
Rootkit Confirmed to Cause Win XP Update BSoDs

Source: Tom's Hardware US | 18 comments

Windows XP Update foiled by malware!

Earlier this month, Microsoft issued a security update (MS10-015) for Windows XP that triggered Blue Screen of Death crashes and reboots on some machines. Microsoft went digging and found that the problem wasn't with the patch, but rather with malware already present on the affected systems.

Windows XP users who were infected with the Alureon rootkit would experience the crashes following the Windows Update procedure.

Microsoft's Mike Reavey writes on the company's TechNet blog:

We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015.  We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues.  Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit.  We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software.  The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state.  In every investigated incident, we have not found quality issues with security update MS10-015.  Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.

Check out Sophos Anti-Virus for removal of the rootkit.

Comments (18; thread closed for comments)
  • Titanius, February 18, 2010 10:15 PM (+12)
    I knew that the article about how the latest updates from Microsoft made Windows XP have BSODs was bogus when I updated all the XP machines I support with the update and no BSODs showed up anywhere. Ah, a rootkit, comes to show how many people don't have "real" protection.
  • foody, February 18, 2010 10:27 PM (+16)
    Gotta love Windows 7.
  • cheepstuff, February 18, 2010 10:28 PM (+22)
    Windows is almost never the problem. Usually it is bad 3rd party stuff, viruses or, on occasion, a failing piece of hardware.
  • amdchuck, February 18, 2010 10:40 PM (+6)
    yup, I am still on an updated XP machine both at home and at work....never had a problem....well, not never but you know, in reference to this latest BSOD ballyhoo
  • Abrahm, February 18, 2010 11:10 PM (+6)
    Don't worry guys, the rootkit developers were kind enough to issue a patch to resolve this BSOD issue that their software was causing!
  • jhansonxi, February 19, 2010 12:10 AM (+6)
    The developers should have made the patch compatible with the rootkit. Malware is a common enough application on Windows.
  • JonathanDeane, February 19, 2010 1:00 AM (+2)
    7 may not be immune to these things but it is better equipped to resist them.

    This is just another example of the new generation of malware or spyware... It's so sneaky even using the machine presents no obvious symptoms.
  • m-manla, February 19, 2010 8:11 AM (+6)
    I bet Microsoft is sick of pulling resources to find out the problem wasn't created by them.
  • adribhel, February 19, 2010 8:58 AM (+14)
    @bluekoala:

    You will notice that every sane person with a minor understanding of how a fraud works never has these problems. Whatever Microsoft does, it won't help when idiots keep clicking everything they see on the web.

    Keep Windows updated, use free anti-malware from Microsoft and don't be stupid = never get a virus.
  • Regulas, February 19, 2010 12:26 PM (-4)
    When you tie your web browser with direct access to the kernel (Win 7 is affected) you have a serious security flaw built right into the OS. All MS OS's are Swiss Cheese designs with built in back doors for the FEDS, they are only good for gaming and that may change too as Linux grows.
  • drksilenc, February 19, 2010 12:54 PM (+3)
    bluekoala u do realize that all os's from this era had these problems and this is one reason that the UAC of Vista and 7 are a good thing for the casual user that doesn't know a good link from a virus... that's like saying it's
  • GenKhan2, February 19, 2010 1:57 PM (+3)
    Not surprising. Windows problems are almost always caused by user error like being stupid enough to get a rootkit installed on your machine. Windows would be perfect if Microsoft could release patches for people.
  • rhelme, February 19, 2010 5:21 PM (+1)
    NegativeX,

    The problem is your anti-rootkit software is probably not finding the issue...

    replace the recommended files from the Windows XP CD and I bet your problem is solved... not all anti-rootkit software works and finds it... if this patch is causing a BSOD you are rootkitted, and your company should look for someone new to admin its machines..
  • JonathanDeane, February 19, 2010 8:04 PM (0)
    Quote (rhelme):
    NegativeX,

    The problem is your anti-rootkit software is probably not finding the issue...

    replace the recommended files from the Windows XP CD and I bet your problem is solved... not all anti-rootkit software works and finds it... if this patch is causing a BSOD you are rootkitted, and your company should look for someone new to admin its machines..

    Probably true, this rootkit is only discoverable by a bootable solution. This means Linux or some other solution. I believe the software in question resides in the OS files used to access the hard drive so it's very difficult to load something to scan the hard drive and this malware has the ability to hide itself from the scan. Hmmm at that point it could just hide 99% of itself in the "empty" portion of the hard drive with only itself knowing how to read that area. Then all you need is a small stub loader in the SATA driver.
  • xpslover007, February 20, 2010 10:05 PM (0)
    It was probably Microsoft who designed an update to react to the malware; they're desperately trying to get people to stop using XP already and pay up for the new OS
  • The_Prophecy, February 21, 2010 2:03 AM (0)
    Quote:
    Not surprising. Windows problems are almost always caused by user error like being stupid enough to get a rootkit installed on your machine. Windows would be perfect if Microsoft could release patches for people.


    +1. Thanks GenKhan! The last sentence made my day!