Microsoft confirmed today that the recent spate of Windows XP crashes and blue-screens experienced by people who installed this month’s batch of security updates were found mainly on systems that were already infected with a rootkit, a tool designed to hide malware infestations on host computers.
The folks at Redmond initially suspected rootkits may have played a part in the interminable reboot loops that many Windows users suffered from following February’s Patch Tuesday, but the company also said that it couldn’t rule out the possibility that third-party hardware and software conflicts might have also been to blame. Today, Microsoft rejected the latter possibility, and said it had concluded that the reboot occurs because the system is infected with malware, specifically the Alureon Rootkit.
“We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software,” wrote Mike Reavey, director of the Microsoft Security Response Center. “The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015.”
Indeed, as I noted in a post earlier this week, Alureon is among the Top 10 threats that Microsoft’s various security technologies — including its “malicious software removal tool” — regularly detect on Windows systems. According Microsoft’s own Security Intelligence Report, Microsoft’s security products removed nearly 2 million instances of Alureon from Windows systems in the first half of 2009 alone, up from a half million in the latter half of 2008. [Microsoft's malicious software removal tool is a download offered through automatic update and Windows update that runs in the background once a month, and removes any malware it finds.]
Microsoft’s guidance for people who have been affected by this leaves a bit to be desired. The company says users should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software. Microsoft also says it is working on a simpler solution to detect and remove Alureon from affected systems which should be released in a few weeks, as are several other third party vendors.
Obviously, if you are having trouble getting out of the reboot loop caused by this patch+infection, you are not going to be able scan your system with a traditional anti-virus program. I have posted instructions here on how to manually remove both the problematic patch and the infected system files. But folks who have recovered their systems through these methods should strongly consider scanning their systems for additional malware with several anti-virus tools. I list a few free online scanners at this blog post, but be aware most of those require users to install ActiveX controls and to use Internet Explorer.
If you want to be doubly sure, I would suggest booting your computer into a Live CD solution that is centered around removing virus infections, such as the AVAST! Bart CD or LinuxDefender Live! I wrote a short tutorial on how to burn and boot into a live CD at this link here.