February 12, 2010

There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.

Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.

Barnes said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver(which lives in %System32\drivers\). When he sent the atapi.sys files that were on the customer machines up for a scan at Virustotal.com, the results suggested malware had injected itself into the system file.

That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.

Interestingly, Alureon is among the Top 10 threats that Microsoft’s various security technologies — including its “malicious software removal tool” — regularly detect on Windows systems. According Microsoft’s own Security Intelligence Report, Microsoft’s security products removed nearly 2 million instances of Alureon from Windows systems in the first half of 2009 alone, up from a half million in the latter half of 2008.

Barnes said “atapi.sys” makes an attractive target for a rootkit because it is a core Windows component that gets started up early as Windows is first loading. “It’s started up every early in the boot process, and because of that it makes these kinds of threats sometimes very hard to detect and remove,” Barnes said in an telephone interview with krebsonsecurity.com.

Replacing the compromised atapi.sys file with a clean, known-good version will get affected systems booting normally again, Barnes said. He has instructions for doing just that at his blog. You’ll need to have a copy of the Windows installation disc handy.

I’d urge anyone who has already recovered from a BSoD or infinite reboot loop after installing this week’s patches to scan their systems with several different security tools, as the rootkit buried in atapi.sys is likely just there to hide the presence of a larger, more systemic malware infection. Restoring from a known-good backup would be ideal, however most home users sadly do not have backup images to rely upon.

ESET, F-Secure, BitDefender, and several other AV vendors offer free online scanners that can remove malware. In addition, F-Secure offers a free Blacklight tool that does a great job scanning for and removing rootkits. In addition, McAfee‘s free Stinger tool can scan and remove many threats.


43 thoughts on “Rootkit May Be Culprit in Recent Windows Crashes

  1. Carl "SAI" Mitchell

    Remember that no removal tool run from a rooted system can be sure to remove (or even detect) the rootkit. Always scan with a known-good boot cd.

    1. Dirk

      I understand that principle and use a live-CD every time I don’t trust a system for 100%. But where to find a live cd that knows enough about the latest Windows malware? So I can use it to be sure my system is save.

  2. xAdmin

    Nuke It From Orbit. (it’s the only way to be sure)!

    Rootkit = save data, format hard drive and re-install from scratch. Of course, as I always say, an ounce of prevention is worth a pound of cure.

    Also, I sound like a broken record, but regularly backing up your data is a very important part of a defense in depth strategy. It’s what will save your arse (data) when all other defenses fail!

    1. xAdmin

      It’s probably a good idea too to change all your passwords for online stuff, especially sensitive ones. Of course, do it from a known clean and secure system. With a rootkit or nasty malware of this nature, who knows what information has been lifted off the infected system!

  3. Simon Zerafa

    Hi,

    The rootkit in question is not really part of the TDSS family but may be the work of the same author.

    It is referred to as TDL3 and is updating rapidly and spreading via an unpatched vulnerability in the Windows printer spool service. The current version is v3.241 and the dropper packages and payload vary enough to slip past even the better AV packages.

    It is primarily spread via the same routes as fake antimalware and is often not removed as it’s quite difficult to detect unless you specifically look for it.

    The main symptom users report is redirection of Google and other searches to non-related sites.

    This rootkit can be removed without an OS reinstall by a competent repair technician using specialist tools or one of a few tools which will detect and remove it.

    See the Podnutz Forum posting here:

    http://www.podnutz.com/forums/viewtopic.php?f=26&t=1633

    for more information as it’s discovered.

    Kind Regards

    Simon Zerafa
    Simon’s PC Services

    1. Tom Seaview

      I usually check for this family of rootkits by searching Google for “free avg download.” An uninfested machine will find free.avg.com as one of the top results, and will successfully navigate to it. A machine with this rootkit family will redirect to various sites.

    2. AlphaCentauri

      oops:

      Domain Name: podnutz.com

      Expiration Date: 2010-02-12
      Creation Date: 2007-02-12
      Last Update Date: 2009-02-12

      Unfortunately, they will probably have difficulty getting that domain name back after all this publicity for it.

  4. Tom Seaview

    I got panned for suggesting this in the last thread. Turns out I was right.

  5. Jeff Groves

    Perhaps M$ would be well served to allow even pirated copies of Windows XP to install this security update. Might wipe out entire botnets….

    1. Ned

      They have done so at least once in the past, and I think they didn’t see any personal benefit from continuing. It could potentially hurt the company financially since it encourages piracy of their OS.

      They sometimes even restrict legitimate licensees from patching when license keys get leaked. I once traveled to Canada with a licensed copy and when I tried to patch, it gave me an error that I must do so from my home state. Thankfully they reissued the keys and now I can update from anywhere.

    2. KFritzf

      MS does let pirated OS’s download security updates and the Malicious Software Removal Tool, but not Security Esssentials.

  6. brucerealtor

    Brian

    I notice that you did not mention Malwarebytes Antimalware along with the suggested remedies.

    Any particular reason?

    1. Simon John Zerafa

      Hi,

      Once the TDL3 rootkit is running on a PC, very few tools will find it.

      Malwarebytes won’t and neither does SuperAntiSpyware unfortunately.

      Read the links on my earlier post for more information; this rootkit is changing rapidly and tools which work today may not work tomorrow.

      Kind Regards

      Simon

        1. Simon Zerafa

          Hi,

          Podnutz.com is working fine here as is the forum.

          Kind Regards

          Simon

  7. MowGreen

    ” Perhaps M$ would be well served to allow even pirated copies of Windows XP to install this security update. ”

    I’m don’t know where the misinformation stems from since Microsoft allows *any* Windows system to install Security updates as long as it’s still in any Support phase.
    http://www.microsoft.com/genuine/downloads/FAQ.aspx?

    ” Q:Do security updates require validation?
    A: Security updates are not part of WGA or OGA. You can install security updates using the Windows Automatic Updates feature or download them from the Download Center. “

  8. Don Barry

    Simple. If you run a proprietary operating system, then you are making it and its owners your master. They do not have your best interests at heart.

    Run a free/libre operating system with a community that shares with one another, and you are each the master of your domain, with many peers to help you. I recommend Debian.

    Those of you who choose Microsoft (or Apple — they are just as evil) out of convenience today will continue to pay the price tomorrow.

  9. jim smith

    That open-source zealotry and attitude is why no one invites you to parties.

    A linux-based system is more dangerous in the hands of someone who doesn’t know how to secure it than any Windows variant any day.

  10. Terry Cole

    Eh?
    “A linux-based system is more dangerous in the hands of someone who doesn’t know how to secure it than any Windows variant any day”.

    I’m retired now but that flies in the face of everything I experienced in a dozen years of running a department with over a thousand machines of all types.

    Best counterexample would be my student daughters whose cheap-as-chips Asus EeePCs came with Linux. Both their Windows desktops suffered malware repeatedly. The Linux – whether the original Xandros or the replacement, Ubuntu – never once.

  11. The Mad Hatter

    Ever notice how all the malware targets Windows? There’s a reason. The Windows security policy is flawed, and has always been flawed. Switching to a computer running OSX, GNU/Linux, BSD, or Solaris will stop malware attacks cold.

    Of course if you like malware, stick with Windows. That’s your choice.

  12. Robert_C

    i totally agree with the comments that Terry Cole & The Mad Hatter posted.
    i got my first PC in 1998 with Win98 on it & in the three years i used windows, i saw nothing but a constant barrage of viruses. it was a good thing that i kept my antivirus updated, however, constantly watching out for malware got tiresome. i started experimenting with GNU/Linux in 2000. at that time, Microsoft was hyping up Windows XP as being the most secure operating system that they released to date. it was not even two weeks after it’s release that there were serious security patches released followed by a service pack. in 2001, i decided to dump windows completely & i have been using GNU/Linux exclusively since. i have never had any malware exploits or intrusions in any of my Linux installations.

    i also would like to mention that Microsoft is still hyping it’s latest releases as being the most secure. i call that a oxymoron.

    Microsoft just does not get the concept of security…ether by design or incompetence, their products should be shunned & ridiculed until they get their act together.

    1. xAdmin

      “i have never had any malware exploits or intrusions in any of my Linux installations.”

      That doesn’t prove Linux is any more secure. Because I can say the same thing about all my Windows installations since 1995. Tell me how is that possible if Windows is so fatally flawed and Microsoft just doesn’t get security? Seriously?

      1. Robert_C

        “That doesn’t prove Linux is any more secure”

        maybe my one post does not provide proof, however, i can testify that in the last 10 years of using GNU/Linux on the web (without running Anti-Virus, Anti-Spyware software), that i was able to surf the web & not pick up rootkits or viruses or malware at all, period. you will most likely get the same testament from other Linux users.

        the Linux kernel is secure because it was designed to be secure. however, Microsoft Windows did not consider security a priority until after the internet concept got popular. it was after that, when Microsoft “bolted on” security to legacy code.

        “Tell me how is that possible if Windows is so fatally flawed and Microsoft just doesn’t get security? Seriously?”

        like i said in the above statement, however, Microsoft’s insistence on using dangerous technology like Active-X & adding propriatory extentions to standards compliant protocols while not heeding advice from the industry regarding safe coding practices just adds more problems.

        as i stated in another post, this article is about a critical system file that got changed by a trojen that was downloaded by a remote exploit.

        this kind of crap does not happen in Linux desktop installations unless they were intentionally improperly installed & / or the owner had SSH installed & enabled with no password & had a weak root password or running as root.
        Linux does not have Active-X, or a scripting host that has root access.
        all of the system files in Linux are protected because they use unix style permissions & users cannot change or modify them.

        if microsoft would have just used Unix style file permissions & did away with Active-X in Win-XP, these security problems would have virtually vanished

        1. xAdmin

          Granted, *nix OS’s are configured more secure out of the box. But, it’s not difficult to properly secure a Windows system that equals or surpasses that config using defense in depth techniques.

          As to these “dangerous” technologies, how is it I’ve used them since 1995 and haven’t been compromised in any way? It’s not so much about the technology, but about how you configure and use it! It’s about risk management.

          I really have no qualms with any non-Microsoft OS or whether someone wishes to use them. I just don’t agree with the mentality that Windows or various other Microsoft products are inherently insecure or dangerous. So, I don’t subscribe to denigrating them and touting alternatives as any real solution to the general public. To do so is just disingenuous.

        2. AlphaCentauri

          Don’t conflate Internet Explorer with the Windows operating system. The people here who have been using Windows without incident probably never use IE. It’s an abomination.

          Some websites require IE, and some of them are sites that business users have no choice but to interact with. MS is under pressure to continue the current insecure default configuration of IE in order to avoid “breaking” those websites. I wish someone at MS would grow a pair and tell those websites that ActiveX will no longer be enabled by default, give them a decent interval to rewrite their websites, then do what they know they need to do to make the default configuration of IE more secure for naive users.

  13. MowGreen

    The Mad Hatter mumbled: “Ever notice how all the malware targets Windows? There’s a reason.”

    Could that reason be that the *vast majority* of computers have Windows installed ? Well, duh.

    Security by obscurity only goes so far. When, not if, the use of Macs reaches 10% of installed platforms, then the criminals will target them, too. Mac Users are going to be easily Socially Engineered as Apple has convinced them that their OS is Secure.

    As far as the use of Linux goes …
    Linux will never be an option for most Users since the ‘nix ‘community’ is composed of self-righteous, intolerant, anti-social zealots.
    ” Welcome to Linux, now go RTFM you ‘tard ”

    Perhaps I need to smoke whatever Mad Hatter is smoking ?

    1. AlphaCentauri

      Just because a server is running a less common operating system like *nix doesn’t make it immune. Although there are more Windows machines, the Unix ones are desirable because they tend to be larger servers. And as mentioned, the owners have been told they don’t need to worry about getting infected by trojans.

      The “My Canadian Pharmacy” scam websites are known for using hijacked Unix servers running the tirqd trojan. (See http://spamtrackers.eu/wiki/index.php/My_Canadian_Pharmacy#Discovering_Hijacked_Servers ).

      You can see one of their websites right now at benurgymfoa.com, hosting its images on several hijacked servers. Here’s one:
      http://132.206.141.3/images/mcp/logo.jpg
      That’s a hijacked server running Linux at McGill University. (That server is only located in Canada by coincidence; the criminals running the sites actually have nothing to do with Canada, nor with St. Louis, MO, the home of the person whose identity was stolen for the domain registration.)
      There’s also
      http://69.169.164.46/images/mcp/logo.jpg
      which is a heating and cooling company in Utah running Linux.
      There are also servers in China, Phillipines, Venezuela, and Turkey being used for the same website and which are probably also hijacked, though it’s harder to know for sure in those cases.

    2. ringofyre

      As far as the use of Linux goes …
      Linux will never be an option for most Users since the ‘nix ‘community’ is composed of self-righteous, intolerant, anti-social zealots.
      ” Welcome to Linux, now go RTFM you ‘tard ”

      Never once in 16 years having run and administered various distros have I ever come across or displayed that attitude. Time to reintroduce yourself to your myopic, gullible man pages.

      1. MowGreen

        ringofyre claims:

        ” Never once in 16 years having run and administered various distros have I ever come across or displayed that attitude. Time to reintroduce yourself to your myopic, gullible man pages. ”

        Really ? Then perhaps you need to read the comments posted to this article. They are exactly the kind of comments that are posted from “Linux zealots” that are generated by *any* article that discusses Windows:

        Restart issues after installing MS10-015? Microsoft wants your help!
        http://blogs.zdnet.com/hardware/?p=7330

        I won’t bother calling you any names as that appears to be a specialty of the ‘nixers and WinNutz.
        BTW, I do run Portable Ubuntu on Windows 7 but I’m not a name calling, intolerant OS zealot. I just look like one.

    3. xAdmin

      While I really don’t care what OS someone chooses to use. It should be noted that the desktop wars are over. Linux remains a niche OS. Windows still dominates the computer ecosystem with 90+% of the market.

      Although there were calls years ago that Linux was going to give Windows a run for its money in the near future, Linux has fallen off the face of the map from a usage perspective. While there are probably more people using Linux on the PC desktop today than ever before, Linux simply hasn’t kept up with overall PC industry growth. While Mac OS X has crept up. Linux, at best, is flat.

      Security by obscurity! ;P

      1. Robert_C

        Spoken like a true Microsoft evangelist.
        are you being paid from Wagner-Edstrom for shilling for microsoft under their “perception management” program, or are you a microsoft employee.
        enquiring minds want to know.

        all i can say is that because of you stating them false facts, just like all of the other microsoft shills, all over the net, is the dead giveaway that you are, in fact, one of them. they all post the same thing word by word.

  14. Brandon

    I used vipre, and it found the rootkit file, and successfully deleted it.

    I was visiting my parents this weekend. They had the BSOD since tuesday on their XP machine. I changed the atapi file, through repair. I was then able to boot, and ran vipre full system scan, it found it in the last few minutes of the scan.

  15. Robert_C

    @alphacentauri
    “Just because a server is running a less common operating system like *nix doesn’t make it immune. Although there are more Windows machines, the Unix ones are desirable because they tend to be larger servers. And as mentioned, the owners have been told they don’t need to worry about getting infected by trojans”

    in the first place, the unix server was not comprised by a remote exploit, in most cases, it was because of the administers incompetence by having SSH enabled with weak or no passwords, thus making it easy for someone to take control of the “root” account on the server & installing the malware.
    otherwise, the server was still working & doing it’s job & did not crash or go down.

    this Article however, is discussing how a critical system file has been changed by malware in windows just by a trojan that most likely was picked up by IE just by landing on a webpage that had the exploit.
    this IS considered a remote exploit.
    the users that was affected by this issue had no idea that this trojan existed on their PC. apparently, their antivirus did not work or even notify the owner/user that there was a system file compremise.

    another thing to point out is that
    desktop Linux & Linux servers are two different things. if i go to a website that would infect a windows PC, in Linux, not having WINE installed, nothing happens.
    also, *Most* Linux users are security minded & we don’t run as root on the internet.

  16. PhantomTramp

    Dr. Web’s boot CD finds and cleans this one. That’s how we found out about it. GMER, I think, sees it, too…

    The Tramp

  17. JBV

    Brian:

    I’m confused. You say that the “malicious software removal tool” regularly detects this threat. Does that mean it removes it?

  18. Al

    Some more info on the Tidserv/TDL3 malware and the Microsoft MS10-015/KB977165 patch.

    Symantec’s analysis of MS Patch, Tidserv malware, and resulting blue screen of death:
    http://www.symantec.com/connect/blogs/tidserv-and-ms10-015

    PrevX story about updated patch-compatible version of Tidserv rootkit:
    http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologizehtml
    (Sarcastically, PrevX said that the)
    “Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch.”

  19. Pauper

    Say what you will about the different OSs out there, but rootkits are here to stay! Antivirus can’t detect them since they boot before the OS does, so the solution lies in a boot CD that can scan for them on a remote (same machine) drive.

    Since windows machines seem to be the popular target, and without going into discussion as to why, having a database of the system32 files popularly used, as well as CRCs and MD5s of the files would help, especially when comparing live files with their cached versions.

    Possibly a rip on the sysinternals system which connects directly to the MS website to check file integrity and provide file descriptions?

    The market is wide open for such a tool – people would pay big bucks for such a headache reliever – does anyone out there have the programming savvy to write it?

  20. mrmnemo

    hehe,
    You know…I dual boot. Win and Linux ( openBSD until i started talking to myself over it). I can say this….linux is secure due to the file permission structure, the firewall can be set up to be a little more inclusive( i said little lol..) using the iptables or netfilter . However, when a linux box does get rooted IT GETS ROOTED. Also, windows is not so much a bad OS, as its just a overly simplfied OS. What I mean is MS tried to remove to much of the configuration from the user. I think what this did was cause MS coders to have to make a compromise. They either made it PnP all the way and didnt get negative press or not make it plug and play and change end user perception from ” The internet stopped” to ” hey maybe i should check and see if its plugged in”.
    As to linux being a “nich” OS…what rock on what planet have you been living on? I am about to take my LPIC not due to geekieness and self-righteous banter, but cause its real. Many local govs are switching to it. kids in many countries get laptops with it ( for free by the way), A few european auto makers are switching over right now,if you look on distrowatch.com at the hits perday on assorted ditros that should also tell you that its on the rise.

    However, Linux has been compromised by a worm recently. I dont have the link but you can google it. I personally have always thought that windows gets bugs cause zealots write them sometimes….just kidding. both linux and windows have advantages. a a properly secured linux box is SSECURE to the extent a pc connected to the net can be. a windows box properly set up is just getting lucky until the next round of flaws is found in PnP active x oxml or whatever. also consider the tools made available for “script kiddies”. many of the m turn the script kid into a zombie anyways.
    my foodstamps worth

  21. mrmnemo

    almost forgot. any install of linux can put denyhosts on it as well….i am sure windows has the same thing but you might have to buy the triple ultimate black box win 7 galactica version to get it.

    f*ing marketing and repackaging with MS. lol

Comments are closed.