Posted on 02/15/2010 6:13:53 AM PST by Gomez
The presence of a hard-to-detect rootkit may have caused Windows XP machines to freeze up after applying a patch from Microsoft last week, according to preliminary analysis of the problem from Microsoft's security team.
Microsoft's user forums filled up with reports of Windows XP users experiencing the dreaded Blue Screen of Death (BSOD) after applying the 13 patches released by Redmond last week. The problem was later linked to one specific update - MS10-015 - a patch for an "important" kernel flaw - and it was discovered that uninstalling this package unfroze affected machines.
The Blue Screen problem affected a minority of machines but was far from isolated, with many reported cases. Subsequent security sleuthing by sysadmin Patrick Barnes revealed that Windows XP machines that hit a brick wall after applying the update may have been infected with the TDSS rootkit.
Microsoft's security team has since confirmed that the malware may explain the Blue Screen issue in many cases, without ruling out other possibilities.
In our continuing investigation into the restart issues related to MS10-015 that a limited number of customers are experiencing, we have determined that malware on the system can cause the behavior. We are not yet ruling out other potential causes at this time and are still investigating.
Microsoft is asking affected users to send memory dumps in order to aid its ongoing investigation. But it acknowledges this is tricky when users who hit the problem are left with unbootable machines.
Redmond's security team suggested on Thursday that users may want to hold off on the potentially troublesome MS10-015 update and apply a workaround for that particular problem instead. Sysadmins following this advice are strongly advised to apply the other 12 patches issued by Microsoft last Tuesday.
ping
One box in my office got hit with this last week. The only option was booting to CD and walking through an automatic repair.
My computer at work had the Blue Screen of Death last week, shortly after applying an update! I had to have a new HD installed. Luckily we do automatic nightly updates.
Holy cow! I had an XP machine go down hard on Friday and I’m running a surface scan on it now (figured it was hardware). Also experienced a Windows 2003 crash this weekend (running chkdsk). I figured it was a climate control issue. Still might be. But this really makes me think... I may have screwed up the computers even worse in attempting to repair them.
I use my own Windows Update Server and approved a slew of updates last Weds.
Just got the update for Microsoft ... I cancelled it, not putting it in ... I saw RootKit in there. So what’s the fix? Are they going to send out a new update and when will we know it is safe to load?
Yikes! Looks like affected computers may have been infected prior to the update. KB977165 also looks like it is a pretty important update that protects from a serious rootkit MBR invader. Oh, man. This is nasty.
Bad part about it is, I’ve just updated one of my computers for the first time in months. And sure enough, I got the update in question, KB977165. But I seem to be booting fine now. It should be alright, but I hope I don’t end up with the BSOD. But thanks to this FR thread, at least I’ll know what to do.
Thanks for the ping.
Is there a simple way to check for a rootkit before you install this update/patch?
I cancelled it, not putting it in.
My PC was doing the update last Friday (auto update MS) and lucky me the install did not complete.
Will change the setting to update on my command.
ping
“and it was discovered that uninstalling this package unfroze affected machines”
Editors’ day off at El Reg?
I don't know what happened. For some reason the thread didn't degenerate into a flame war.
ping
I wonder if the app ‘Windows Security Essentials’ has been able to block the rootkit. I took free AVG off all my PCs and put on Security Essentials, and got the patches on XP/Vista machines okay.
I DO know that when I would run across a trojan or a bad app in the field, this ‘Security Essentials’ would kill it dead... so I am hoping it is going to stay steady.
ps: it’s free
http://www.microsoft.com/Security_Essentials/
Do you run any security programs on your computer?
Antivirus and firewall.
Then I would download Windows Defender, update it, and then run a full scan. Also, in settings, set it to real-time protection, which means it is always on in the background.
Windows Defender will be the third leg of your protection; it will give you anti-spyware/anti-malware protection to supplement your antivirus and your firewall protection.
Windows Defender is free and painless. Set it to automatic updates, automatic scans, and full-time protection.
If you like scanning and really scouring your system then ask and I will tell you two more free programs that you can download and operate manually.