ie8 fix
madison

Hardware 2.0

Adrian Kingsley-Hughes
Home / News & Blogs / Hardware 2.0

Hackers "fix" XP BSoD rootkit

By | February 16, 2010, 2:52pm PST

Summary: An update released by Microsoft this month (MS10-015) broke XP machines that were infected with the TDL3 rootkit (also known as TDSS and Tidserv and many other names).

An update released by Microsoft this month (MS10-015) broke XP machines that were infected with the TDL3 rootkit (also known as TDSS and Tidserv and many other names - more info here).

Well, a rootkit that causes crashes is bad for business, so the hackers had an update out in the matter of hours.

On last Tuesday Microsoft released a number of Windows updates, some of them critical because they fixed a 17 years old bug. After some users updated their Windows operating systems, they got a scaring and really annoying blue screen of death.

Most of those users were angry with Microsoft, but the problem this time is not related to Microsoft. Indeed a number of the users affected by this BSOD was infected by TDL3/TDSS rootkit.

More exactly, TDL3 rootkit looks incompatible with MS10-015 update. This is the cause of the BSOD. Problem resides in the lazyness of rootkit writers when writing the driver infection routine.

Good news is that TDL3 authors care about us and they released in a couple hours a new updated version of the rootkit compatible with the Microsoft patch.

It’s one big cat and mouse game between the good guys and the bad guys.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Hardware 2.0”

Topics

BSOD, Microsoft Windows XP, Hacker, Rootkits, Security, Spyware, Adware & Malware, Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology.

Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Related Discussions on TechRepublic

Did you know you can take part in these discussions with your ZDNet membership?
Ask a Question Start a Discussion
327
Comments
Add Your Opinion

Join the conversation!

Just In

What else is it?
AzuMao 3rd Mar 2010
Routers and modems are also computers and also
need operating systems, don't they?

Are you referring to the cables/fibers connecting
them all? But then why didn't you use those in
your analogy to asphalt?
View in thread
0 Votes
+ -
What exactly does this rootkit do?
Lerianis10 16th Feb 2010
I'd really like to know. Anyway, this is just another reason to GET OFF WINDOWS XP and move to Vista or 7..... these issues disappear on a SECURELY WRITTEN OS, which Windows 7 and Vista are.
0 Votes
+ -
Contributr
More info on rootkit
Adrian Kingsley-Hughes 16th Feb 2010
http://forum.sysinternals.com/forum_posts.asp?TID=21266
0 Votes
+ -
I don't..
AzuMao 17th Feb 2010
..see "give people BSODs" in the feature list, so
how can MS blame them on anyone but themselves? If
they're going to wait until something is actively
being used to take over systems before fixing it,
they need to make sure their fix either removes
the crap or at least doesn't bring the whole
computer down with it. Is that really too much to
ask from a company that grosses billions a year?
0 Votes
+ -
Are you really that stupid?
BrewmanNH 17th Feb 2010
The BSOD is probably caused by Microsoft fixing the bug that the rootkit authors used to install and infect the computers. Fix the bug, the rootkit won't work any more, the computer has trouble booting because the rootkit won't work. See the chain there?

It's NOT their responsibility to fix a problem they didn't cause before patching a bug, it's the user's responsibility to not get infected in the first place. Don't get infected and it won't BSOD with the bug fix.
0 Votes
+ -
Are YOU really that clueless?
mdsock@... 17th Feb 2010
First, it seems that the rootkit authors fixed the problem to keep the systems running, for their own reasons. They don't want your system to break, because it reveals their presence. If you'd paid attention to the article (even the title, no less!), you'd get that.

And while I agree that it isn't automatically Microsoft's responsibility to fix a problem they didn't create, it's may be one they did create. Especially if it's the 17 year old bug mentioned that caused this.

It isn't so easy to avoid rootkits as you imply. If you think it is, you need to educate yourself about them before you become another victim (if you aren't already).

Rootkits, by their very nature, are difficult to detect. Sure, this one caused the computers to BSOD, but the whole point of them is to sit in the background and not be noticed. Even with a combination of the best-of-breed security software and good practices, you can still get hit.

So stop looking at it as an either-or situation. There's more than enough blame to go around.
0 Votes
+ -
It's very easy.
AzuMao 17th Feb 2010
Simply use an OS where security is taken seriously, and the chances are instantly reduced by several orders of magnitude, if not eliminated entirely.
0 Votes
+ -
Yes.....
Lester Young 17th Feb 2010
...such as Vista/7.
  • Flagged
0 Votes
+ -
If by "such as" you mean "as opposed to".
AzuMao 17th Feb 2010
0 Votes
+ -
No, I mean such as.
Lester Young 17th Feb 2010
http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=75321&messageID=1464942&tag=content;col1

Read 'em and weep.
  • Flagged
0 Votes
+ -
@Lester Young
AzuMao 18th Feb 2010
I read 'em. Did you? They conclude that Linux is more secure than Windows.
And that OSX leaves out parts of ASLR that programs can do themselves
without help from the OS, such as moving themselves to another address at
startup.


What was your point again?
0 Votes
+ -
Read what, and weep?
Wintel_BSOD 18th Feb 2010
Windows Vista/7 is more than caught up with Linux/Mac security.

The fact that Linux wasn't even tested at CanSecWest is your first EPIC FAIL right there...

Your link http://www.scribd.com/doc/13450744/Dino-Dai-Zovi-Mac-OS-Xploitation looks like a link to a Russian hacker's website. Not a reputable place and I'd prolly run a malware scan after visiting it if I were running Winbloze.

~

I seriously doubt we're all gonna run out and by a copy of Vista bloatware at this stage of the game. You're too little, too late, fanbui.
  • Flagged
0 Votes
+ -
@Wintel_BSOD That's mean!
AzuMao 18th Feb 2010
To the Russians.

They helped so much with killing the Nazis.

Why hate on Russians??
  • Flagged
0 Votes
+ -
Not as clueless as you
BrewmanNH 17th Feb 2010
I got it that they fixed it to keep the rootkit working, how did what I wrote make you think I didn't understand that?

It's very easy to avoid rootkits. Don't go to sketchy sites, don't open email attachments you don't know about, avoid pirated software. Use a good AV software, not Norton's or McAfee. Seems simple to me.
0 Votes
+ -
Did you read what I wrote before replying to it?
AzuMao 17th Feb 2010
I'm going to give you the benefit of the doubt instead of assuming that you're playing stupid to troll me, and humor you with a response.

Since Microsoft refused to fix the problem before it was taken advantage of, a bunch of computers got taken over by this rootkit, and Microsoft should have taken this situation
into consideration, by.. here it comes.. doing what I said they should have done, in the post you just replied to; "make sure their fix either removes
the crap or at least doesn't bring the whole
computer down with it"!
0 Votes
+ -
Did Microsoft Know about the RootKit?
darkonc Updated - 17th Feb 2010
Micrsoft often leaves off patching securit problems until a 'zero-day' exploit is out, so it's entirely possible that the patch was in response to these root kits.

If Microsoft knew about these root kits when they came out with the patch, then they should have tested the result and designed things so that the patch -- even with the root kits installed -- wouldn't blue-screen your system.

Either that, or they should have issued some sort of caution about a problem that they were aware of. So that customers wouldn't get blind-sided.

It's easy to say that customers shouldn't get root-kits installed on their machines.
It's just as easy to say that MS should have solved the poblem before it was exploited.

In this case, however, people are just saying that they would like to have been informed about a KNOWN PROBLEM. I don't see that as being unreasonable given that Microsoft would have been the only people with knowledge of the problem at that point of time.
0 Votes
+ -
I don't...
Yugatha 17th Feb 2010
... see how its is Microsoft's prpblem to be an antivirus author when there are many other Anti-virus programs out there, eg AVG, Norton, Avast... the list goes on.

In this instance, it is the user's fault for not properly securing their pc.
0 Votes
+ -
I don't...
AzuMao 17th Feb 2010
...see how it is the user's fault, when Microsoft left the hole in for 17 years (during which time there was no patch available for the user to apply). I do, however, see
how it is Microsoft's fault for finally giving a patch after the vulnerability has been used to infect people's computers, that BSODs them! Do you know what a rootkit is? It
operated within the kernel itself, meaning it can fully control everything, including AVs. Most rootkits nowadays either disable the most common AVs entirely or at least render
themselves invisible to them.

It is Microsoft's responsibility to make sure that their patches do not render their customers' systems inoperable. If that means including something in the patch to remove or at
least work around the infection that happened as a result of them taking so long to provide a patch, tough shit. Millions/billions of people are paying these clowns
hundreds of dollars each, the least they can do is not hose their systems!
0 Votes
+ -
The patch.....
Lester Young 17th Feb 2010
....was not for the vulnerability exploited by the rootkit. The patch was for a privilege escalation vulnerability from the DOS emulator, which required physical access to the machine. Physical access vulnerabilities are pretty far down the list as far as vulnerabilities go, since if an attacker has physical/logon access there are much greater security issues. But the upshot is, all of your hoo-hah about Microsoft needing to correct the rootkit before patching an unrelated vulnerability is just so much nonsense.
0 Votes
+ -
If that was the case..
AzuMao 17th Feb 2010
..there wouldn't be BSODs.


There would be rootkits unable to get the necessary privileges to install themselves (and thus unable to cause a BSOD) after the patch was applied, and there would be rootkits
already embedded in the kernel and thus no longer needing to use an exploit to escalate and thus unaffected by the patch and thus wouldn't suddenly stop BSODing.


So that's obviously not the case. Try again.
0 Votes
+ -
Wrong again.
Lester Young 17th Feb 2010
The patched vulnerability was from the DOS mode. The rootkit had nothing to do with DOS mode, it affected ATAPI.SYS. If you can't see the difference, you are hopeless.
0 Votes
+ -
Lester, did you reply to the wrong post?
AzuMao 18th Feb 2010
I'm not wrong. I didn't say that the patch should have caused BSODs.


Rather, what I am saying, is that there was no excuse for it to, other than Microsoft being extremely incompetent.

Please make sure you're replying to the right post next time.
0 Votes
+ -
@AzuMao
Cardhu Updated - 20th Feb 2010
What is your experience with security software development and testing for the Windows market?
0 Votes
+ -
That relying on Microsoft to keep their own products working is a bad idea.
AzuMao 20th Feb 2010
  • Flagged
0 Votes
+ -
@AzuMao
Cardhu 20th Feb 2010
That does not answer my question.

Do you have any professional background with experience in developing and testing software, particularly security software for the Windows microcomputer market?
0 Votes
+ -
I don't make the patches deployed by Windows Update if that's what you mean
AzuMao Updated - 20th Feb 2010
0 Votes
+ -
You're Dodging The Question
Cardhu 21st Feb 2010
No, that is not what I mean.

At this point, I am looking for a straightfoward answer to whether or not you have any software engineering experience in development or testing at all to have even a basic familiarity with the field.

So for the fourth time, do you have any software engineering background with experience in development or testing?
0 Votes
+ -
On the contrary..
AzuMao 21st Feb 2010
..it seems your trying to change the subject from
discussion of Microsoft to my own personal
attributes. Why? I already told you, I haven't
been in the position of making the patches for
Windows deployed by Windows Update, so obviously I
don't speak for Microsoft. I'm not sure what more
you want to know about me, nor why.
0 Votes
+ -
I Don't Think You Have Any Background
Cardhu 21st Feb 2010
to understand the engineering issues of which you accuse Microsoft. Your comments reflect no understanding of even basic principles, much less actual experience.

I am a systems and software engineering professional. I've worked on both sides in safety- and mission-critical hard-real-time systems since 1984. I've been a lead software engineer, project engineer, lead test engineer, and lead architect.

I am one of the harshest critics of Microsoft in the ZDNet forums. But my criticisms are backed by references and experience. My criticisms of Microsoft's business and engineering practices have stood in the ZDNet forums since October 2006.

But in this one case, your characterizations of Microsoft as "incompetent" are simply wrong.

You don't know what you're talking about.
0 Votes
+ -
I don't really care about your background, nor understand why you..
AzuMao Updated - 21st Feb 2010
..want to know mine. What I do know is this;


Microsoft left a door open for 17 years that allowed rootkits to get in.
But when Microsoft finally closed the door, they forgot to first remove the nasties they let in.

This would be like leaving the door to a vault or house open for a few years, and upon realizing this simply closing it, without first making sure no-one was inside.

There is no technical/engineering problem in their way; they have, in the past, checked for nasties when
closing doors, so your whole argument of "no way that's impossible you're asking too much of them" kind of falls on its face, sorry.



edit: Fixed link
0 Votes
+ -
You Are Misrepresenting Me
Cardhu Updated - 22nd Feb 2010
Re: "... argument of 'no way that's impossible you're asking too much of them'"

I am not saying that at all. The fact that you don't understand why I am making no such statement only highlights your complete lack of background for comment, much less discussion.
0 Votes
+ -
Then what did you mean by this?
AzuMao 22nd Feb 2010
But in this one case, your characterizations of Microsoft as "incompetent" are simply wrong.

You don't know what you're talking about


I thought you meant that I was wrong in stating that Microsoft's act of messing with the kernel without first disinfecting it was an act of incompetence.

But now you're saying this isn't what you said?

:/
0 Votes
+ -
You Misrepresent Me In Saying
Cardhu 22nd Feb 2010
that I am stating that it is "impossible" for Microsoft to have done what you expect.

You are flat out wrong to say Microsoft not doing what you expect is an example of "incompetence."
0 Votes
+ -
So what you really meant was..
AzuMao 22nd Feb 2010
..there was nothing stopping Microsoft from cleaning out the infections that got in from the door they left open before closing it, but they chose not to do so, because they are competent??

That makes no sense!

Please be clear in what you mean if you don't want to be misinterpreted.
0 Votes
+ -
You Have No Comprehension Of Engineering
Cardhu 23rd Feb 2010
This guy:

http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=75321&messageID=1464916&tag=content;col1

gets it.

You do not.
0 Votes
+ -
I thought this discussion was about Microsoft Windows, not me.
AzuMao 23rd Feb 2010
So why do you keep trying to change it to what you think my personal aspects may or may not be?

Why not just (dis)agree with what I've said based on whether or not you agree with it? Wouldn't that make for a more logical discussion? Instead, you just keep coming back with
"ya well you're wrong" "you have no clue I'm the pro in this area listen to what I say", etc.
Also, I already rebutted the post you just linked to.
0 Votes
+ -
Your Comments Show Such Absence Of Basic Understanding
Cardhu 24th Feb 2010
that I wondered whether you had any credentials as a basis. Clearly, you don't.

Your "rebuttal" to Lester Young is equally devoid of familiarity with the topic. As Lester Young states, the rootkit and the update were entirely unrelated. Their interaction was unlikely and very unexpected.

To avoid such an unexpected interaction, Microsoft would have to employ a shotgun approach to their development and testing of updates. There are about 1.1 million viruses, Trojans, and rootkits for Windows. Checking for unexpected interactions in pathological cases for every update would require detectors, removers, and test cases for each and every single one. That does not even begin to address what viruses, Trojans, and rootkits are not yet known.

The resulting additional requirements and test cases for just one update would far exceed any reasonable and affordable bounds for any software engineering project.

That is why no antivirus or antimalware product now is proof against all possible viruses, Trojans, and rootkits. The one product reported to detect and remove the rootkit in question is MalwareByte's AntiMalware, which is one of the anti-malware products I use.

Furthermore, virus and malware authors will always have the lead because they have the initiative.

What you bash Microsoft for is neither "impossible" nor "incompetent." It is simply unaffordable and unreasonable.
0 Votes
+ -
I didn't mean make another post devoted to saying "you're wrong because I
AzuMao 24th Feb 2010
said so and I'm smarter than you". I meant actually try to make a logical argument against what my points.

Your ridiculous straw-man doesn't count either; I never said that with every single update they need to check for every single virus/malware/spyware/trojan/worm that affects Windows.


Just that when they leave a door open for years they should do something about what got in before closing it, and that they have done so in the past (and provided a link as proof), meaning that there is no technical reason for them not to.

Again, not saying that EVERY patch needs to check for EVERY piece of crap, just that the patch should either include something to remove the crap that directly interacts with it (like this rootkit which has infected thousands thanks to the door Microsoft left open).. surely it isn't unreasonable that when over a billion people pay you tons of money to provide them with a secure piece of software, and you leave a vulnerability in it with 17 years, you should at least fix the damage caused by it? I mean come on, can't they hire a programmer (or even more than one) with all that money??


But go on, just keep calling me names and saying I'm wrong over and over. Maybe someone really will believe that over my logical argument. Who knows?
0 Votes
+ -
BSODs, while a nusance, were actually...
PollyProteus 17th Feb 2010
...intended to be a last ditch attempt by Windows to try and PREVENT irreversible damage to the system's integrity. Read more here:

http://en.wikipedia.org/wiki/Blue_Screen_of_Death

So yes, the user lost whatever data they were just working on, which is never fun, but ask yourself which is worse: loosing the last hour's work or loosing all the data on your hard drive?

I'm not saying that BSODs are a good thing, and I wish they didn't exist, however I guess if it comes right down to it, I'm going to spend the money to get quality hardware and drivers and then do what's necessary to keep things like RootKits off my computer.

Oh, wait, I already do. Last time I suffered a BSOD was caused by a cheap video card I picked up for $25 figuring it wouldn't hurt. Well, in the end it hurt a great deal, so I spent the $150 for a quality video card and the BSODs went away.

Moral of the story: You get what you pay for.
0 Votes
+ -
Correction
AzuMao 17th Feb 2010
Moral of the story: you get the opposite of what you pay for.



Buy some expensive commercial OS, and instead of vulnerabilities being fixed promptly, you get them left in for 17 years, and when a "fix" is finally provide, it hoses your
system. Wonderful. Get what you pay for my ass!
0 Votes
+ -
Correction to your correction...
Wolfie2K3 17th Feb 2010
If it's been working fine for all these years, and in effect, it hasn't been exploited, it isn't a problem. Now is it?

Nor is the fix the problem. If you're getting a BSOD, it's not because of the fix. It's the bloody rootkit. If you're not infected, then gee, no problem. If you are infected, OTOH, it crashes.

So who is really to blame? Is it the rootkit authors? To a degree. They're criminals and they're out to infect as many computers as they can.

Is it Microsoft's fault? Not really. The fix works just fine when applied on a system that hasn't been compromised. They can't be responsible for someone else's code. Even especially when it's from some criminal organiztion that altered the original code in order to HIDE their tracks.

How about the end user's fault? Yeah... They're guilty too. They opened that shady web site, the one promising to show pictures of Paris Hilton's naughty bits or a video of some scandalous social engineering nonsense they use to get you to install the infection.
0 Votes
+ -
Yes really.
AzuMao 18th Feb 2010
If they're going to wait years before providing
a fix, by which time malware has already been
taking advantage of the vulnerability for a long
time, then why they finally do decide to
fix it, they need to make sure their fix fixes
whatever problems were caused (such rootkits),
or at least doesn't make it worse (such
as crashing the computer entirely).

I do agree it is the user's fault also
(not solely), since they chose to keep using the
OS their computer came with instead of
installing a more secure one, but that doesn't exempt Microsoft for making it.
0 Votes
+ -
@ AzuMao
Cardhu 20th Feb 2010
Have you ever been involved in actual software engineering for development or testing?

Have you ever been a lead engineer responsible for planning and conducting a significant test program?
0 Votes
+ -
@Cardhu
AzuMao 20th Feb 2010
One thing's for sure.. whoever made this patch sure hasn't!
0 Votes
+ -
You're Still Dodging The Question
Cardhu 21st Feb 2010
See my previous post:

http://talkback.zdnet.com/5208-12554-0.html?forumID=1&threadID=75321&messageID=1468238
0 Votes
+ -
See mine.
AzuMao 21st Feb 2010
See mine.
0 Votes
+ -
Exactly!
john_gillespie@... 17th Feb 2010
Is there a possibility that MS should not have known about BSODs? This
is totally irresponsible on MS's part.
0 Votes
+ -
Exactly how?
Wolfie2K3 17th Feb 2010
1.) The systems affected by the BSOD are infected by a rootkit.

2.) The purpose of a rootkit is to HIDE the activities of a hacker or hackers. Preferably in some way that will keep itself hidden as well. Ergo, a system infected with a rootkit is probably not going to display any odd behavior - tho it might run a bit slower than normal - depending on what the rootkit is hiding.

3.) Microsoft doesn't have a panel of psychics on staff. If they don't know about an issue, then they can't exactly fix it. Can then?
0 Votes
+ -
Considering the issue was being used for years by these rootkits..
AzuMao 20th Feb 2010
..I guess they should have known by the reports?

And should have made sure that in (finally) fixing
the hole, they also fix problems caused by the
hole? Or is it the users' faults for not
travelling through time to get the patch and apply
it before it came out?
0 Votes
+ -
Update KB977165 (MS 10-015) do I Install or Not?
perfumfree@... 17th Feb 2010
I had read your emails about the above update # causing problems, so when I received this update to download, I did not download or install it. Is it safe to download now, or should I just continue to keep in hidden and not install it. I really don't want the Blue Screen of Death on my very important home/office computer because I can't afford to pay to have someone fix it. Would it be okay if I don't download and install it or is it okay to install it now? Thanks for your help!
0 Votes
+ -
No, Windows 7 and Vista are not secure either. They are more secure than
DonnieBoy 16th Feb 2010
XP, but, that is not saying much.
0 Votes
+ -
What else is it?
AzuMao 3rd Mar 2010
Routers and modems are also computers and also
need operating systems, don't they?

Are you referring to the cables/fibers connecting
them all? But then why didn't you use those in
your analogy to asphalt?

Join the conversation!

Formatting +
BB Codes - Note: HTML is not supported in forums
  • [b] Bold [/b]
  • [i] Italic [/i]
  • [u] Underline [/u]
  • [s] Strikethrough [/s]
  • [q] "Quote" [/q]
  • [ol][*] 1. Ordered List [/ol]
  • [ul][*] · Unordered List [/ul]
  • [pre] Preformat [/pre]
  • [quote] "Blockquote" [/quote]
ie8 fix
Click Here
ie8 fix

The best of ZDNet, delivered

ZDNet Newsletters

Get the best of ZDNet delivered straight to your inbox

Facebook Activity

Blog Roll

Blog Archive

White Papers, Webcasts, & Resources
ie8 fix
ie8 fix