There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.
Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.
Barnes said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver(which lives in %System32\drivers\). When he sent the atapi.sys files that were on the customer machines up for a scan at Virustotal.com, the results suggested malware had injected itself into the system file.
That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.
Interestingly, Alureon is among the Top 10 threats that Microsoft’s various security technologies — including its “malicious software removal tool” — regularly detect on Windows systems. According Microsoft’s own Security Intelligence Report, Microsoft’s security products removed nearly 2 million instances of Alureon from Windows systems in the first half of 2009 alone, up from a half million in the latter half of 2008.
Barnes said “atapi.sys” makes an attractive target for a rootkit because it is a core Windows component that gets started up early as Windows is first loading. “It’s started up every early in the boot process, and because of that it makes these kinds of threats sometimes very hard to detect and remove,” Barnes said in an telephone interview with krebsonsecurity.com.
Replacing the compromised atapi.sys file with a clean, known-good version will get affected systems booting normally again, Barnes said. He has instructions for doing just that at his blog. You’ll need to have a copy of the Windows installation disc handy.
I’d urge anyone who has already recovered from a BSoD or infinite reboot loop after installing this week’s patches to scan their systems with several different security tools, as the rootkit buried in atapi.sys is likely just there to hide the presence of a larger, more systemic malware infection. Restoring from a known-good backup would be ideal, however most home users sadly do not have backup images to rely upon.
ESET, F-Secure, BitDefender, and several other AV vendors offer free online scanners that can remove malware. In addition, F-Secure offers a free Blacklight tool that does a great job scanning for and removing rootkits. In addition, McAfee‘s free Stinger tool can scan and remove many threats.