Hackers update rootkit causing Windows blue screens
Resolve conflict with Microsoft update so users don't notice infection
Computerworld - Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed today.
The rootkit, known by a variety of names -- including TDSS, Tidserv and TDL3 -- was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.
Within hours of that update's release, users flooded Microsoft's support forum, reporting that their computers had been incapacitated with a Blue Screen of Death (BSOD). On Thursday, Microsoft stopped shipping the MS10-015 update, which users had linked to the BSODs, and said it was investigating.
Security researchers today said that the makers of TDSS have updated the rootkit so that it no longer conflicts with MS10-015. "The update day before yesterday prevents PCs from getting stuck in the BSOD loop," said Roel Schouwenberg, a researcher with Moscow-based antivirus vendor Kaspersky.
Marc Fossi, a manager of development with Symantec's security response team, said his researchers are also digging into the latest update of the rootkit. "We're still in the process [of investigating], but it does look like the rootkit update is trying to eliminate the conflict that causes the blue screens," Fossi said. The rootkit, which Symantec pegs as Tidserv, updates itself via a "phone home" feature, said Fossi.
The rootkit's authors have reason to hustle out an update, said Schouwenberg and Fossi, who explained that blue-screened PCs are as worthless to the hackers -- who want access to the machines -- as they are to their owners. Worse, the BSODs have revealed to many Windows users that their systems were infected.
"The rootkit exists to be on the system and evading detection," noted Fossi. "On the plus side for users, this incident has helped people discover that they had this running on their computers." And that can't please the hackers.
Although Microsoft said today it has not wrapped up its investigation -- and so has not definitely laid complete responsibility on the rootkit -- Schouwenberg and Fossi said most researchers are convinced that the vast bulk of the BSOD reports were due to the malware. "If a computer has this rootkit and the MS10-015 update is installed, it will blue screen," said Fossi.
Schouwenberg noted that rootkit-infected machines running any flavor of Windows will crash when the MS10-015 update is applied. "This affects every version of Windows," he said, including Vista and Windows 7. "The reason why it's been reported as a Windows XP problem is that the vast majority of infected machines are running XP," Schouwenberg said.
There have been scattered reports on Microsoft's support forum from Vista and Windows 7 users who now have crippled computers.
Symantec has posted a workaround for people who have a blue-screened PC that involves replacing the rootkit-infected driver with a clean copy, while Kaspersky has posted a free utility that seeks out and destroys the rootkit (download .zip file for Windows PCs).
Microsoft has not yet restored the MS10-015 patch to Windows Update, so users can safely download and install all remaining updates issued last week. "Automatic Updates for MS10-015 will remain disabled until our investigation into the restart issues is complete," Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in an e-mail today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!