Hackers update rootkit causing Windows blue screens
Resolve conflict with Microsoft update so users don't notice infection
Computerworld - Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed today.
The rootkit, known by a variety of names -- including TDSS, Tidserv and TDL3 -- was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.
Within hours of that update's release, users flooded Microsoft's support forum, reporting that their computers had been incapacitated with a Blue Screen of Death (BSOD). On Thursday, Microsoft stopped shipping the MS10-015 update, which users had linked to the BSODs, and said it was investigating.
Security researchers today said that the makers of TDSS have updated the rootkit so that it no longer conflicts with MS10-015. "The update day before yesterday prevents PCs from getting stuck in the BSOD loop," said Roel Schouwenberg, a researcher with Moscow-based antivirus vendor Kaspersky.
Marc Fossi, a manager of development with Symantec's security response team, said his researchers are also digging into the latest update of the rootkit. "We're still in the process [of investigating], but it does look like the rootkit update is trying to eliminate the conflict that causes the blue screens," Fossi said. The rootkit, which Symantec pegs as Tidserv, updates itself via a "phone home" feature, said Fossi.
The rootkit's authors have reason to hustle out an update, said Schouwenberg and Fossi, who explained that blue-screened PCs are as worthless to the hackers -- who want access to the machines -- as they are to their owners. Worse, the BSODs have revealed to many Windows users that their systems were infected.
"The rootkit exists to be on the system and evading detection," noted Fossi. "On the plus side for users, this incident has helped people discover that they had this running on their computers." And that can't please the hackers.
Although Microsoft said today it has not wrapped up its investigation -- and so has not definitely laid complete responsibility on the rootkit -- Schouwenberg and Fossi said most researchers are convinced that the vast bulk of the BSOD reports were due to the malware. "If a computer has this rootkit and the MS10-015 update is installed, it will blue screen," said Fossi.
Schouwenberg noted that rootkit-infected machines running any flavor of Windows will crash when the MS10-015 update is applied. "This affects every version of Windows," he said, including Vista and Windows 7. "The reason why it's been reported as a Windows XP problem is that the vast majority of infected machines are running XP," Schouwenberg said.
There have been scattered reports on Microsoft's support forum from Vista and Windows 7 users who now have crippled computers.
Symantec has posted a workaround for people who have a blue-screened PC that involves replacing the rootkit-infected driver with a clean copy, while Kaspersky has posted a free utility that seeks out and destroys the rootkit (download .zip file for Windows PCs).
Microsoft has not yet restored the MS10-015 patch to Windows Update, so users can safely download and install all remaining updates issued last week. "Automatic Updates for MS10-015 will remain disabled until our investigation into the restart issues is complete," Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in an e-mail today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!