Page 1 of 2
Results 1 to 10 of 13
  1. #1
    Experienced User

    New MS patch Causing BSoD due to rootkit

    A critical system update released on Tuesday (a vulnerability affecting all OS versions except 64-bit Windows 7) was first reported to be causing a Blue Screen of Death on some XP systems: Windows Updates Cause BSOD on XP Systems

    However, developments throughout the day increasingly indicate that the affected systems are ones suffering from a rootkit infection. The increasingly interesting replies to Brian Krebs's article are quite informative.

    One commenter said:
    "Hitman Pro 3.5 is the only public AV that is able to detect and properly remove the rootkit, for free. .... Since November 11, Hitman Pro cleaned over 16,000 TDL3 infections. That should say something about the spreading of this rootkit."
    Many of the replies are very informative.

    Just a while ago, Krebs posted an update: Rootkit May Be Culprit in Recent Windows Crashes

    Among the replies I found a link to a more technical article (Nov. '09) about this type of rootkit and how it can be removed: [TDL3 Rootkit] New Rootkit on the loose ...

    Kaspersky fans will be happy to hear that one replier, joemessman, was able to detect and remove the rootkit with Kaspersky's TDSSKiller.

    He also reported that his testing showed that none of the following were able to detect it:
    * F-Secure Blacklight
    * RootkitRevealer
    * Windows Malicious Software Removal Tool
    * ProcessGuard
    * Rootkit Hunter (Linux and BSD)

    And I found it highly interesting that one replier reported that this rootkit is VM-aware and won't install itself on a virtual machine.

  2. #2
    Modern-day Romeo
    Interesting news... although I'm not going to pursue this matter more than what I've read here...
    They call me the mysterious one...
    my motto is...when it's hot, chill baby

  3. #3
    Moderator
    And the Microsoft Fix it team has made a fix to address this issue available here:

    http://support.microsoft.com/kb/979682

    Now I wonder why only some XP users got this issue and no Windows Vista/7 users complained.
    As far as I know, Vista and Windows 7 are not invulnerable to rootkits.

  4. #4
    Modern-day Romeo
    @leofelix

    The only reason I can think of right now is that Vista and Win7 are supposedly more 'secure' OSes than XP is in its 'virgin state'... and furthermore Vista and Win7 are 'improved' and users tend to face fewer BSODs using these OSes as compared to XP (at least that's how MS tells the story)....

  5. #5
    Experienced User
    * Windows Malicious Software Removal Tool
    If MRT detects it, anyone that installed that patch should have detected it... I don't think there are a lot of users affected...

  6. #6
    Moderator
    Quote Originally Posted by safeguy
    @leofelix

    (at least that's how MS tells the story)....

    LOL

    Well, even though I like Windows 7, I have had 4 BSODs since I installed Windows 7 Ultimate 32-bit less than a month ago.

    Some examples of Windows 7 BSODs which some users have experienced:

    http://arstechnica.com/microsoft/news/2010/02/windows-7-stability-update-breaks-stability-for-some-users.ars

    http://support.microsoft.com/kb/979444

    http://support.microsoft.com/kb/976972
    Quote Originally Posted by noaccount
    If MRT detects it, anyone that installed that patch should have detected it... I don't think there are a lot of users affected...
    Ehm, no, unfortunately MRT cannot detect most of the TDSS rootkits.

    Quote Originally Posted by jelson
    He also reported that his testing showed that none of the following were able to detect it:
    * F-Secure Blacklight
    * RootkitRevealer
    * Windows Malicious Software Removal Tool
    * ProcessGuard
    * Rootkit Hunter (Linux and BSD)
    Last edited by leofelix; 02-16-2010 at 06:35 AM. Reason: Automerged Doublepost

  7. #7
    Experienced User
    Eek, glad I'm not using XP anymore. Misread that - are you suggesting this was targeted?

  8. #8
    Moderator
    Quote Originally Posted by noaccount
    Eek, glad I'm not using XP anymore. Misread that - are you suggesting this was targeted?
    I do not know.
    I only think that it cannot be accidental that only (some) machines running XP have been affected when that patch was applied.
    Last edited by leofelix; 02-16-2010 at 11:46 AM.

  9. #9
    Experienced User
    The good news is that the TDL3 authors care about us, and within a couple of hours they released a new, updated version of the rootkit compatible with the Microsoft patch.
    Read here: http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
    Life is all about ass; you're either covering it, laughing it off, kicking it, kissing it, busting it, trying to get a piece of it, or behaving like one.

  10. #10
    Moderator
    Quote Originally Posted by thathagat
    The good news is that the TDL3 authors care about us, and within a couple of hours they released a new, updated version of the rootkit compatible with the Microsoft patch.
    Read here: http://www.prevx.com/blog/143/BSOD-after-MS-TDL-authors-apologize.html
    LOL

    More exactly, the TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem resides in the laziness of the rootkit writers when writing the driver infection routine.

    When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the addresses of the wanted functions.

    This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted. At system restart, the rootkit code tries to call a non-valid address, and this causes the BSOD.
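The offset-hardcoding failure described in the post above, as an added example in C that is not part of the original thread and not the rootkit's code: two constructed, simplified in-memory "kernel images" carrying a PE-style export directory (the export names are real ntoskrnl exports; the RVAs, the image layout, the one-byte function stubs and the fixed export-directory offset are assumptions made for the example). A dropper-style lookup resolves an API once and stores the RVA; the same RVA is then applied to the updated image, where it no longer lands on a function entry, which is the invalid call the post describes. Re-resolving by name against whatever image is actually loaded survives the update.

```c
/* Added example, not from the original post and not the rootkit's code:
 * why a kernel-API RVA stored at infection time breaks after a kernel update.
 * The "kernel images" are constructed: a flat buffer where RVA == offset (as
 * for an image mapped in memory) with a PE-style export directory at an
 * assumed fixed offset (a real resolver finds it via the PE data directory). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE     0x2000
#define EXPORT_DIR_RVA 0x200   /* assumed location of the export directory */
#define CODE_BASE      0x1000  /* start of the "code" region */
#define OP_RET         0xC3    /* one-byte stub marking a real function entry */
#define OP_INT3        0xCC    /* filler: a call landing here is invalid */

/* Field layout of IMAGE_EXPORT_DIRECTORY (winnt.h), redefined so the example
 * builds without Windows headers. Address fields are RVAs. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_directory;

typedef struct { const char *name; uint32_t rva; } export_spec;
typedef struct { uint8_t bytes[IMAGE_SIZE]; } kernel_image;

/* memcpy accessors: the tables inside the image need not be aligned. */
static uint32_t rd32(const kernel_image *g, uint32_t r) { uint32_t v; memcpy(&v, g->bytes + r, 4); return v; }
static uint16_t rd16(const kernel_image *g, uint32_t r) { uint16_t v; memcpy(&v, g->bytes + r, 2); return v; }
static void wr32(kernel_image *g, uint32_t r, uint32_t v) { memcpy(g->bytes + r, &v, 4); }
static void wr16(kernel_image *g, uint32_t r, uint16_t v) { memcpy(g->bytes + r, &v, 2); }

/* Fill the image with INT3, write the export directory and its three tables,
 * and put a RET stub at every exported RVA. */
static void build_image(kernel_image *img, const export_spec *specs, uint32_t n)
{
    export_directory dir = {0};
    uint32_t funcs_rva = EXPORT_DIR_RVA + (uint32_t)sizeof dir, names_rva = funcs_rva + n * 4;
    uint32_t ords_rva = names_rva + n * 4, str_rva = ords_rva + n * 2;
    memset(img->bytes, OP_INT3, IMAGE_SIZE);
    for (uint32_t i = 0; i < n; i++) {
        wr32(img, funcs_rva + i * 4, specs[i].rva);
        wr32(img, names_rva + i * 4, str_rva);
        wr16(img, ords_rva + i * 2, (uint16_t)i);   /* name i -> function slot i */
        strcpy((char *)img->bytes + str_rva, specs[i].name);
        str_rva += (uint32_t)strlen(specs[i].name) + 1;
        img->bytes[specs[i].rva] = OP_RET;
    }
    dir.Base = 1;
    dir.NumberOfFunctions = dir.NumberOfNames = n;
    dir.AddressOfFunctions = funcs_rva; dir.AddressOfNames = names_rva;
    dir.AddressOfNameOrdinals = ords_rva;
    memcpy(img->bytes + EXPORT_DIR_RVA, &dir, sizeof dir);
}

/* Constructed layouts: real ntoskrnl export names, invented RVAs. The
 * post-patch build moves every function, as a kernel update does. */
void build_kernel(kernel_image *img, int post_patch)
{
    export_spec spec[3] = {
        { "ExAllocatePool", CODE_BASE + 0x000 },
        { "IoCreateDevice", CODE_BASE + 0x040 },
        { "KeBugCheckEx",   CODE_BASE + 0x080 },
    };
    if (post_patch)
        for (int i = 0; i < 3; i++) spec[i].rva += 0x20u * (uint32_t)(i + 1);
    build_image(img, spec, 3);
}

/* Patch-resilient lookup: walk the export name table of the image that is
 * actually loaded, as the loader does. Returns 0 if the name is not exported. */
uint32_t resolve_export(const kernel_image *img, const char *name)
{
    export_directory dir;
    memcpy(&dir, img->bytes + EXPORT_DIR_RVA, sizeof dir);
    for (uint32_t i = 0; i < dir.NumberOfNames; i++) {
        if (strcmp((const char *)img->bytes + rd32(img, dir.AddressOfNames + i * 4), name) != 0)
            continue;
        uint16_t ord = rd16(img, dir.AddressOfNameOrdinals + i * 2);
        return rd32(img, dir.AddressOfFunctions + ord * 4u);
    }
    return 0;
}

/* Would a call through this RVA land on a real function entry? */
int is_function_entry(const kernel_image *img, uint32_t rva)
{
    return rva < IMAGE_SIZE && img->bytes[rva] == OP_RET;
}

int main(void)
{
    static kernel_image pre, post;                 /* before / after the update */
    build_kernel(&pre, 0); build_kernel(&post, 1);
    uint32_t stored = resolve_export(&pre, "ExAllocatePool");   /* dropper hard-codes this */
    printf("stored RVA 0x%04x: valid before update %d, after update %d (<- BSOD)\n",
           stored, is_function_entry(&pre, stored), is_function_entry(&post, stored));
    uint32_t fresh = resolve_export(&post, "ExAllocatePool");   /* re-resolved at boot */
    printf("re-resolved RVA 0x%04x: valid after update %d\n", fresh, is_function_entry(&post, fresh));
    return 0;
}
```

The stale RVA is only invalid here because it lands on filler; in the constructed post-patch layout the old KeBugCheckEx RVA (0x1080) coincides with the new IoCreateDevice entry, which shows the other failure mode of a hard-coded offset: a call that does not crash but silently reaches the wrong function.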
