simply can't figure out how to do it -- but seriously -- what can you do for such users. You can make your OS more and more secure with its default settings. You can make free online scanners available. You can make free AV available. In as far as you don't get dragged into court for retarded reasons, you can try to make your ke
Re:But better than not finding out at all. (Score:5, Funny)
Dear Microsoft:
Please continue to turn off users' computers which are compromised. If at all possible, please display a message directing anyone in my zip code that I'm available to fix it for them at competitive prices. I really need the work.
Re: (Score:2, Funny)
Oh snap! Your computer crashed because it had malware! Harsh man, that was real harsh. Couldn't the rootkit like, call you up and say "hey man, I'm in ur system, mining ur dataz", rather than just crash? That would be a lot more convenient, and significantly less harsh. I mean, what are they going to do next -- make the computer insult you, too?
Re: (Score:2)
That seems a harsh way to find out that your Windows machine has been rooted.
I wish every update had such a botnet killer in it. Damn, that would be sweet. I'm tired of the spam and the bandwidth killing. Failing that, we could enact a government tax of 25 cents an email. HA!
Q: Would it be possible to run a hypervisor as part of an OS so that the OS maintainer be it the evil empire or ahbuntu could detect and eradicate malware and virii? I've done similar with ghost in the past but I am not up to speed on virtual machines yet.
Re:But better than not finding out at all. (Score:4, Funny)
Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?
To be fair, Microsoft is years ahead of Linux in this area. Linux isn't compatible with almost every kind of virus/malware. Wine is helping by providing the APIs needed for some malware, but Linux (iptables in particular) still interferes with the proper operation of some of these programs. Like it or not, if you want to run these malware programs reliably, you should stay away from Linux. At least Microsoft lets you run *most* of these viruses after an update.
Re: (Score:2)
Why don't they just make their operating system incompatible with viruses and malware? Somehow everybody else manages it.
Re:But better than not finding out at all. (Score:5, Informative)
Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.
Re:But better than not finding out at all. (Score:4, Informative)
Re: (Score:2)
Having said that though, it looks like it hasn't been updated since Microsoft took it over.
Re: (Score:2)
Some rootkits are intentional, like some viruses (I guess they're not really viruses then). As an option, sure, but as a regular part of the update process it can be dangerous.
Not that harsh (Score:5, Insightful)
The un-harsh way (Score:3, Funny)
[A Microsoft representative comes to a System Admin's place of work for a little meeting.]
MR: Thanks for making time to meet with me.
SA: No problem. So what's this all about?
MR: I don't know how to say this, but it seems that you... well you aren't entirely in control of your systems.
SA: You mean you're selling a new management tool?
MR: No, no nothing like that. It's just that there are certain things... Well let's say there are things about your system that you don't know that you really ought to be aware
Better than not knowing that you've been rooted (Score:5, Insightful)
Re:Better than not knowing that you've been rooted (Score:5, Insightful)
In plain language, many government computers and businesses' computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You cannot secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting, saying something much the same. Businesses who insist on Windows are insisting on something which is very, very difficult to secure.
Now I wonder if this is what took out all those Norfolk VA computers. The ones which it was said that they don't think it was something they got off the internet but in the same breath said they don't know what caused it or how it got there.
LoB
Re: (Score:2)
You can't secure any unverified code without unplugging it. And verifying, truly verifying code is expensive and laborious and will likely never be done for something as huge as Windows or a Linux distro.
Unfortunately, the cost-benefit analysis of verifying code against a spec and proving the security of it shows that it's not worth it in the vast majority of situations.
Re: (Score:2, Interesting)
Couldn't a deep packet inspection reveal the botnet behaviors regardless of how good the rootkit was?
Sounds like a home router feature to me...
Re: (Score:2)
SSL or any other common encryption scheme throws that out the window.
Re: (Score:2)
Encryption/obscuring traffic helps hide it, but if the volume is in any way significant, a competent admin will spot it and note it as suspicious regardless of whether or not he can see what the traffic actually contains.
You don't have to. (Score:2)
All you need to do is verify that the files on the drive are the files released by the vendor(s). An extra step would be to make sure that they're the most recently patched versions as well.
That can be done with a bootable Linux CD and a list of the various files, their locations and different checksums of each of them.
Anything that isn't on that list is suspect and can be quarantined.
The advantage of a system like that is that it is easy to use to spot even unknown rootkits.
Re: (Score:2)
You're missing the point, unverified code is insecure code. Whether that's Windows or Linux.
For example, can you prove without a doubt that there exists no kernel or kernel module flaw that could result in running arbitrary code from an innocuous file on the filesystem at boot time? No, not even close. There's simply no way you could make that claim.
While it's improbable that such flaws exist in the Linux kernel, it's entirely possible. It's possible that there exists a flaw that allows hijacking a running
Re: (Score:3, Informative)
Work in the real world much? The network that I'm currently plugged into has 69,000 workstations on it, and 27,000 servers, plus another couple thousand ancillary computers like DVRs and cash registers (yes, they all run Windows). The hospital that I'm going to be working at tomorrow has over 1200 nodes on its network of which at least a hundred are considered non-rebootable life-safety systems (yes, almost all of those are Windows). That brilliant idea might work at your home off
Re:You don't have to. (Score:4, Insightful)
LoB
Re:Better than not knowing that you've been rooted (Score:5, Informative)
It was probably about 6 years ago when a number of government offices, American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
In plain language, many government computers and businesses' computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You cannot secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting, saying something much the same. Businesses who insist on Windows are insisting on something which is very, very difficult to secure.
Oh, I assure you, they know about it. They're just too incompetent to do anything about it.
I was once at a large bank, and I was warned not to plug my laptop into the bank's network. At first I was thinking "this must be for security reasons, they clearly don't (and shouldn't) trust some random consultant's laptop on their network", but then I was told that it was for my own protection. Apparently the bank network was so lousy with viruses that a laptop without the latest patches would last only minutes before it was rooted. I keep my work laptop patched, so I did plug in. I ran Wireshark for a few minutes, which detected about a dozen hack attempts on my machine. On top of this, many of their servers were running ancient versions of Windows, many at RTM patch levels. I suspect they were all infected, but I didn't have a chance to look into it.
It's not just one or two financial institutions, from what I gather, many of the larger ones have infections.
This is what excessive bureaucracy does to IT: the amount of paperwork required to approve a patch is so onerous that IT managers simply don't patch servers. The paperwork is meant to prevent the minor problem of 'unapproved' patches causing disruptions, but the end result is even worse, which is unpatched machines with rampant infections.
Re: (Score:2)
Broaden their test base (Score:3, Funny)
Re: (Score:2)
While I'm not sure how they would go about testing against future viruses, short of bringing Johnny Carson's Carnak out of retirement, you would think that at the very least they could add a rootkit scanner to the front of the update. That way the update could fail gracefully with a note explaining why it couldn't proceed, along with a list of steps necessary to get the system clean, and helpful
Re: (Score:2)
And how is that going to work? They're going to ship out their patches on DVDs that you have to boot the machine from? People already bitch about having to reboot their servers once a month. Can you imagine having to physically visit every server with a DVD / USB stick? Give me a break.
Re: (Score:2)
Apparently you know little about this rootkit.
It gets updated daily, sometimes more often. The crackers are working in realtime to keep it ahead of security.
Re: (Score:2)
Re: (Score:2)
You need to learn how to slipstream all that stuff into one install disc. It's way faster...
Except he didn't have install disks;
they were well-known brands without OS install disks.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Even better, slipstream the damn things with nLite.
Re:Broaden their test base (Score:4, Funny)
Just have patches issued by McAfee and Symantec... that will fix the problem, for certain.
Re: (Score:2)
fixed for you.
Most effective mechanism for making a safer 'net (Score:5, Interesting)
Re: (Score:2)
Some ISPs notify their customers if they're participating in a botnet, and cut their service if nothing is done about it. They're only doing it out of their own interest, but I wouldn't mind federal governments making this mandatory.
This isn't the first time that an update from Microsoft has broken an infected PC. It's not something they plan or test for, nor should they.
Huh? I thought Netcraft confirmed it was dead? (Score:2, Funny)
Huh? I thought Netcraft confirmed that BSD was dead. Oh waaaiiiitttt... BSOD
Ok nevermind
Good (Score:2)
That seems a harsh way to find out that your Windows machine has been rooted.
Or a good way, as it will force people to find a way to fix it. Who knows, maybe it will even teach some people some things about the dangers of rootkits.
Re: (Score:3, Insightful)
Even better, it gets the machine off the net, so other people are not victims of DDoS attacks, spam, automated scans, and other crap that might come from a botnet client.
I admit I sound like a jerk here, but I'd rather have a machine with a BSOD than a rootkitted box. Reinstalling or reimaging a machine may be a bit time consuming, but it is nowhere near the time it would take to recover access to compromised bank accounts, Web accounts, gaming, and dealing with identity theft issues.
Re: (Score:2)
"I admit I sound like a jerk here,"
No, you don't.
Lusers (the term fits in this case) don't care about securing their machine unless it gets broken. Malware that breaks machines provokes an immune response, while parasitic malware usually does not.
No Worries (Score:2)
That seems a harsh way to find out that your Windows machine has been rooted.
Don't worry, I'm sure the author(s) of the rootkit released a patch within 24 hours that automatically updated the infected machines to make the rootkit "compatible" with the security update.
Re:No Worries (Score:5, Funny)
Re: (Score:2)
Prompt, efficient and convenient! Where can I buy this Root Kit?
Sony will sell you one although it's not 100% compatible with the industry-standard ones and it lacks the features of the rootkit described in this article. On the plus side, Sony bundles a free music CD with theirs.
(Yeah, I know they've allegedly stopped doing that. Never forgive, never forget.)
Don't worry (Score:5, Informative)
The malware has been updated [theinquirer.net] so that it won't cause a crash.
Re: (Score:3, Funny)
Zero-day (Score:5, Funny)
This was a zero-day exploit that the virus writers didn't know anything about.
They got the patch out as quickly as they could.
Re: (Score:3, Funny)
See? Many eyeballs do make bugs shallow!
I wonder who else is preparing a patch... (Score:2)
I wouldn't be surprised if the rootkit authors were at work on a patch for this BSOD. They will of course send it out via auto-update.
Well at least the Norfolk town IT can rest easy (Score:2, Funny)
Sounds like we found the explanation for the Norfolk issue:
http://news.slashdot.org/story/10/02/17/196230/Time-Bomb-May-Have-Destroyed-800-Norfolk-City-PCs-Data [slashdot.org]
Be Gentle (Score:5, Funny)
That seems a harsh way to find out that your Windows machine has been rooted.
What do you want? Some cuddling before breaking the bad news?
"Sweety.. you got rooted" .. as it goes in the _wrong_ hole.
Re: (Score:3, Funny)
Wait, there is a _wrong_ hole???
Re: (Score:3, Funny)
bsod (Score:3, Insightful)
That seems a harsh way to find out that your Windows machine has been rooted.
There are plenty of people who think that tracking down all the machines in these botnets and disabling them is a reasonable way of dealing with the problem.
Re: (Score:2)
That is the only effective way of dealing with the problem.
The alternatives are to ignore the problem.
Re: (Score:3, Insightful)
I've read an article about this, it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.
Yeah.
A lawsuit for whoever had an internet connected machine running a life-support system and set to auto-update.
Software updates on mission-critical systems should only happen manually, and after strict auditing.
I won't even bother addressing how much of a bad idea it would be to have a life-support machine able to access (or be directly accessed from) the internet.
Malicious Software Removal Tool (Score:5, Funny)
So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?
Re:Malicious Software Removal Tool (Score:4, Insightful)
I would hope so. But the malware removal tool runs last in the Windows Update process. I've never understood why.
Re: (Score:2)
It runs _slow_. Gets to the point where many people I know purposely choose to do a shutdown w/o updates rather than "install updates and shut down".
Last October, Dude (Score:4, Informative)
So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?
Virus:Win32/Alureon.A [microsoft.com] Definition: 1.69.77.0 Released: Oct 23, 2009
Re: (Score:2)
Note that this entirely insightful comment has been modded Funny, so that it will already be score 5 without the poster's karma being incremented, thus effectively preventing the karma boost. This is the new form of astroturfer mod trolling. Expect to see a lot more of it soon.
Re: (Score:2)
I don't mind getting zero karma for it. Unfortunately, there are people (including personal friends) who use their settings to treat Funny mods as a -1 or less and thus won't read it.
Good Job, Microsoft! (Score:3, Insightful)
But the fix will break Alureon! (Score:2)
> Users affected by this problem can fix it by replacing the infected driver
> with a new one via the system console.
But that would break Alureon! Is an update available for it?
Re: (Score:2, Funny)
Microsoft's Malicious Software Removal Tool (Score:2)
When is it not harsh? (Score:2)
That seems a harsh way to find out that your Windows machine has been rooted.
I don't know about anyone else, but I would think that any way you find out your machine is rooted is going to be harsh. Sure, the not-booting thing is annoying (still don't know why Windows or Intel/AMD chipsets don't support a Target Disk Mode for events like this), but finding out that someone else has had free rein over your machine for who knows how long (whether it is currently booting or not) is a harsh reality.
Re: (Score:2)
I really do wish it was that simple.
The simple fact of the matter is that even with all the security turned on, even with all the updates being installed automatically you still can't avoid the odd rootkit. And there are several modern rootkits which are really hard to spot - most AV packages won't prevent them and they don't take over the machine to the point where you start to think "hang on a minute..... there's something wrong here".
Re: (Score:2)
Use the tools provided (firewall, AV, security zones, certificates for any secure sites you build for your intranet, etc), don't do dodgy shit on your box, and you won't get rooted.
In the past, I've had Windows boxes rooted, I've also had Linux boxes rooted (via sendmail, DNS, etc). Since maintaining/securing them (even half-arsed), I haven't had a problem in the past 10 years.
Hint: "dodgy shit" includes installing "free" shit from untrusted sources.
Re:Dumbass users.. (Score:5, Interesting)
48 hours ago I was notified of a laptop with a rootkit.
And I can tell you now, that laptop wasn't running slowly.
It wasn't redirecting web requests.
It wasn't doing any of the things you might associate with rootkits. Yet after replacing the AV with an alternate product, the alternate product detected several real issues.
Frankly, if I hadn't been notified by our bank (whose security company had managed to get a site shutdown and get a list of all potentially compromised accounts) I would never have had a clue. I concede that the user had admin privs on their laptop but I'm given to understand that even that isn't a huge barrier to a lot of modern rootkits. Thank Christ the bank in question doesn't allow you to do anything without the use of a separate security device they ship you.
Talk about a rock and a hard place. I can't trust the laptop at all, and it was infected while running a regularly-updated copy of Symantec AV Enterprise, which suggests I can't necessarily rely on AV software to do what it says on the tin. Windows is obviously a lost cause unless I want to spend the rest of my life playing whack-a-mole, yet I don't think the Powers that Be will stomach a move to Linux (even though most of them haven't used Windows-specific software in years).
Answers on the back of a postcard....
Re: (Score:3, Insightful)
The network doesn't lie... (Score:3, Interesting)
Dual Boot Linux (Score:2, Insightful)
Linux is so easy now, just dual boot and do banking from Linux. Then your worries would be much reduced.
Re:Dumbass users.. (Score:4, Insightful)
and haven't gotten a virus, rootkit, or other miscellaneous malware in years. ... that made itself known.
Re:Not tech people! (Score:4, Insightful)
Yes, your solution involving non-technical people reading the text of pop-up messages will surely work. Especially a message that looks exactly like some malware, and which they've likely been warned to ignore. The taskbar icon that was added specifically to warn people to "install a firewall/update your browser/ run your AV" didn't work, but adding yet another pop-up will surely work this time.
Re: (Score:2, Insightful)
Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.
I see those words on the screen all the time. The problem is, they're delivered by cleverly-designed socially engineered Malware. The next generation of Malware will do the same thing and imitate the "new" default messages that Windows gives. How many people per day/week/month fall for the same "Your system is compromised, please click here and purchase this product" every day, regardless of the bad grammar and spelling contained in the message? As long as I've been in IT, there still isn't a good way t
Re: (Score:2)
"We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV"
Typical user response:
OMG WTF IS THIS SHIT I JUST WANT TO PLAY ONLINE POKER WHAT IS MICROSOFT DOING I DONT UNDERSTAND!?!?!
Re:Not tech people! (Score:4, Informative)
Rootkits are designed to hide their presence from the operating system. They can hook file system calls and return what looks like the proper version of the file to anything trying to read it. Once something is hooked into the machine at a low enough level, the only way to detect it would be to boot from a non-infected startup disk and scan the infected volume.
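The offline check described in this comment and in the "You don't have to." post above (hash the files on the mounted, not-running volume from known-clean boot media and compare them to a vendor checksum list, treating anything not on the list as suspect), written out as an added example that is not from the page or from any vendor's tool; the sha256sum-style manifest format, the path names and the file contents are constructed assumptions.

```python
"""Offline file-integrity check against a vendor checksum manifest.

Run this from known-clean boot media against the mounted, not-running system
volume. A kernel-mode rootkit on the live system can hook file reads and hand
back the original bytes, so hashing from inside the infected OS proves nothing.
Example code, not any vendor's tool; manifest format and sample files are
constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large driver/system images are not read into RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse sha256sum-style lines: '<hexdigest>  <relative/path>'.

    Paths are normalised to forward slashes so a manifest written on Windows
    matches a volume mounted under Linux. Blank lines and '#' comments are skipped.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip().replace("\\", "/")] = digest.lower()
    return expected


def verify_tree(root: Path, manifest: dict) -> dict:
    """Classify every file under root against the manifest.

    ok       - present and hash matches the vendor value
    modified - present but hash differs (patched in place, or infected)
    unknown  - on disk but absent from the manifest: suspect, quarantine it
    missing  - listed by the vendor but not on disk
    Scope root to system directories; user data is never in a vendor manifest.
    """
    result = {"ok": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            seen.add(rel)
            if rel not in manifest:
                result["unknown"].append(rel)
            elif manifest[rel] != sha256_file(path):
                result["modified"].append(rel)
            else:
                result["ok"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    for key in ("ok", "modified", "unknown"):
        result[key].sort()
    return result


def run_demo() -> dict:
    """Build a constructed stand-in for a system volume and verify it.

    One clean driver, one driver with extra bytes appended, one file the vendor
    never shipped, and one manifest entry with no file on disk.
    """
    root = Path(tempfile.mkdtemp(prefix="offline-check-"))
    (root / "drivers").mkdir()
    (root / "system32").mkdir()
    (root / "drivers" / "alpha.sys").write_bytes(b"clean driver image")
    (root / "drivers" / "beta.sys").write_bytes(b"clean driver image" + b" + appended bytes")
    (root / "system32" / "gamma.dll").write_bytes(b"not shipped by the vendor")
    manifest_text = "\n".join([
        "# constructed vendor manifest",
        hashlib.sha256(b"clean driver image").hexdigest() + "  drivers/alpha.sys",
        hashlib.sha256(b"clean driver image").hexdigest() + "  drivers\\beta.sys",
        hashlib.sha256(b"vendor copy of delta").hexdigest() + "  system32/delta.dll",
    ])
    return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:9s} {files}")
```

Point `verify_tree` at the mounted system directory of the offline volume rather than at user data, since unknown files are only meaningful where the vendor manifest is meant to be exhaustive.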
Re: (Score:2)
I haven't seen this myself - and I have a lot of Windows 7 x64 machines :/.
Re: (Score:2)
I'm not. They probably wipe and reinstall all their lab machines every time they test.
Re: (Score:2)
That's pretty much the case for the labs. We roll out updates internally first to give them a bit of a bash to watch out for issues, but 30k+ systems is not the same as a worldwide launch. Additionally, there aren't really that many user-grade XP systems left here, for obvious reasons.
Re: (Score:2)
Or maybe your issues have nothing to do with this update or the rootkit.