Hackers update rootkit causing Windows blue screens
Resolve conflict with Microsoft update so users don't notice infection
Computerworld - Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed today.
The rootkit, known by a variety of names -- including TDSS, Tidserv and TDL3 -- was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.
Within hours of that update's release, users flooded Microsoft's support forum, reporting that their computers had been incapacitated with a Blue Screen of Death (BSOD). On Thursday, Microsoft stopped shipping the MS10-015 update, which users had linked to the BSODs, and said it was investigating.
Security researchers today said that the makers of TDSS have updated the rootkit so that it no longer conflicts with MS10-015. "The update day before yesterday prevents PCs from getting stuck in the BSOD loop," said Roel Schouwenberg, a researcher with Moscow-based antivirus vendor Kaspersky.
Marc Fossi, a manager of development with Symantec's security response team, said his researchers are also digging into the latest update of the rootkit. "We're still in the process [of investigating], but it does look like the rootkit update is trying to eliminate the conflict that causes the blue screens," Fossi said. The rootkit, which Symantec pegs as Tidserv, updates itself via a "phone home" feature, said Fossi.
The rootkit's authors have reason to hustle out an update, said Schouwenberg and Fossi, who explained that blue-screened PCs are as worthless to the hackers -- who want access to the machines -- as they are to their owners. Worse, the BSODs have revealed to many Windows users that their systems were infected.
"The rootkit exists to be on the system and evading detection," noted Fossi. "On the plus side for users, this incident has helped people discover that they had this running on their computers." And that can't please the hackers.
Although Microsoft said today it has not wrapped up its investigation -- and so has not definitely laid complete responsibility on the rootkit -- Schouwenberg and Fossi said most researchers are convinced that the vast bulk of the BSOD reports were due to the malware. "If a computer has this rootkit and the MS10-015 update is installed, it will blue screen," said Fossi.
Schouwenberg noted that rootkit-infected machines running any flavor of Windows will crash when the MS10-015 update is applied. "This affects every version of Windows," he said, including Vista and Windows 7. "The reason why it's been reported as a Windows XP problem is that the vast majority of infected machines are running XP," Schouwenberg said.
There have been scattered reports on Microsoft's support forum from Vista and Windows 7 users who now have crippled computers.
Symantec has posted a workaround for people who have a blue-screened PC that involves replacing the rootkit-infected driver with a clean copy, while Kaspersky has posted a free utility that seeks out and destroys the rootkit (download .zip file for Windows PCs).
Microsoft has not yet restored the MS10-015 patch to Windows Update, so users can safely download and install all remaining updates issued last week. "Automatic Updates for MS10-015 will remain disabled until our investigation into the restart issues is complete," Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in an e-mail today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts