February 12, 2010

There are indications that the system crashes and the dreaded blue screen of death (BSoD) that many Microsoft Windows users reported suffering after installing this week’s batch of security updates may be caused at least in part by malware infestations on the affected machines.

Patrick W. Barnes, a systems administrator at Cat-man-du, a technology services firm in Amarillo, Texas, said at least three different customers came into his shop with the same blue screen of death after installing Tuesday’s patches on their systems. Barnes said that on closer inspection, he found that each had been previously infected with a rootkit, a set of tools sometimes installed by malware that are designed to hide the presence of the infection on the host system.

Barnes said he traced the problem on each machine back to “atapi.sys” — a Windows storage driver(which lives in %System32\drivers\). When he sent the atapi.sys files that were on the customer machines up for a scan at Virustotal.com, the results suggested malware had injected itself into the system file.

That Virustotal scan pointed at a stealthy rootkit that goes by several different names, including “TDSS” and “Pakes”. For its part, Microsoft’s Security Essentials anti-virus tool detects the invader as Win32/Alureon.A.

Interestingly, Alureon is among the Top 10 threats that Microsoft’s various security technologies — including its “malicious software removal tool” — regularly detect on Windows systems. According Microsoft’s own Security Intelligence Report, Microsoft’s security products removed nearly 2 million instances of Alureon from Windows systems in the first half of 2009 alone, up from a half million in the latter half of 2008.

Barnes said “atapi.sys” makes an attractive target for a rootkit because it is a core Windows component that gets started up early as Windows is first loading. “It’s started up every early in the boot process, and because of that it makes these kinds of threats sometimes very hard to detect and remove,” Barnes said in an telephone interview with krebsonsecurity.com.

Replacing the compromised atapi.sys file with a clean, known-good version will get affected systems booting normally again, Barnes said. He has instructions for doing just that at his blog. You’ll need to have a copy of the Windows installation disc handy.

I’d urge anyone who has already recovered from a BSoD or infinite reboot loop after installing this week’s patches to scan their systems with several different security tools, as the rootkit buried in atapi.sys is likely just there to hide the presence of a larger, more systemic malware infection. Restoring from a known-good backup would be ideal, however most home users sadly do not have backup images to rely upon.

ESET, F-Secure, BitDefender, and several other AV vendors offer free online scanners that can remove malware. In addition, F-Secure offers a free Blacklight tool that does a great job scanning for and removing rootkits. In addition, McAfee‘s free Stinger tool can scan and remove many threats.

56 thoughts on “Rootkit May Be Culprit in Recent Windows Crashes

  1. Pingback: pks4» Blog Archive » WinXP reboots caused when patch meets malware

  2. Pingback: Microsoft Resorts to Blame Games (Against Exploiters of Microsoft’s Own Flaws and Against Google) | Boycott Novell

  3. Pingback: Turkey should pause before a mirror

  4. Pauper

    Say what you will about the different OSs out there, but rootkits are here to stay! Antivirus can’t detect them since they boot before the OS does, so the solution lies in a boot CD that can scan for them on a remote (same machine) drive.

    Since windows machines seem to be the popular target, and without going into discussion as to why, having a database of the system32 files popularly used, as well as CRCs and MD5s of the files would help, especially when comparing live files with their cached versions.

    Possibly a rip on the sysinternals system which connects directly to the MS website to check file integrity and provide file descriptions?

    The market is wide open for such a tool – people would pay big bucks for such a headache reliever – does anyone out there have the programming savvy to write it?

  5. mrmnemo

    You know…I dual boot. Win and Linux ( openBSD until i started talking to myself over it). I can say this….linux is secure due to the file permission structure, the firewall can be set up to be a little more inclusive( i said little lol..) using the iptables or netfilter . However, when a linux box does get rooted IT GETS ROOTED. Also, windows is not so much a bad OS, as its just a overly simplfied OS. What I mean is MS tried to remove to much of the configuration from the user. I think what this did was cause MS coders to have to make a compromise. They either made it PnP all the way and didnt get negative press or not make it plug and play and change end user perception from ” The internet stopped” to ” hey maybe i should check and see if its plugged in”.
    As to linux being a “nich” OS…what rock on what planet have you been living on? I am about to take my LPIC not due to geekieness and self-righteous banter, but cause its real. Many local govs are switching to it. kids in many countries get laptops with it ( for free by the way), A few european auto makers are switching over right now,if you look on distrowatch.com at the hits perday on assorted ditros that should also tell you that its on the rise.

    However, Linux has been compromised by a worm recently. I dont have the link but you can google it. I personally have always thought that windows gets bugs cause zealots write them sometimes….just kidding. both linux and windows have advantages. a a properly secured linux box is SSECURE to the extent a pc connected to the net can be. a windows box properly set up is just getting lucky until the next round of flaws is found in PnP active x oxml or whatever. also consider the tools made available for “script kiddies”. many of the m turn the script kid into a zombie anyways.
    my foodstamps worth

  6. mrmnemo

    almost forgot. any install of linux can put denyhosts on it as well….i am sure windows has the same thing but you might have to buy the triple ultimate black box win 7 galactica version to get it.

    f*ing marketing and repackaging with MS. lol

Comments are closed.