
Rootkit May Be Behind Windows Blue Screen

kdawson posted more than 4 years ago | from the pre-owned dept.

Security 323

L3sPau1 writes "A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by Windows XP users who applied the latest round of Microsoft patches. It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researcher Patrick W. Barnes, investigating the issue, has isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Barnes identified the infection as the TDSS rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity."

323 comments

Sounds like a good thing (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31115356)

That's one way of forcing users to take care of an infection.

Re:Sounds like a good thing (2, Funny)

Anonymous Coward | more than 4 years ago | (#31115564)

That's one way of forcing users to take care of an infection.

Let me try to respin it into an anti-Microsoft jab:

Windows API is such a jumbled mess of spaghetti code that not even low-level processes related to accessing the hard drive are safe from updates!

Re:Sounds like a good thing (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31115612)

Replace hard drive with wireless cards and you could say the same of Linux...

Re:Sounds like a good thing (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31115926)

Wireless has to be configured by the user; the HDD controller does not.

I'm in favor of requiring Internet User's License (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31115696)

If you need a license to operate a vehicle, why not an internet-connected device, which has the ability to wreak havoc and cost millions or even hundreds of millions of dollars in lost productivity, ID theft, etc. if compromised? I'll leave the details of the implementation up to people like Obama who have supreme confidence in mouth-breathing bureaucrats to correctly implement his vision for grandiose programs. Hey, it worked for health care, right? Right???

Re:I'm in favor of requiring Internet User's Licen (1, Troll)

gyrogeerloose (849181) | more than 4 years ago | (#31115908)

If you don't even have the strength of conviction to post with your name on it, I think that you should be denied issuance of your proposed Internet license.

And by the way, "Internet" should be capitalized.

Re:I'm in favor of requiring Internet User's Licen (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31116134)

Yes, gyrogeerloose, please lecture us on the merits of posting un-anonymously as you hide behind the nickname of one of Disney's more faggoty characters conceived during Disney's transition from quality cartoons to mindless shit.

Re:Sounds like a good thing (0)

Anonymous Coward | more than 4 years ago | (#31116202)

That's one way of forcing users to take care of an infection.

A lot of rootkits are now exposed, time to clean up folks!

Ah, well, that lets Microsoft off the hook then (2, Insightful)

Rogerborg (306625) | more than 4 years ago | (#31115370)

After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

Re:Ah, well, that lets Microsoft off the hook then (0, Troll)

jhoegl (638955) | more than 4 years ago | (#31115414)

Not surprised, that's what happened last time this happened.
Who is at fault? I'm going to go with the user. Keep on clickin' yah scrub
By the way, doesn't "Windows Defender" do checksum scanning?
I know SFC does it... so the tools are already there.

Re:Ah, well, that lets Microsoft off the hook then (2, Insightful)

ozmanjusri (601766) | more than 4 years ago | (#31115596)

I'm going to go with the user.

Of course.

They're the ones who paid for an OS that's about as secure as a colander, after all.

Re:Ah, well, that lets Microsoft off the hook then (0)

Anonymous Coward | more than 4 years ago | (#31115852)

You pay for the OS to be an OS, you pay for an antivirus to be an antivirus. Perhaps a good antivirus with rootkit detection would have caught it. Such as... NOD32?

Re:Ah, well, that lets Microsoft off the hook then (2, Informative)

jhoegl (638955) | more than 4 years ago | (#31115856)

That is BS and you know it.
The user installed the virus into their system by doing something stupid.
It's like blaming the US Government for letting businesses go overseas when you still shop at Walmart.

Your response is a cop out.

That does not matter. (1, Insightful)

khasim (1285) | more than 4 years ago | (#31116010)

ANY company replacing files on your drive should be checking to make sure that those are the exact files that it wants to replace.

If there's any difference in the files the installer should exit with a nice error message AND LEAVE EVERYTHING THE FUCKING SAME WAY IT FOUND IT.

Yes, this was from a virus/trojan/worm/whatever. Who cares? It could just as easily have been a custom file for custom hardware.

Re:Ah, well, that lets Microsoft off the hook then (4, Insightful)

spun (1352) | more than 4 years ago | (#31116014)

That is BS and you know it.

The user installed the virus into their system by doing something stupid.

It's like blaming the US Government for letting businesses go overseas when you still shop at Walmart.

Your response is a cop out.

Your response is what is commonly known as 'blaming the victim.' Seriously, you can't imagine any other way for malware to get onto a system except user stupidity? I'd call that a failure on your part. You know, Windows fanbois remind me of battered women, explaining to others how they walked into a door or fell down some stairs. No you didn't, you let somebody beat the shit out of you and then covered it up.

Re:Ah, well, that lets Microsoft off the hook then (1)

flitty (981864) | more than 4 years ago | (#31116180)

People who get viruses are now "victims"? Or are you saying Windows users are "victims"?

Never mind, this is /. --- don't answer that.

Re:Ah, well, that lets Microsoft off the hook then (1, Insightful)

Mister Whirly (964219) | more than 4 years ago | (#31116212)

And Linux fanbois remind me of a battered woman who cannot get her damn wireless card working for the life of her.

Re:Ah, well, that lets Microsoft off the hook then (1)

mrclisdue (1321513) | more than 4 years ago | (#31116224)

You know, Windows fanbois remind me of battered women, explaining to others how they walked into a door or fell down some stairs. No you didn't, you let somebody beat the shit out of you and then covered it up.

That's beautiful. I may borrow it someday.

cheers,

Re:Ah, well, that lets Microsoft off the hook then (1)

StormyWeather (543593) | more than 4 years ago | (#31116236)

My colander is very secure thank you. I keep it underneath the stove, and it's not connected to the internet in any fashion. In fact, I don't even plug it in.

Re:Ah, well, that lets Microsoft off the hook then (5, Insightful)

Com2Kid (142006) | more than 4 years ago | (#31115466)

After all, there's no way that their malware tool could have spotted it

If a system has been rooted, nothing short of booting to another OS from known clean media, mounting the disk read-only, and scanning is guaranteed to detect a rootkit.

That'd make updates a real pain in the arse to install...

Re:Ah, well, that lets Microsoft off the hook then (2, Insightful)

PIBM (588930) | more than 4 years ago | (#31115570)

Scanning it does not even guarantee the detection of the rootkit. I can see tons of useless scans a user could run ;)

Re:Ah, well, that lets Microsoft off the hook then (2, Interesting)

Sockatume (732728) | more than 4 years ago | (#31115788)

I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.

Re:Ah, well, that lets Microsoft off the hook then (2, Interesting)

RoFLKOPTr (1294290) | more than 4 years ago | (#31116018)

I'm not sure it'd be such a pain. Windows already demands to restart after critical updates anyway. Couldn't it throw a flag to boot from a secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown, then use that to mount the disk as read-only and install updates? You could call it Microsoft SafeUpdate, part of the Trusted Computing Initiative. Heck, make the secondary partition an SSD, give the hardware manufacturers a reason to get behind it.

RootKit() {
    if ( RecoveryPartitionPresent() == 1 ) {
        WriteRandomShit(RecoveryPartition);
    }
}

Re:Ah, well, that lets Microsoft off the hook then (0)

Anonymous Coward | more than 4 years ago | (#31116146)

Why not just make it read-only in hardware? Remember the good old days of USB sticks that had a hardware write-protect switch? These days they're getting so cheap they are hard to find.

Re:Ah, well, that lets Microsoft off the hook then (1)

gbjbaanb (229885) | more than 4 years ago | (#31116022)

You could call it Microsoft SafeUpdate

or even Windows File Protection [slashdot.org] and only allow drivers that have been digitally signed [microsoft.com] .

Nice idea I suppose, but as they didn't work there's only one solution - DRM on everything in your C drive!!

Re:Ah, well, that lets Microsoft off the hook then (3, Insightful)

Tuidjy (321055) | more than 4 years ago | (#31116110)

You know, it is far from easy to implement a "secondary, encrypted, trusted "update partition" that only the Windows root can edit, and only during shutdown" on a PC that has been rooted, unless you support this in hardware. And I can already hear the screaming and gnashing of teeth if some people, present company very much included, learned that PCs come with something like that.

I would certainly not be happy running hardware that I knew had something that I and no one I know could get into. And I can get into it, it's not that "trusted", is it?

Re:Ah, well, that lets Microsoft off the hook then (0)

Anonymous Coward | more than 4 years ago | (#31115832)

If a rootkit is that good at hiding itself, it wouldn't trigger a BSOD, let alone get featured on Slashdot twice. This is what I call a failed rootkit.

Re:Ah, well, that lets Microsoft off the hook then (3, Insightful)

girlintraining (1395911) | more than 4 years ago | (#31115518)

After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

Well, actually no. Most rootkits either modify the permissions or patch critical system files that cannot be easily replaced, as this one does. It's designed to be stealthy -- so if you scan it, it will return a byte-for-byte copy of the original, which is kept elsewhere, while the operating system loads the infected one at boot.

Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous. This is like potholes -- while the government has a responsibility to patch the roads up so they remain drivable, cars are nonetheless designed with shocks and drivers are expected to watch for road hazards and avoid them as much as possible as well. It is a joint responsibility. Microsoft is not the sole responsible party here: The user shares the responsibility of ensuring the system has not been compromised.

Re:Ah, well, that lets Microsoft off the hook then (4, Insightful)

TheLink (130905) | more than 4 years ago | (#31116056)

> Saying Microsoft is responsible for ensuring compatibility with 3rd party software is ludicrous.

And saying Microsoft is responsible for ensuring compatibility with _malicious_ 3rd party software is even sillier.

If your system is screwed up by a rootkit, there is no way to 100% predict what could happen if you try to continue using it (including trying to install patches).

If the BSODs are only happening to rootkitted XP boxes then it's clearly not Microsoft's fault.

If this was a one-time-thing, then yes. (1)

khasim (1285) | more than 4 years ago | (#31116138)

But when taken with Microsoft's entire approach, no.

Microsoft has always chosen "ease of use" over security. And then their licenses are constructed so that a large segment of the machines out there don't even have clean-bootable media to resolve issues like this.

In your pothole analogy, Microsoft didn't build the road ... and then the potholes appeared. Microsoft built the road with the holes ... and then even more appeared and they're doing nothing to mitigate the situation and they're still building the roads the same way.

Re:Ah, well, that lets Microsoft off the hook then (3, Insightful)

_xeno_ (155264) | more than 4 years ago | (#31115528)

Isn't one of the things a rootkit does to attempt to prevent detection?

How do you know that they don't try and match checksums, only the rootkit was returning the "correct" data in order to hide its presence? I mean, it is in the system file that handles reading data from hard drives, which sounds like the perfect place to put in code designed to stealth out the rootkit.

Not that I can get to the article ("Error establishing a database connection"), so I have no idea if that's the case, but it seems quite possible to me that if it's a rootkit, it's actively hiding from detection, which would seem to let Microsoft off the hook. Except for however the rootkit infected the machine in the first place.

Re:Ah, well, that lets Microsoft off the hook then (1)

Loopy (41728) | more than 4 years ago | (#31115534)

Clueless comment. Microsoft was NOT patching atapi.sys in this set of updates. Unless you're asking MSFT to checksum every single file that has one of their patch binaries as a dependency? (Think about that one for a second before your knee jerks.)

Re:Ah, well, that lets Microsoft off the hook then (1)

PIBM (588930) | more than 4 years ago | (#31115598)

The rootkit was hiding there, but there's nothing that prevents it from using other files which could have been modified (thus breaking the rootkit compatibility ??)

Re:Ah, well, that lets Microsoft off the hook then (1)

zippthorne (748122) | more than 4 years ago | (#31116204)

How long would it take to checksum every executable and library on a windows machine, anyway? What makes this something that can't take place on a regular or manually initiated basis?

Re:Ah, well, that lets Microsoft off the hook then (1)

Heed00 (1473203) | more than 4 years ago | (#31115562)

I'd call mine Gary:

God/Flanders: "*Gasp* My unicorn! Oh, what have they done to you, Gary?"

Re:Ah, well, that lets Microsoft off the hook then (1)

Rockoon (1252108) | more than 4 years ago | (#31115610)

You seem to be suggesting that atapi.sys was updated. Got any proof of that?

You seem to be using the same failed logic as other people, that a file modification exists after it has been over-written. No, it actually doesn't. There are no ghostly modified bits that linger around. Clearly this file is doing something it shouldn't, which by definition means that it didn't get replaced in the update.

If you aren't a programmer or some shit, don't offer your opinion, because right now it's terribly stupid.

Re:Ah, well, that lets Microsoft off the hook then (1)

timeOday (582209) | more than 4 years ago | (#31115680)

If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place.

They're more or less the same thing - the spread of malware is unauthorized file copying. The only way to fully prevent malware is to stop users from installing software, since they sometimes install malware.

The idea of not letting people install whatever they want on their own computers may sound ludicrous, but locked-down consoles have largely displaced PCs for gaming, and the iPhone is the #1 smartphone, so it's far from just a joke or a paranoid fantasy. It's here, and a lot of people like it.

Re:Ah, well, that lets Microsoft off the hook then (1)

BluenoseJake (944685) | more than 4 years ago | (#31115896)

The iPhone is the number 3 smartphone in the world. I think it has 14%. Please Google.

Re:Ah, well, that lets Microsoft off the hook then (1)

zippthorne (748122) | more than 4 years ago | (#31116274)

Seems it matters how you tally [phonearena.com] the numbers. Apparently iPhone is the most used smartphone while Blackberry is the most bought smartphone.

That right there says something that is not particularly flattering to RIM.

Re:Ah, well, that lets Microsoft off the hook then (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31115682)

Where did you get that they develop lots of their development to DRM regime?
Or did you pull that stat out of your ass? For all you know, they probably have one guy working on it, and not even full time.

Anyways, if Linux development put half their effort into making a decent desktop and finding a standard, then they would be a better place. Pot of gold, ahhh fuck it...

Re:Ah, well, that lets Microsoft off the hook then (1)

The MAZZTer (911996) | more than 4 years ago | (#31115692)

Windows File Protection is supposed to checksum and restore modified files. But if malware gets on your machine, all bets are off and it will likely be bypassed or tricked. In addition, it's a rootkit, so normal checksum scans are supposed to detect nothing, it's supposed to be good at hiding. Wouldn't be a very good rootkit if it was found by a feature not designed to find rootkits specifically.

Re:Ah, well, that lets Microsoft off the hook then (1)

BluenoseJake (944685) | more than 4 years ago | (#31115850)

I'm pretty sure most other malware scanners are in use in the world, and they don't seem to be detecting it either, but feel free to ignore the facts.

Re:Ah, well, that lets Microsoft off the hook then (1)

davidwr (791652) | more than 4 years ago | (#31115966)

"We'd all have unicorns, and a pot of gold."

Unicorns? UNICORNS? Who wants pesky unicorns? Mine keeps knocking over my pot of gold.

At rainbow's end: Win32/Alureon.A detected (5, Informative)

westlake (615356) | more than 4 years ago | (#31116050)

After all, there's no way that their malware tool could have spotted it, or the update could have checksummed the files before patching them.

If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

Microsoft does detect it - and has since last October.

File atapi.sys received on 2010.02.11 21:58:49 (UTC) [virustotal.com]

Virus:Win32/Alureon.A [microsoft.com]
Updated: Dec 07, 2009

Aliases:

Win32/Olmarik!generic (CA)
Rootkit.Win32.TDSS.u (Kaspersky)
W32/TDSS.drv.gen4.A (Norman)
Mal/TDSSPack-V (Sophos)

Encyclopedia entry

Updated: Dec 07, 2009 | Published: Dec 02, 2009

Alert Level
Severe

Detection initially created:
Definition: 1.69.77.0
Released: Oct 23, 2009

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s). When the infecting trojan is run, it infects a system driver, usually 'atapi.sys'. It has also been observed to infect 'iastor.sys' but other system drivers may also be targeted. The system driver detected as Virus:Win32/Alureon.A is infected by the addition of code, whose function is to load a part of the Alureon rootkit. The Alureon rootkit is a component that gives Alureon the ability to avoid detection; it is created by the same Alureon trojan that infects the system driver. The rootkit loaded by Virus:Win32/Alureon.A has the ability to avoid behavior blockers, which allows it to perform its malicious routines uninterrupted. It can also hide files and disk sectors.

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials... . Win32/Alureon may modify DNS settings on the host computer, thus the following steps may be required after the Win32/Alureon removal is complete:
If the computer has a network interface that does not receive a configuration using DHCP, reset the DNS configuration if necessary

Re:Ah, well, that lets Microsoft off the hook then (1)

psetzer (714543) | more than 4 years ago | (#31116116)

This is pretty ironic considering the circumstances. Their DRM code is pretty much the standard process and kernel isolation plus hardware support for looking to see if anyone's messed around with critical system files to bypass that.

Re:Ah, well, that lets Microsoft off the hook then (0)

Anonymous Coward | more than 4 years ago | (#31116240)

If they put half as much effort into their anti-malware activities as they do into their DRM regime, the world would be a better place. We'd all have unicorns, and a pot of gold.

The only thing that unicorns are good for is catching thrown donuts. You can have mine.

SFC Find It? (2, Insightful)

ircmaxell (1117387) | more than 4 years ago | (#31115384)

Will the Windows SFC (System File Checker) tool find this altered file?

Re:SFC Find It? (2, Informative)

RayMarron (657336) | more than 4 years ago | (#31115602)

Not if the rootkit responds to the request with the original values for the files it has replaced. That's the thing about a rootkit - it gets to tell the OS whatever it wants.

Re:SFC Find It? (1)

ircmaxell (1117387) | more than 4 years ago | (#31115654)

Is that how SFC works? It calls a method in the DLL? I would think it would do an MD5 (or similar -- possibly stronger -- hash) on the file, and compare the hash and the size to the known values. The only way around that would be to alter what SFC has for the "original" values... But then wouldn't SFC launched from a bootable CD combat that issue?

Re:SFC Find It? (2, Informative)

omgwtfroflbbqwasd (916042) | more than 4 years ago | (#31115798)

Generally, rootkits will modify function pointers in the kernel so that typical detection activities are trapped and handled so that the system appears unaltered. In the case of file access, the original file (in an alternate location, data stream, etc.) can be accessed in place of the trojaned one that was loaded on boot, thus preserving the original file size and contents.

Re:SFC Find It? (1)

shutdown -p now (807394) | more than 4 years ago | (#31115810)

Is that how SFC works? It calls a method in the DLL? I would think it would do an MD5 (or similar -- possibly stronger -- hash) on the file, and compare the hash and the size to the known values. The only way around that would be to alter what SFC has for the "original" values...

The obvious other way around it would be to intercept file read/write calls (which a trojan can do if it lives on the kernel level, injected into some driver), and provide the original file contents to anyone who tries to read the file.

But then wouldn't SFC launched from a bootable CD combat that issue?

It would, but can you launch SFC from within one OS install on files belonging to another OS install?

Re:SFC Find It? (1)

RayMarron (657336) | more than 4 years ago | (#31115902)

My comment applied only to running it in-place. Booting from CD is, AFAIK, the only way to see/get rid of rootkits. (My apologies if that's the way SFC is normally run)

Re:SFC Find It? (1)

maxume (22995) | more than 4 years ago | (#31116186)

Examining the disk from an independent system (the software, so a boot cd works) is the only way to be sure that it is possible to see the rootkit, but most rootkits can be detected by several of the tools that exist for the purpose (from what I gather, the tools look for differences between what system file routines return and what lower level file system routines return).

Sure, a powerful enough rootkit will be hidden from both, but we (seemingly) haven't gotten to that point yet.

Re:SFC Find It? (0)

Anonymous Coward | more than 4 years ago | (#31115948)

Reading a file is calling a method in a DLL. Rootkits are designed to hide themselves from the OS. The only real way to detect them is to run a scan from a clean environment outside of the OS.

ATAPI.sys (1, Informative)

Anonymous Coward | more than 4 years ago | (#31115388)

I have had to replace atapi.sys after doing offline scans of infected systems' drives. Usually easy enough to copy it off a work system.

mirror please? (0)

Anonymous Coward | more than 4 years ago | (#31115418)

That blog is slashdotted. Who has a mirror?

Re:mirror please? (3, Informative)

n0tWorthy (796556) | more than 4 years ago | (#31115508)

I just happen to have it open in another window:

Microsoft Update KB977165 triggering widespread BSOD

One of Microsoft's "Patch Tuesday" security fixes is triggering a widespread "Blue Screen of Death" problem. The cause is not the update itself, but an existing infection. So far, reports suggest that this problem affects Windows XP and Windows Vista. Once the update is applied and the system rebooted, Windows will bluescreen at boot. When booted to Safe Mode, the system will freeze. Removing the update from the Windows Recovery Console or using live media will get the system booting again, at least until the update is reapplied.

I have found that the root cause is an infection of %System32\drivers\atapi.sys, and that replacing this file with a clean version will get the system booting normally. This is not the first time that an infection hitting atapi.sys has caused updates to trigger bluescreens.

If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update. If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer.

References:
http://isc.sans.org/diary.html?storyid=8209 [sans.org]
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1 [microsoft.com]

Detailed Repair Instructions Using the Windows XP Recovery Console

1. Boot from your Windows installation CD
Insert your Windows installation CD and boot your computer. If your computer is not set to boot from CD first, you may need to reconfigure your BIOS or press a boot menu key (often F12, F8 or Esc). If you are unsure of how to do this, consult your favorite geek. As soon as the boot starts, you should see a message like "Press any key to boot from CD..." - press a key.

2. Start the Recovery Console
After the CD loads (it may take a minute), you will be presented with a few choices. One of these options is to start a recovery by pressing "R". Press "R" to launch the Recovery Console.
* You may be asked to choose a Windows installation. If so, choose the damaged installation (probably "1").
* You may be prompted for the Administrator password. If you do not have one, press "Enter".

3. Identify your CD drive letter
You should now be at the command prompt. Enter the following command:
    map
Look for the drive letter for your CD drive. It may look something like this:
    D: \Device\CdRom0
In this case, your CD drive is "D:".

4. Replace ATAPI.SYS
Enter the following, replacing "D:" with your CD drive:
    cd system32\drivers
    ren atapi.sys atapi.old
    expand D:\i386\atapi.sy_
You should see the message "1 file(s) expanded." - this indicates you have succeeded.

5. Reboot and scan for malware
Reboot your computer. With a little luck, your computer will now boot normally. Because this problem is caused by malware, you should immediately scan your computer with up-to-date antivirus software.

Tags: Malware, Security, Windows. This entry was posted on Thursday, February 11th, 2010 at 17:22 and is filed under Security.

Re:mirror please? (3, Informative)

n0tWorthy (796556) | more than 4 years ago | (#31115548)

And some other salient responses:

Michael Bristow says:
2010-02-12 at 11:48
I had a machine come across my bench with this issue, first thing Wednesday morning. One of the first things I tried was running SFC from an ERD boot disk. It replaced several files including atapi.sys, but it still would not boot. The only way to get the PC back up and running was to remove the patch.

Multiple scans, with no infection detected, and I tried re-installing the patch, only to get right back to Blue Screens.

In short, there is obviously more going on than just a problem with infected atapi.sys files.

Jim Blizzard says:
2010-02-12 at 12:00
Very nice work Patrick,

We have seen this occur on a few machines at the FAA so I wrote a vbscript to loop through an .xls of machines and record the MD5 Checksum. Thought it may come in handy for yourself and some of your readers..

http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip [comcast.net]
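An offline driver integrity check in the spirit of the MD5 checker mentioned in the comment above, written here as an added example (it is not that script and is not code from the original page or blog). It assumes the suspect disk has been mounted read-only from clean boot media, so the rootkit's kernel hooks are not running when the file is read, and it compares atapi.sys and iastor.sys (the two drivers the Microsoft write-up names) against known-good copies of the same driver versions by size and hash; all paths and the sample driver bytes are constructed.

```python
"""Offline integrity check for Windows driver files such as atapi.sys.

Assumption: the disk under test is mounted read-only from clean boot media,
so reads return what is actually on disk rather than what an in-OS rootkit
chooses to show. A known-good copy of each driver, taken from an uninfected
machine at the same patch level, serves as the reference.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

DRIVERS_TO_CHECK = ("atapi.sys", "iastor.sys")   # drivers named in the MS write-up


@dataclass
class FileDigest:
    path: str
    size: int
    md5: str
    sha256: str


@dataclass
class Verdict:
    name: str
    status: str                       # "MATCH", "MISMATCH" or "MISSING"
    findings: list = field(default_factory=list)


def digest_file(path, chunk_size=1 << 20):
    """Stream the file once, collecting size, MD5 and SHA-256."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
            size += len(block)
    return FileDigest(path, size, md5.hexdigest(), sha256.hexdigest())


def compare_driver(name, candidate_path, reference_path):
    """Compare one on-disk driver with its known-good reference copy."""
    if not os.path.isfile(candidate_path):
        return Verdict(name, "MISSING", [f"{candidate_path} not found"])
    cand, ref = digest_file(candidate_path), digest_file(reference_path)
    findings = []
    if cand.size != ref.size:
        # Alureon infects by appending code to the driver, so size alone
        # already betrays it when read from an offline disk.
        findings.append(f"size {cand.size} vs reference {ref.size} "
                        f"({cand.size - ref.size:+d} bytes)")
    if cand.sha256 != ref.sha256:
        findings.append(f"sha256 {cand.sha256[:16]}.. vs {ref.sha256[:16]}..")
    # MD5 is reported only for cross-checking against older published hashes;
    # the collision-resistant SHA-256 is what decides the verdict.
    if cand.md5 != ref.md5:
        findings.append("md5 differs")
    # A mismatch proves only that the file differs from the reference: a
    # reference from a different patch level would also differ, so confirm the
    # driver version before replacing anything.
    return Verdict(name, "MISMATCH" if findings else "MATCH", findings)


def check_drivers(mounted_system32, reference_dir, names=DRIVERS_TO_CHECK):
    """mounted_system32: <offline Windows>\\System32 on the mounted disk.
    reference_dir: directory holding known-good copies of the same drivers."""
    return {
        name: compare_driver(name,
                             os.path.join(mounted_system32, "drivers", name),
                             os.path.join(reference_dir, name))
        for name in names
    }


def demo():
    """Constructed sample: clean references, atapi.sys with code appended."""
    clean = b"MZ" + bytes(range(256)) * 4         # stand-in for a driver image
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "mnt", "Windows", "System32")
        ref = os.path.join(tmp, "reference")
        os.makedirs(os.path.join(sys32, "drivers"))
        os.makedirs(ref)
        for name in DRIVERS_TO_CHECK:
            with open(os.path.join(ref, name), "wb") as fh:
                fh.write(clean)
        with open(os.path.join(sys32, "drivers", "atapi.sys"), "wb") as fh:
            fh.write(clean + b"\x90" * 64)        # "infected": code added
        with open(os.path.join(sys32, "drivers", "iastor.sys"), "wb") as fh:
            fh.write(clean)                        # untouched
        return check_drivers(sys32, ref)


if __name__ == "__main__":
    for verdict in demo().values():
        print(verdict.name, verdict.status, *verdict.findings, sep="  ")
```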

Re:mirror please? (1)

PeterKraus (1244558) | more than 4 years ago | (#31115816)

Can't believe this! Just finished reinstalling a Dell Mini with exactly the same issue (and let me tell you, reinstalling a Dell Mini with XP CDs without an external CD drive is a PITA).

Kdawson, couldn't you post it yesterday night?!?

Re:mirror please? (1)

maxume (22995) | more than 4 years ago | (#31115962)

The rollback fix and the possible malware link were both discussed in the story posted yesterday.

(I realize that getting a recovery console on a netbook with no optical drive is a bit of a chore)

Re:mirror please? (1)

PeterKraus (1244558) | more than 4 years ago | (#31116066)

The most baffling thing was the randomness of bluescreens it threw. IRQL, DRIVER_IRQL, some POOL stuff etc.... Sometimes it booted just fine, sometimes not.

Dell Mini has the RAM chip located under the plastics and motherboard - had to take it open several times (to check the RAM, which turned out to be fine, to replace it with a new one, which didn't boot (800MHz), and to fit the old one back in).

I kind of realised it's a virus infection as soon as I booted it in normal mode for the first time - Norton out of date, a telltale sign something is f**ed up. After removing it, Windows XP 2010 Internet Security installed itself - great job at social engineering, I couldn't spot a difference from a legit Windows Update screen (though obviously I knew it's a virus).

It was also clever enough to block downloads of Malwarebytes Anti-Malware, and the system was force-restarted every 20-30 minutes (some NT process launch issue)...

Well, at least I've learned two things - how to install Windows XP Home from a USB hard drive (no external DVD-RW here), and how to activate a Dell machine using a genuine (non-Dell) installation CD...

a driver used by Windows to connect hard drives (3, Informative)

BisexualPuppy (914772) | more than 4 years ago | (#31115422)

ATAPI is an ATA driver for things that are NOT hard drives (think CD-ROM drives, floppy, etc).

What is pitiful (0)

Anonymous Coward | more than 4 years ago | (#31115480)

is that Microsoft's best solution was to boot into the recovery console and uninstall the patches. This put the rootkit back in business. Where is "trustworthy computing"?

Good (1)

Dan East (318230) | more than 4 years ago | (#31115488)

The infected PC is unusable or it will be restored to a clean state. Either way it won't be spamming or participating in DDoS attacks, etc.

Re:Good (0)

Anonymous Coward | more than 4 years ago | (#31115524)

The infected PC is unusable or it will be restored to a clean state. Either way it won't be spamming or participating in DDoS attacks, etc.

The fix linked from here (yesterday) was to roll back the updated files from an XP install disk -- so any rootkit would probably stay around?

No surprise if true (5, Interesting)

al0ha (1262684) | more than 4 years ago | (#31115492)

I've performed a forensic analysis on numerous Windows machines and have discovered rootkits that have lived on machines undetected for up to two years even though they were up to date on patches and AntiVirus defs. In fact one of the rootkits was unknown until I discovered it and sent a copy to threatexpert and virustotal.

Re:No surprise if true (2)

JumpDrive (1437895) | more than 4 years ago | (#31115586)

Can you give us a little more information on how you discovered these rootkits?

Re:No surprise if true (1)

berashith (222128) | more than 4 years ago | (#31115738)

It was named al0ha.trojan.jpg.exe and it was also sent to thousands of unsuspecting hotmail users at the same time as it was sent to threatexpert and virustotal ( they only got it as a secondary action) .

Re:No surprise if true (5, Informative)

The MAZZTer (911996) | more than 4 years ago | (#31115750)

If you compare a file listing run from inside the machine to one run from a bootable CD OS where the rootkit can't load, different files are a dead giveaway that something is being hidden, and a rootkit can't work around this.

There are also lower level APIs one can use inside of an OS that are much harder for a rootkit to patch so such tools can also locate some rootkits without needing to boot from CD. See: RootkitRevealer

Re:No surprise if true (0)

Anonymous Coward | more than 4 years ago | (#31115954)

Don't file sizes change when the OS is updated?

Are you seriously suggesting a new CD of system files be generated every time one of them is updated?

Re:No surprise if true (4, Informative)

hoggoth (414195) | more than 4 years ago | (#31116144)

No, he's suggesting a program that runs first under Windows to make a list of every file on the disk along with a checksum, then runs under Linux to make a list of every file on the disk along with a checksum. If the lists differ there is likely a root-kit hiding itself when running Windows.
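The cross-view comparison described in the two comments above (a file listing with checksums taken from inside the running OS, then another taken from clean boot media, then a diff) is easy to implement. The following is an added example, not code from any poster or from RootkitRevealer; the directory names, the sample driver files and the "inside" and "outside" snapshots are constructed in a temporary directory purely to exercise the logic. In practice the two manifests would be built from the same volume once while booted from it and once from a clean boot CD, then compared offline.

```python
import hashlib
import os
import shutil
import tempfile


def build_manifest(root):
    """Walk `root` and record (size, sha256) for every regular file, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = (os.path.getsize(full), digest.hexdigest())
    return manifest


def diff_manifests(inside, outside):
    """Compare the view from inside the (possibly compromised) OS with the clean-boot view.

    hidden  : on disk but not visible from inside -> something is filtering the listing
    phantom : visible inside but absent on disk   -> fabricated entries
    changed : same path, different size or hash   -> reads are being altered (or the file changed)
    """
    hidden = sorted(set(outside) - set(inside))
    phantom = sorted(set(inside) - set(outside))
    changed = sorted(p for p in inside.keys() & outside.keys() if inside[p] != outside[p])
    return {"hidden": hidden, "phantom": phantom, "changed": changed}


def demo():
    """Constructed scenario: two directory trees stand in for the two views of one volume."""
    base = tempfile.mkdtemp(prefix="xview-")
    try:
        outside = os.path.join(base, "clean_boot_view")   # what the clean boot media sees
        inside = os.path.join(base, "running_os_view")    # what the running OS reports
        drivers = "system32/drivers"
        for root in (outside, inside):
            os.makedirs(os.path.join(root, drivers))
            # An untouched driver looks identical from both sides (constructed bytes).
            with open(os.path.join(root, drivers, "disk.sys"), "wb") as fh:
                fh.write(b"legit-driver")
        # The real bytes on disk carry the implant; the rootkit serves the original bytes to
        # readers inside the OS, so the hashes disagree (constructed sample content).
        with open(os.path.join(outside, drivers, "atapi.sys"), "wb") as fh:
            fh.write(b"driver+implant")
        with open(os.path.join(inside, drivers, "atapi.sys"), "wb") as fh:
            fh.write(b"driver-original")
        # A payload file that is filtered out of directory listings inside the OS.
        with open(os.path.join(outside, drivers, "hidden.sys"), "wb") as fh:
            fh.write(b"payload")
        return diff_manifests(build_manifest(inside), build_manifest(outside))
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The "changed" bucket is the interesting one for the atapi.sys case: a rootkit that hides its modification by serving the original file contents to in-OS readers cannot also satisfy a reader that never ran under it. Legitimate churn (pagefile, logs, updates applied between the two snapshots) will show up too, so the comparison is most useful when the two listings are taken back to back with nothing else running.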

Removing known rootkits (1)

davidwr (791652) | more than 4 years ago | (#31116048)

If you know the behavior of rootkit X version Y, it is usually possible to write a tool that specifically disables X version Y without resorting to a known-good-media boot.

However, it may be useless against rootkit X version anything-but-Y.

This is most useful for rootkits that either aren't stealthy enough or which are associated with non-stealthy viruses.

If the rootkit is sufficiently stealthy, the end user may never suspect he has a problem.

The moral of the story: If you are a malware writer and want your code to be undetected, stay below the radar and don't do anything to attract attention to yourself.

Re:No surprise if true (1)

lymond01 (314120) | more than 4 years ago | (#31116080)

If you run your XP box as root and allow items to be installed by clicking on an attachment or going to a website that runs an executable, no virus checker is going to stop you from hosing your machine. Vista's "cancel or allow" mechanism gained fame for its annoying implementation (having to "cancel or allow" multiple times through a single process), but it was the best move Microsoft ever made towards their system's security. Mac OS X and Linux have had "cancel or allow" mechanisms pretty much since their inception, just implemented in a more user-friendly manner. Vista SP1 and Windows 7 make the pop-up decidedly more tolerable.

Been there, done that already (0)

Anonymous Coward | more than 4 years ago | (#31115496)

I fix computers for a living... started seeing this a few months ago. I just installed Avast! and removed the rootkit... presto, problem solved.

That must be why... (1)

tenco (773732) | more than 4 years ago | (#31115500)

...my XP box didn't crash on reboot after applying these latest updates.

Re:That must be why... (1)

serialband (447336) | more than 4 years ago | (#31115938)

I had been wondering about all those blue screen complaint posts too. Every system I managed came up fine. I usually test-patch one system first before I continue doing the rest.

So much for AV protection (0)

Anonymous Coward | more than 4 years ago | (#31115510)

I was hit by this yesterday -- boy everything runs faster after a clean install!

The interesting part is that I already had the latest Windows Updates, but the blue screens arrived following a successful infection targeting the OLD kernel. How long until the TDSS/etc. makers update their pointers? I kind of prefer the attack that leaves a dead system instead of a quiet zombie...

had one yesterday (2, Informative)

Revek (133289) | more than 4 years ago | (#31115542)

Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connected with the XP problems. Microsoft didn't do an evil thing, who would have known.

Re:had one yesterday (1)

Bobfrankly1 (1043848) | more than 4 years ago | (#31115700)

Scanned the drive in another machine and it detected atapi.sys as having a trojan. I restored it from /i386 and it came right up. I never thought it was connected with the XP problems. Microsoft didn't do an evil thing, who would have known.

You mean Microsoft didn't have evil intentions in this area of the patch. Bad idea to make a blanket statement based on one area of patch.

Re:had one yesterday (1)

Revek (133289) | more than 4 years ago | (#31116070)

It wasn't a blanket statement about Microsoft. It was specific to this one incident.

Oh, and by evil I meant stupid, thoughtless and without responsibility.

Inadequate regression testing (5, Funny)

Ralish (775196) | more than 4 years ago | (#31115644)

Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!

Re:Inadequate regression testing (4, Funny)

shutdown -p now (807394) | more than 4 years ago | (#31115854)

Next time you might consider doing some backwards compatibility testing with popular rootkits, yes? Just a free tip Microsoft!

But if we do, the makers of less-popular rootkits could sue us in EU for monopolistic preferential treatment! ~

Bug-for-bug compatible (1, Funny)

Balial (39889) | more than 4 years ago | (#31115686)

Does this mean Microsoft is going to have to support and test malware and remain bug-for-bug compatible to avoid bad press in future? That'd be awesome... "we can't accept this fix, it's not compatible with the great zombie bot of '10".

Re:Bug-for-bug compatible (1)

Sir_Lewk (967686) | more than 4 years ago | (#31115828)

They could just have their update installer flip shit if checksums don't check out right, and refuse to take any actions. That would be the sane default anyways...

Re:Bug-for-bug compatible (0)

Anonymous Coward | more than 4 years ago | (#31116012)

The real question for me is why the system is freaking out with the applied update (it's replacing the file), but a restored copy is just fine.

Re:Bug-for-bug compatible (1)

maxume (22995) | more than 4 years ago | (#31116262)

The update isn't providing a new atapi.sys file, it is changing something that the rootkit (present in atapi.sys) depended on.

Re:Bug-for-bug compatible (1)

gparent (1242548) | more than 4 years ago | (#31116076)

Yeah, because rootkits definitely don't hook to the kernel and can't patch the function that performs file reads. Right?

Re:Bug-for-bug compatible (1)

Sir_Lewk (967686) | more than 4 years ago | (#31116256)

Well if I'm reading this right, this one at least didn't catch filesystem writes...

Re:Bug-for-bug compatible (1)

shutdown -p now (807394) | more than 4 years ago | (#31115930)

Windows is already "bug for bug" compatible in many cases, though for the sake of real applications rather than trojans, of course. If you read The Old New Thing (Raymond Chen's blog), he often details some of the undocumented assumptions and accidental behavior that had to be supported for a long time just because some very popular software out there relied on it to work.

It's the unfortunate consequence of having backwards compatibility as a major feature - when it breaks for whatever reason when a new version of Windows is installed, users blame Windows, not the application. And MS cannot really handle this in the same way e.g. ext4 authors handled the major userland breaks they introduced by changing behavior (fully within the written spec), by saying, "well, you're all idiots and should have written proper code in the first place". Even when it's technically true...

VirusTotal (2, Informative)

z4ns4stu (1607909) | more than 4 years ago | (#31115712)

Here's a link to the report from VirusTotal when you upload an infected atapi.sys.

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Question (0)

Anonymous Coward | more than 4 years ago | (#31115814)

Did you copy the file after mounting the drive on an uninfected machine, or did you just copy from the infected machine?

In other words, since about half of the AV programs (including Microsoft's!) can find this rootkit, if it's possible to detect on the infected machine, then the users are double idiots for (a) downloading and installing a virus, and (b) not having a decent AV program to detect and remove it.

Re:Question (0)

Anonymous Coward | more than 4 years ago | (#31115894)

Nobody knows how long any of these infected systems were already infected; they could well have been infested with the rootkit before detections were available, which isn't too uncommon. Most current rootkits update themselves after being deployed, and usually stay ahead of detection on a running system that way.

Re:Question (1)

z4ns4stu (1607909) | more than 4 years ago | (#31116032)

I didn't grab the file myself. The link is from comments the original blog poster had made at isc.sans.org.

M$ at root of problem...but wont admit (-1, Troll)

hesaigo999ca (786966) | more than 4 years ago | (#31115818)

You all know who this guy is; does he even have the proper credentials that, say, someone working for Symantec might, or any other security-based company that is globally known and respected??? Also, how do we know he was not just paid for his comments about the virus/trojan/rootkit? I mean seriously, you have to be pretty unbiased, and even though I did no research on the guy, I am sure neither did the guy that posted this story!!! Never fails, M$ always comes up with a way out or excuse why it is not their fault, EVER!

Slashdotted (0)

Anonymous Coward | more than 4 years ago | (#31115880)

Link seems to be down. Already /. ?

Sounds like a House-style diagnosis (2, Interesting)

msbmsb (871828) | more than 4 years ago | (#31115884)

Apply this patch to see if the machine is infected by some seemingly-unrelated rootkit.

"It's not a bug, it's a feature" (3, Funny)

davidwr (791652) | more than 4 years ago | (#31115934)

"Yes, our security update crashed your computer. We hope you enjoyed our anti-rootkit feature."

Remove it with ComboFix (5, Informative)

cyprezzz (110690) | more than 4 years ago | (#31115984)

I've seen this Tdss-rootkit on many machines. Usually it infects a disk driver like atapi.sys or iastor.sys. Typically an infected machine will boot in normal mode, but NOT in safe mode (blue screens). If Windows will boot, running ComboFix has removed the rootkit for me every time. The author of ComboFix is a genius.

ATAPI.SYS Infections (5, Informative)

nlewis (1168711) | more than 4 years ago | (#31116200)

I run a small computer repair shop, and we first started seeing this ATAPI.SYS virus a few weeks ago. When I would submit it to VirusTotal, it would always come back as clean on every single virus scanning engine - but I could tell it was infected. I even had a computer in here just yesterday which had the infected ATAPI.SYS file, yet it was not detected as such - even when the hard drive was mounted as a secondary drive in another system and scanned with several up-to-date antivirus programs.

The virus itself is actually quite a clever little beast. After infecting the file, it sets the file modification time back to the original date & time, which makes it hard to tell that it's been modified. Also, I've noticed that the byte counts between infected and non-infected versions of the file are almost always identical. But to do that, it appears to be injecting its code into the area normally used to store the file version information. The upshot is, if you check the file properties and there's no file version information (the Version tab under XP or the Details tab under Vista/Win7), there's a good chance the file is infected.

I have not had any computers come in to the shop with the BSOD mentioned in the articles yet, but I'm expecting them at any time...
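The comment above gives a practical triage heuristic for a suspect driver: the infected copies kept their original size and timestamp but lost their version resource, because the implant overwrote the area where that resource lived. An earlier comment in the thread (the FAA checksum script) relies on the complementary check, comparing the file's hash against a known-good copy. The code below is an added example, not the poster's tool or anything from Microsoft: it walks the PE section table, looks inside the .rsrc section for the VS_VERSION_INFO key that every version resource begins with, and optionally compares a SHA-256 against a reference hash. The `build_sample_pe` helper constructs a minimal, non-functional PE image so the check can be exercised offline; real use would read the driver from a volume mounted under a clean boot.

```python
import hashlib
import struct

# Every VS_VERSIONINFO resource starts with this UTF-16LE key string.
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")


def pe_sections(data):
    """Return {section name: raw bytes} from a PE image, parsing only the headers needed."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_header_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_header_size                      # section table follows optional header
    sections = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return sections


def has_version_info(data):
    """True if the .rsrc section carries a version resource (the thing the comment says goes missing)."""
    rsrc = pe_sections(data).get(".rsrc")
    return rsrc is not None and VERSION_KEY in rsrc


def triage_driver(data, known_good_sha256=None):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    if not has_version_info(data):
        findings.append("no VS_VERSION_INFO in .rsrc")
    if known_good_sha256 and hashlib.sha256(data).hexdigest() != known_good_sha256:
        findings.append("sha256 differs from known-good copy")
    return findings


def build_sample_pe(rsrc_payload):
    """Constructed sample: the smallest header set pe_sections() needs, with one .rsrc section."""
    pe_off = 0x40
    header = bytearray(pe_off)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, pe_off)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0002)
    raw_ptr = pe_off + 4 + 20 + 40                              # data starts right after the section table
    section = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_payload), 0x1000,
                          len(rsrc_payload), raw_ptr, 0, 0, 0, 0, 0x40000040)
    return bytes(header) + b"PE\0\0" + coff + section + rsrc_payload


if __name__ == "__main__":
    clean = build_sample_pe(VERSION_KEY + b"\0\0" + b"\0" * 16)
    suspect = build_sample_pe(b"\x90" * 48)                     # version data overwritten (constructed)
    reference = hashlib.sha256(clean).hexdigest()
    print("clean:", triage_driver(clean, reference))
    print("suspect:", triage_driver(suspect, reference))
```

Both checks are heuristics, as the comment itself says ("a good chance"): a vendor driver can legitimately ship without a version resource, and an implant that preserves the resource passes the first check. The hash comparison against a copy from install media or a known-clean machine is the stronger signal, and neither check means much if the file bytes are read through the running OS, since that is exactly the read path a kernel rootkit controls.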

"Rootkit May Be Behind Windows Blue Screen" (4, Funny)

thatskinnyguy (1129515) | more than 4 years ago | (#31116238)

Rootkit? I don't see it. Maybe it's because this damn blue screen is blocking my view.