Hackers update rootkit causing Windows blue screens
Resolve conflict with Microsoft update so users don't notice infection
Computerworld - Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed today.
The rootkit, known by a variety of names -- including TDSS, Tidserv and TDL3 -- was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.
Within hours of that update's release, users flooded Microsoft's support forum, reporting that their computers had been incapacitated with a Blue Screen of Death (BSOD). On Thursday, Microsoft stopped shipping the MS10-015 update, which users had linked to the BSODs, and said it was investigating.
Security researchers today said that the makers of TDSS have updated the rootkit so that it no longer conflicts with MS10-015. "The update day before yesterday prevents PCs from getting stuck in the BSOD loop," said Roel Schouwenberg, a researcher with Moscow-based antivirus vendor Kaspersky.
Marc Fossi, a manager of development with Symantec's security response team, said his researchers are also digging into the latest update of the rootkit. "We're still in the process [of investigating], but it does look like the rootkit update is trying to eliminate the conflict that causes the blue screens," Fossi said. The rootkit, which Symantec pegs as Tidserv, updates itself via a "phone home" feature, said Fossi.
The rootkit's authors have reason to hustle out an update, said Schouwenberg and Fossi, who explained that blue-screened PCs are as worthless to the hackers -- who want access to the machines -- as they are to their owners. Worse, the BSODs have revealed to many Windows users that their systems were infected.
"The rootkit exists to be on the system and evading detection," noted Fossi. "On the plus side for users, this incident has helped people discover that they had this running on their computers." And that can't please the hackers.
Although Microsoft said today it has not wrapped up its investigation -- and so has not definitely laid complete responsibility on the rootkit -- Schouwenberg and Fossi said most researchers are convinced that the vast bulk of the BSOD reports were due to the malware. "If a computer has this rootkit and the MS10-015 update is installed, it will blue screen," said Fossi.
Schouwenberg noted that rootkit-infected machines running any flavor of Windows will crash when the MS10-015 update is applied. "This affects every version of Windows," he said, including Vista and Windows 7. "The reason why it's been reported as a Windows XP problem is that the vast majority of infected machines are running XP," Schouwenberg said.
There have been scattered reports on Microsoft's support forum from Vista and Windows 7 users who now have crippled computers.
Symantec has posted a workaround for people who have a blue-screened PC that involves replacing the rootkit-infected driver with a clean copy, while Kaspersky has posted a free utility that seeks out and destroys the rootkit (download .zip file for Windows PCs).
Microsoft has not yet restored the MS10-015 patch to Windows Update, so users can safely download and install all remaining updates issued last week. "Automatic Updates for MS10-015 will remain disabled until our investigation into the restart issues is complete," Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in an e-mail today.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- System and Data Protection, Recovery and Availability This white paper describes how ARCserve works and the benefits it can provide IT environments of all sizes.
- Simplifying Data Protection, Reducing Risk of Data Loss and System Downtime This white paper outlines what IT organizations should look for in a data protection solution, including simplicity and ease of deployment, comprehensive protection,...
- Four Myths of High-Productivity App Dev Debunked Debunk the main myths surrounding high-productivity application development and how both platforms have overcome them.
On-Demand Webcast: 7 Reasons to Choose VoIP
Thinking about a new phone system for your business?
Be sure to watch this informative webcast. Steve Strauss, small business columnist for USA...
All Malware and Vulnerabilities White Papers |