Microsoft Confirms Update-Linked BSODs Required Compromised Machines

timothy posted more than 4 years ago | from the calling-that-glass-half-full-takes-chutzpah dept.

Windows 199

Trailrunner7 writes "Microsoft on Thursday confirmed that the blue screen of death issues that affected a slew of users after the latest batch of Patch Tuesday updates is the result of an existing infection by the Alureon rootkit. There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some Windows 32-bit machines. However, Microsoft said at the time this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said that it now was confident that the restart problem is being caused by the Alureon rootkit." That seems a harsh way to find out that your Windows machine has been rooted.

But better than not finding out at all. (5, Insightful)

dmgxmichael (1219692) | more than 4 years ago | (#31190928)

Now, I wonder who the first poster is going to be to demand Microsoft test their patches for compatibility with viruses and malware?

Re:But better than not finding out at all. (2, Insightful)

bigredradio (631970) | more than 4 years ago | (#31190980)

First post...that would be you sir.

Re:But better than not finding out at all. (1)

Jugalator (259273) | more than 4 years ago | (#31192032)

First post...that would be you sir.

That was a demand?

Re:But better than not finding out at all. (1)

nextekcarl (1402899) | more than 4 years ago | (#31192860)

In his defense, the people of Big Red Radio's home planet are extremely polite. I, for one, welcome our Overlords, is actually a variation of their standard greeting.

Re:But better than not finding out at all. (1)

Rockoon (1252108) | more than 4 years ago | (#31191034)

How about queue up the idiots who demand that microsoft do a checksum on the files it patches...

..because in their universe, files that have been overwritten still contain bits of the old files that will execute and cause blue screens.

Re:But better than not finding out at all. (5, Funny)

Anonymous Coward | more than 4 years ago | (#31191122)

The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

Re:But better than not finding out at all. (2, Funny)

rve (4436) | more than 4 years ago | (#31192646)

The rootkitted library was not a part of the update, just one of the libraries it was using. You should demand that your rootkit vendor stick to published APIs to avoid this in the future.

An OS update shouldn't break third party applications such as rootkits. Many people's livelihoods depend on these rootkits. Did you guys at MS even consider how difficult it is to retroactively patch infected torrents once they're out on the net?

Re:But better than not finding out at all. (1)

GNious (953874) | more than 4 years ago | (#31192666)

haha, but ...

Why are there unpublished APIs available for 3rd parties of any kind to call without some kind of security check? Why are MS allowing these unpublished APIs to be used, and could they possibly be removed for the safety and sanity of systems?

I can appreciate that some may be there for the OS to use, but would it be feasible for the APIs to include some kind of authentication model ensuring that only the proper software (MS's own OS) is using them?

Just worried that there are bits and pieces of the system that aren't really documented, aren't safe and getting abused...

Re:But better than not finding out at all. (1)

The Archon V2.0 (782634) | more than 4 years ago | (#31191146)

files that have been overwritten still contain bits of the old files that will execute and cause blue screens.

Why not? DNA contains bits that will de-evolve you back into a frog or lizard or caveman.

The Archon V2.0
Graduate, Starfleet Academy biology program.

Re:But better than not finding out at all. (3, Insightful)

Johnno74 (252399) | more than 4 years ago | (#31192656)

Wow, nice way to find/create an anti-MS slant on the story. I can respect people who bash Microsoft if they know what they are talking about, but you clearly don't, so no biscuit.

Problems with your theory:

1) Microsoft updates don't patch files. They replace them. Probably to avoid the issues you assume are happening here (even though they aren't). I'll excuse you for not knowing this.

2) The file that the rootkit infects isn't the file affected by the patch. The file MS patched WAS 100% clean. The rootkit was either modifying or calling the patched file using a static offset. After the patch this offset was no longer correct and the rootkit caused a bluescreen when it used it.

3) Even if the patch was a delta and not a whole file, and the file to be patched was the infected file, and if the patch _did_ checksum the file first then the checksum would not have revealed anything was wrong. Do you even know what a rootkit is? A rootkit, by definition cloaks itself by modifying the OS so system calls will not reveal the rootkit. Read the file where the rootkit resides and the rootkit will intercept this and return the original file contents, sans rootkit.

Re:But better than not finding out at all. (1)

geminidomino (614729) | more than 4 years ago | (#31191142)

Depends...

If MS10-015 was meant to protect against/fix Alureon infections, then yeah, it doesn't seem unreasonable to ask that it not hose the machine.

OTOH, if the fix was for something else and it just happened to go tits-up in that particular odd case, then yeah, MS is off the hook.

Re:But better than not finding out at all. (1)

buti (140259) | more than 4 years ago | (#31191438)

maybe someone should just demand microsoft to remove known rootkits when patching.

Re:But better than not finding out at all. (4, Informative)

lgw (121541) | more than 4 years ago | (#31191498)

Actually, they do. However, Windows Update will apply patches before doing malware removal - I've never quite understood why that was the preferred order.

Re:But better than not finding out at all. (1)

ozmanjusri (601766) | more than 4 years ago | (#31192670)

They did get Mark Russinovich's Rootkit Revealer when they grabbed Sysinternals, so it would make sense that they include a scan.

Having said that though, it looks like it hasn't been updated since Microsoft took it over.

Re:But better than not finding out at all. (1)

Aphoxema (1088507) | more than 4 years ago | (#31192920)

Some rootkits are intentional, like some viruses (I guess they're not really viruses then). As an option, sure, but as a regular part of the update process it can be dangerous.

Not that harsh (5, Insightful)

bigredradio (631970) | more than 4 years ago | (#31190938)

Yeah a BSOD is harsh, but finding your bank account mysteriously drained of funds is more harsh. At least they found out.

Re:Not that harsh (0)

Anonymous Coward | more than 4 years ago | (#31191116)

You missed the lost thesis post?

Re:Not that harsh (0)

Anonymous Coward | more than 4 years ago | (#31191238)

You missed the easy solution to recover it with a Live CD? It wasn't "Lost", it was "temporarily inaccessible".

Re:Not that harsh (0)

Anonymous Coward | more than 4 years ago | (#31191248)

Yeah, it could have been a lot worse. Suppose the rootkit were robust against WU patches... then it would still be there and they wouldn't know about it. They were lucky that the circumstances were just right to out the rootkit.

Re:Not that harsh (0)

Anonymous Coward | more than 4 years ago | (#31191266)

Coincidentally, the fortune at the bottom of the page when I first read this post said:

"Your computer account is overdrawn. Please reauthorize."

The un-harsh way (2, Funny)

hey! (33014) | more than 4 years ago | (#31191816)

[A Microsoft representative comes to a System Admin's place of work for a little meeting.]

MR: Thanks for making time to meet with me.

SA: No problem. So what's this all about?

MR: I don't know how to say this, but it seems that you... well you aren't entirely in control of your systems.

SA: You mean you're selling a new management tool?

MR: No, no nothing like that. It's just that there are certain things... Well let's say there are things about your system that you don't know that you really ought to be aware of.

SA: Oh, I see. You mean like undocumented registry settings, or DLLS or stuff like that.

MR: Well, sure. Technically you *could* describe it that way. It's only....

SA: Only what? How would *you* describe it.

MR: *sigh*. OK. Some Chinese hacker working for the Russian mob has been using you as his bitch.

The Alureonians (0)

Anonymous Coward | more than 4 years ago | (#31190960)

First, they compromise our computers,

Then, their ships will drop out of hyperspace and invade.

You'll see. Mark my words. You all will see.

Better than not knowing that you've been rooted (4, Insightful)

jandrese (485) | more than 4 years ago | (#31190962)

The bluescreen may be painful, but it is far less painful than having your information stolen by criminals. Assuming of course the people who own the machines are savvy enough to properly install their firewalls and virus protection next time.

Re:Better than not knowing that you've been rooted (4, Insightful)

Locutus (9039) | more than 4 years ago | (#31191334)

It was probably about 6 years ago when a number of government offices, American Express, and others including CNN had their computers BSODing. CNN even stayed on the air for a few hours just talking about how the computers were all rebooting. The cause of that was that the computers were part of a botnet and an update to the botnet caused BSODs.
In plain language, many government computers and business computers have been infected without them knowing it. And as I mentioned, large companies with financial ties like American Express. You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quitting, saying something much the same. Businesses who insist on Windows are insisting on something which is very, very difficult to secure.

Now I wonder if this is what took out all those Norfolk VA computers. The ones which it was said that they don't think it was something they got off the internet but in the same breath said they don't know what caused it or how it got there.

LoB

Re:Better than not knowing that you've been rooted (1)

Anpheus (908711) | more than 4 years ago | (#31191600)

You can't secure any unverified code without unplugging it. And verifying, truly verifying code is expensive and laborious and will likely never be done for something as huge as Windows or a Linux distro.

Unfortunately, the cost-benefit analysis of verifying code against a spec and proving the security of it shows that it's not worth it in the vast majority of situations.

Re:Better than not knowing that you've been rooted (2, Interesting)

geekprime (969454) | more than 4 years ago | (#31192004)

Couldn't a deep packet inspection reveal the botnet behaviors regardless of how good the rootkit was?

Sounds like a home router feature to me...

Re:Better than not knowing that you've been rooted (1)

X0563511 (793323) | more than 4 years ago | (#31192234)

SSL or any other common encryption scheme throws that out the window.

Re:Better than not knowing that you've been rooted (1)

zero0ne (1309517) | more than 4 years ago | (#31192638)

you may not be able to see the ACTUAL traffic, but shouldn't you still see that 50 PCs on your network all of a sudden start trying to connect securely to a server in China?

I don't think there is any easy way around this.

Even if the IP it was connecting to ended up being within your country, the simple fact that it is all being recorded and data-mined by some company wide application means that given enough time, a pattern will be discovered, and can then be countered.
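The detection logic the comment is describing, as an added example (not code from the post or from any product the thread mentions): correlate outbound connection records across the whole network and flag any external endpoint that many distinct internal hosts start contacting within a short window, regardless of whether the payload is encrypted. The flow records, the 10.0.1.0/24 internal range and the TEST-NET destination addresses are all constructed for the example; the window and threshold are arbitrary assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp src dst dport), not real traffic.
# Six internal hosts contact 203.0.113.5:443 within 42 seconds; the same
# six hosts also contact 198.51.100.20:443, but spread over an hour.
FLOWS = """\
2010-02-18T09:00:05 10.0.1.11 203.0.113.5 443
2010-02-18T09:00:09 10.0.1.12 203.0.113.5 443
2010-02-18T09:00:14 10.0.1.13 203.0.113.5 443
2010-02-18T09:00:20 10.0.1.14 203.0.113.5 443
2010-02-18T09:00:31 10.0.1.15 203.0.113.5 443
2010-02-18T09:00:47 10.0.1.16 203.0.113.5 443
2010-02-18T09:00:47 10.0.1.11 203.0.113.5 443
2010-02-18T09:01:02 10.0.1.11 198.51.100.20 443
2010-02-18T09:12:30 10.0.1.12 198.51.100.20 443
2010-02-18T09:25:00 10.0.1.13 198.51.100.20 443
2010-02-18T09:40:00 10.0.1.14 198.51.100.20 443
2010-02-18T09:55:00 10.0.1.15 198.51.100.20 443
2010-02-18T10:10:00 10.0.1.16 198.51.100.20 443
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def fan_in_alerts(flows, window=timedelta(minutes=10), threshold=5):
    """Alert on destinations contacted by >= threshold distinct internal hosts
    within any sliding window of the given length.

    The payload is irrelevant: only who talked to whom, and when, is used, so
    TLS does not hide the pattern. Repeat connections from one host do not
    inflate the count (distinct sources, not connections)."""
    by_dst = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_dst[(dst, dport)].append((ts, src))

    alerts = []
    for (dst, dport), events in by_dst.items():
        events.sort()
        in_window = Counter()          # src -> connections currently inside the window
        best = (0, None, None)         # (distinct hosts, window start, window end)
        left = 0
        for ts, src in events:
            in_window[src] += 1
            # Slide the left edge forward until every event is within `window` of ts.
            while events[left][0] < ts - window:
                old_src = events[left][1]
                in_window[old_src] -= 1
                if in_window[old_src] == 0:
                    del in_window[old_src]
                left += 1
            if len(in_window) > best[0]:
                best = (len(in_window), events[left][0], ts)
        if best[0] >= threshold:
            alerts.append({"dst": dst, "dport": dport, "hosts": best[0],
                           "start": best[1], "end": best[2]})
    return alerts


if __name__ == "__main__":
    for alert in fan_in_alerts(parse_flows(FLOWS)):
        print(f"{alert['hosts']} hosts -> {alert['dst']}:{alert['dport']} "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
```

The second destination never trips the rule because no 10-minute window ever holds more than one distinct source, which is the "given enough time, a pattern will be discovered" point in the comment: the same hosts reaching the same server is only suspicious when the timing is correlated. In practice the records would come from a firewall, proxy or NetFlow export rather than a string literal, and the threshold should be set against a baseline of what the network normally looks like.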

You don't have to. (1)

khasim (1285) | more than 4 years ago | (#31192688)

All you need to do is verify that the files on the drive are the files released by the vendor(s). An extra step would be to make sure that they're the most recently patched versions as well.

That can be done with a bootable Linux CD and a list of the various files, their locations and different checksums of each of them.

Anything that isn't on that list is suspect and can be quarantined.

The advantage of a system like that is that it is easy to use to spot even unknown rootkits.
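The offline integrity check the comment sketches, as an added example (not the poster's code and not any vendor's tool): compute a hash of every file under a mounted volume and compare it with a known-good manifest, reporting files that were modified, files missing from disk, and files that appear on disk but are absent from the manifest. The directory layout, file names and manifest are constructed inside the example; in real use the manifest would come from the vendor and be stored off the machine, and the scan would run from boot media so that a rootkit on the installed system cannot filter the reads.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Used here to create the constructed known-good list; in practice the
    manifest is supplied by the vendor, never computed on the suspect box."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare what is on disk against the manifest.

    ok       - present and hash matches
    modified - present but hash differs (patched by someone, or tampered)
    unknown  - on disk but not in the manifest: the "suspect" bucket
    missing  - in the manifest but absent from disk"""
    found = build_manifest(root)
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    for rel, digest in found.items():
        if rel not in manifest:
            report["unknown"].append(rel)
        elif manifest[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(manifest) - set(found))
    return report


def demo() -> dict:
    """Constructed scenario: a tiny 'system32' tree, a manifest taken while it
    is clean, then one file altered, one removed and one unexpected file added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "example.dll").write_bytes(b"clean library bytes")
        (sys32 / "drivers" / "example.sys").write_bytes(b"clean driver bytes")
        (sys32 / "example.exe").write_bytes(b"clean program bytes")
        manifest = build_manifest(root)          # the known-good list

        # Simulated changes after the manifest was taken (all constructed).
        (sys32 / "drivers" / "example.sys").write_bytes(b"clean driver bytes" + b"\x00" * 16)
        (sys32 / "example.exe").unlink()
        (sys32 / "drivers" / "extra.sys").write_bytes(b"not in the manifest")

        return verify_tree(root, manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:8s} {files}")
```

A manifest like this has to be versioned: every patch legitimately changes hashes, so the "extra step" in the comment of checking for the latest patched versions amounts to keeping one manifest per patch level and matching against the one the machine claims to be on. Anything that ends up in `unknown` or `modified` is what gets quarantined for a closer look.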

Re:Better than not knowing that you've been rooted (0)

Anonymous Coward | more than 4 years ago | (#31192728)

You can not secure Windows without unplugging it from the network. There was a CIO of one company which got hacked and he ended up quiting saying something much the same. Businesses who insist on Windows are insisting on something which is very very difficult to secure.

The funny thing is that you can replace Windows by Linux, *BSD or any other OS/Kernel and the sentence still applies! Let's not be fucking retarded and assume this is a Windows thing.

Broaden their test base (2, Funny)

Itninja (937614) | more than 4 years ago | (#31190986)

Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

Re:Broaden their test base (1)

The Angry Mick (632931) | more than 4 years ago | (#31191090)

Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

While I'm not sure how they would go about testing against future viruses, short of bringing Johnny Carson's Carnac out of retirement, you would think that at the very least they could add a rootkit scanner to the front of the update. That way the update could fail gracefully with a note explaining why it couldn't proceed, along with a list of steps necessary to get the system clean, and helpful telephone numbers to the three major credit bureaus . . .

Re:Broaden their test base (1)

courtjester801 (1415457) | more than 4 years ago | (#31191300)

They can't win this one. If they add what amounts to a minor virus scan to the start of any patch installation, you force the user to wait X+Y minutes, interrupting their work (or play, or whatever); if they don't, the end user only has to wait X minutes, but with a minor potential for a BSOD. I pity the person that does a fresh install and downloads all eleventy billion patches that require reboots in between.

Had the users done their own regular and updated virus scanning, this likely wouldn't have been an issue.

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191394)

did this TWICE this past month. Since they were well known brands without os install disks, doing a restore on them put them back to clean winxp sp2! This then required updating windows update, then 90ish patches, then sp3 update, then 60ish patches, then downloading ie8... and updates, and .net 1 and 3.5 and more updates and more updates and more reboots. Every hour or so for 4 evenings I hit update, then came back later. It took forever.

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191466)

My question is, why download the first 90ish patches at all? Just download the SP3 cumulative update. That right there would save you who knows how many restarts.

Re:Broaden their test base (1)

Jaysyn (203771) | more than 4 years ago | (#31191598)

Even better, slipstream the damn things with nLite.

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191668)

There are also mechanisms to be able to download all the patches up to a certain date, so an XP install can go like this:

Unplug box from LAN segment (or turn off wireless)
Install XP
Install SP3
Install patches
Install MSE
Install MBSA
Make sure firewall is up.
Plug box back into LAN segment.
Run MBSA to make sure that all system files are up to par. Since it uses a different mechanism than Windows Update to validate patch levels, one will be able to tell if something isn't patched or not.
Install apps, and go from there.
Optionally, have an external hard disk attached to the machine, so you can do a disk image of the system. This way, a subsequent reinstall is just a boot from recovery media and restore from image, as opposed to a time consuming reinstall.

Re:Broaden their test base (1)

Itninja (937614) | more than 4 years ago | (#31191514)

You need to learn how to slipstream all that stuff into one install disc. It's way faster...

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191952)

Did you miss the part where he pointed out that consumer PCs no longer ship with a copy of the OS installation media?

Re:Broaden their test base (1)

kent_eh (543303) | more than 4 years ago | (#31191998)

You need to learn how to slipstream all that stuff into one install disc. It's way faster...

Except he didn't have install disks

they were well known brands without os install disks,

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191660)

I didn't know there were 110,000,000,000 windows patches, but it wouldn't surprise me.

Re:Broaden their test base (1)

X0563511 (793323) | more than 4 years ago | (#31192254)

Apparently you know little about this rootkit.

It gets updated daily, sometimes more often. The crackers are working in realtime to keep it ahead of security.

Re:Broaden their test base (1)

dave562 (969951) | more than 4 years ago | (#31191872)

And how is that going to work? They're going to ship out their patches on DVDs that you have to boot the machine from? People already bitch about having to reboot their servers once a month. Can you imagine having to physically visit every server with a DVD / USB stick? Give me a break.

Re:Broaden their test base (1, Funny)

timholman (71886) | more than 4 years ago | (#31191138)

Microsoft needs to start testing against all known (and future) viruses and other malware. It just makes sense.

Trivially done.

IF OS_VERSION = "Windows XP/Vista/7" then MALWARE_FOUND = TRUE.

Re:Broaden their test base (0)

Anonymous Coward | more than 4 years ago | (#31191228)

I don't usually use Microsoft products, but when I do, I run Windows 95.

Re:Broaden their test base (3, Funny)

zappepcs (820751) | more than 4 years ago | (#31191566)

Just have patches issued by McAfee and Symantec... that will fix the problem, for certain.

Most effective mechanism for making a safer 'net (5, Interesting)

Nzimmer911 (1553899) | more than 4 years ago | (#31191004)

I think that this approach should become the industry standard for retaliation against malware. What better way to force complacent users to cleanup their machines than to disable them? Less botnets = more bandwidth for the rest of us.

Huh? I thought Netcraft confirmed it was dead? (2, Funny)

Anonymous Coward | more than 4 years ago | (#31191008)

Huh? I thought Netcraft confirmed that BSD was dead. Oh waaaiiiitttt... BSOD
Ok nevermind

Good (1)

pwnies (1034518) | more than 4 years ago | (#31191012)

That seems a harsh way to find out that your Windows machine has been rooted.

Or a good way, as it will force people to find a way to fix it. Who knows, maybe it will even teach some people some things about the dangers of rootkits.

Re:Good (0)

Anonymous Coward | more than 4 years ago | (#31191202)

Unfortunately, it's equally likely to cause people to stop updating, which is an even worse problem.

Re:Good (2, Insightful)

mlts (1038732) | more than 4 years ago | (#31191800)

Even better, it gets the machine off the net, so other people are not victims of DDoS attacks, spam, automated scans, and other crap that might come from a botnet client.

I admit I sound like a jerk here, but I'd rather have a machine with a BSOD than a rootkitted box. Reinstalling or reimaging a machine may be a bit time consuming, but it is nowhere the time it would take to recover access to compromised bank accounts, Web accounts, gaming, and dealing with identity theft issues.

Dumbass users.. (0)

Anonymous Coward | more than 4 years ago | (#31191030)

Trying to blame Microsoft for their own fucktarded infections. Try not to click greetingcard.exe next time, Idiots.

Re:Dumbass users.. (1)

jimicus (737525) | more than 4 years ago | (#31191434)

I really do wish it was that simple.

The simple fact of the matter is that even with all the security turned on, even with all the updates being installed automatically you still can't avoid the odd rootkit. And there are several modern rootkits which are really hard to spot - most AV packages won't prevent them and they don't take over the machine to the point where you start to think "hang on a minute..... there's something wrong here".

Re:Dumbass users.. (1)

tigerhawkvok (1010669) | more than 4 years ago | (#31191742)

Really? I run mostly windows systems and haven't gotten a virus, rootkit, or other miscellaneous malware in years. It really is their own damn fault. But then, they're the same people who complain about having to give their programs permissions as administrators on Windows, but not OSX or Linux ...

Re:Dumbass users.. (4, Interesting)

jimicus (737525) | more than 4 years ago | (#31192252)

48 hours ago I was notified of a laptop with a rootkit.

And I can tell you now, that laptop wasn't running slowly.

It wasn't redirecting web requests.

It wasn't doing any of the things you might associate with rootkits. Yet replacing the AV with an alternate product and the alternate product detected several real issues.

Frankly, if I hadn't been notified by our bank (whose security company had managed to get a site shutdown and get a list of all potentially compromised accounts) I would never have had a clue. I concede that the user had admin privs on their laptop but I'm given to understand that even that isn't a huge barrier to a lot of modern rootkits. Thank Christ the bank in question doesn't allow you to do anything without the use of a separate security device they ship you.

Talk about a rock and a hard place. I can't trust the laptop at all, and it was infected while running a regularly-updated copy of Symantec AV Enterprise, which suggests I can't necessarily rely on AV software to do what it says on the tin. Windows is obviously a lost cause unless I want to spend the rest of my life playing whack-a-mole, yet I don't think the Powers that Be will stomach a move to Linux (even though most of them haven't used Windows-specific software in years).

Answers on the back of a postcard....

Re:Dumbass users.. (3, Insightful)

X0563511 (793323) | more than 4 years ago | (#31192272)

and haven't gotten a virus, rootkit, or other miscellaneous malware in years. ... that made itself known.

Re:Dumbass users.. (1)

tigerhawkvok (1010669) | more than 4 years ago | (#31192836)

With several different anti-malware solutions (including but not limited to ESET, NOD32, MS, Symantec, and occasionally Spybot/HijackThis/etc.), nor shown entries in autoruns/procexp/etc., or the occasional outbound-traffic analysis.

They can be pretty hard to detect, but one that evades all of that is kinda magical.

No Worries (1)

organgtool (966989) | more than 4 years ago | (#31191062)

That seems a harsh way to find out that your Windows machine has been rooted.

Don't worry, I'm sure the author(s) of the rootkit released a patch within 24 hours that automatically updated the infected machines to make the rootkit "compatible" with the security update.

Re:No Worries (1)

psyque (1234612) | more than 4 years ago | (#31191140)

and don't worry about downloading said update. They've already done it for you.

Re:No Worries (4, Funny)

snowraver1 (1052510) | more than 4 years ago | (#31191244)

Prompt, efficient and convenient! Where can I buy this Root Kit?

Re:No Worries (1)

psyque (1234612) | more than 4 years ago | (#31191294)

No purchase necessary. Free delivery right to your registry.

Re:No Worries (1)

mmontour (2208) | more than 4 years ago | (#31191976)

Prompt, efficient and convenient! Where can I buy this Root Kit?

Sony will sell you one although it's not 100% compatible with the industry-standard ones and it lacks the features of the rootkit described in this article. On the plus side, Sony bundles a free music CD with theirs.

(Yeah, I know they've allegedly stopped doing that. Never forgive, never forget.)

Don't worry (5, Informative)

wiredog (43288) | more than 4 years ago | (#31191088)

The malware has been updated [theinquirer.net] so that it won't cause a crash.

Re:Don't worry (3, Funny)

Megahard (1053072) | more than 4 years ago | (#31191410)

If people would keep their machines updated with the latest rootkit and virus patches then this wouldn't happen.

Zero-day (5, Funny)

Anonymous Coward | more than 4 years ago | (#31192084)

This was a zero-day exploit that the virus writers didn't know anything about.

They got the patch out as quickly as they could.

Re:Don't worry (0)

Anonymous Coward | more than 4 years ago | (#31191694)

Okay. So, where I can download the patch?

Surprisingly their QA labs are not infected (-1, Troll)

EMG at MU (1194965) | more than 4 years ago | (#31191118)

I'm sure M$ puts this stuff through a lot of QA to ensure they don't release an update that causes a BSOD on a clean machine. Given the amount of malware infected/rooted/fucked up WIN32 machines out there, I would half-expect part of their QA team to validate updates/programs on infected machines.

I'm also surprised that none of their QA labs are infected with this rootkit.

Re:Surprisingly their QA labs are not infected (1)

Dan Ost (415913) | more than 4 years ago | (#31191986)

I'm not. They probably wipe and reinstall all their lab machines every time they test.

I wonder who else is preparing a patch... (1)

TheNarrator (200498) | more than 4 years ago | (#31191150)

I wouldn't be surprised if the rootkit authors were at work on a patch for this BSOD. They will of course send it out via auto-update.

Well at least the Norfolk town IT can rest easy (2, Funny)

Parallax48 (990689) | more than 4 years ago | (#31191180)

Sounds like we found the explanation for the Norfolk issue:
http://news.slashdot.org/story/10/02/17/196230/Time-Bomb-May-Have-Destroyed-800-Norfolk-City-PCs-Data [slashdot.org]

Re:Well at least the Norfolk town IT can rest easy (1)

gimmebeer (1648629) | more than 4 years ago | (#31191422)

Drat. I came here to say this.

Be Gentle (4, Funny)

e2d2 (115622) | more than 4 years ago | (#31191196)

That seems a harsh way to find out that your Windows machine has been rooted.

What do you want? Some cuddling before breaking the bad news?

"Sweety.. you got rooted" .. as it goes in the _wrong_ hole.

bsod (2, Insightful)

confused one (671304) | more than 4 years ago | (#31191206)

That seems a harsh way to find out that your Windows machine has been rooted.

There are plenty of people who think that tracking down all the machines in these botnets and disabling them is a reasonable way of dealing with the problem.

Re:bsod (1)

characterZer0 (138196) | more than 4 years ago | (#31191448)

That is the only effective way of dealing with the problem.

The alternatives are to ignore the problem.

Re:bsod (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31191484)

I've read an article about this, it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

Re:bsod (2, Insightful)

kent_eh (543303) | more than 4 years ago | (#31192098)

I've read an article about this, it mentions the possibility of such a machine handling the life support systems in a hospital. Major lawsuit there.

Yeah.
A lawsuit for whoever had an internet connected machine running a life-support system and set to auto-update.

Software updates on mission-critical systems should only happen manually, and after strict auditing.
I won't even bother addressing how much of a bad idea it would be to have a life-support machine able to access (or be directly accessed from) the internet.

ho8o (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31191332)

Can be like progRess. I8 1992, Believe their

Malicious Software Removal Tool (5, Funny)

HTH NE1 (675604) | more than 4 years ago | (#31191340)

So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

Re:Malicious Software Removal Tool (3, Insightful)

lgw (121541) | more than 4 years ago | (#31191572)

I would hope so. But the malware removal tool runs last in the Windows Update process. I've never understood why.

Last October, Dude (3, Informative)

westlake (615356) | more than 4 years ago | (#31192080)

So is Microsoft rushing out an update to their Malicious Software Removal Tool to clean up this rootkit?

Virus:Win32/Alureon.A [microsoft.com] Definition: 1.69.77.0 Released: Oct 23, 2009

Re:Malicious Software Removal Tool (1)

drinkypoo (153816) | more than 4 years ago | (#31192298)

Note that this entirely insightful comment has been modded Funny, so that it will already be score 5 without the poster's karma being incremented, thus effectively preventing the karma boost. This is the new form of astroturfer mod trolling. Expect to see a lot more of it soon.

Re:Malicious Software Removal Tool (1)

HTH NE1 (675604) | more than 4 years ago | (#31192546)

I don't mind getting zero karma for it. Unfortunately, there are people (including personal friends) who use their settings to treat Funny mods as a -1 or less and thus won't read it.

Not tech people! (1)

EMG at MU (1194965) | more than 4 years ago | (#31191540)

"It's better they find out this way than not at all" is not the correct reaction to this. This BSOD is going to happen to the layman a lot more frequently than a tech person. When a BSOD happens to a layman, they don't record the stop code and look it up to see what the error is. The layman will just take it to Geek Squad/local tech kid/vendor tech support and say "fix this, it's broken". They won't realize their machine was compromised. They won't change their computing habits so that their machines don't get infected in the future.

Assuming that the affected users will clean up their systems and become more secure is wishful thinking.

However (in a perfect world), if MS validated the files before patching/updating them, the user could be warned of their infection before their machine gets trashed. Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.

Re:Not tech people! (3, Insightful)

lgw (121541) | more than 4 years ago | (#31191618)

Yes, your solution involving non-technical people reading the text of pop-up messages will surely work. Especially a message that looks exactly like some malware, and which they've likely been warned to ignore. The taskbar icon that was added specifically to warn people to "install a firewall/update your browser/ run your AV" didn't work, but adding yet another pop-up will surely work this time.

Re:Not tech people! (1)

tigerhawkvok (1010669) | more than 4 years ago | (#31191934)

You'd get mod points if I had them!

Re:Not tech people! (2, Insightful)

archangel9 (1499897) | more than 4 years ago | (#31191674)

Maybe an error message saying "We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/ run your AV". That way, instead of confusion and anger from a BSOD, the user will be educated and possibly secure their system.

I see those words on the screen all the time. The problem is, they're delivered by cleverly designed, socially engineered malware. The next generation of malware will do the same thing and imitate the "new" default messages that Windows gives. How many people per day/week/month fall for the same "Your system is compromised, please click here and purchase this product" every day, regardless of the bad grammar and spelling contained in the message? As long as I've been in IT, there still isn't a good way to educate users who shirk all personal responsibility and refuse to engage their thought processes when it comes to PCs. The world just keeps making better idiots.

Re:Not tech people! (1)

ColaMan (37550) | more than 4 years ago | (#31191712)

"We detect that your machine is infected with a rootkit, all of your personal information is in danger of being stolen. Please install a firewall/update your browser/run your AV"

Typical user response:

OMG WTF IS THIS SHIT I JUST WANT TO PLAY ONLINE POKER WHAT IS MICROSOFT DOING I DONT UNDERSTAND!?!?!

Re:Not tech people! (1)

EMG at MU (1194965) | more than 4 years ago | (#31191856)

While I think all 3 of you are accurate in predicting the typical user response, I still think a message clearly indicating what is wrong is still a lot better than a BSOD. There will always be users who disregard system messages, but I believe a warning message will educate more users than a BSOD.

Re:Not tech people! (3, Informative)

BradleyUffner (103496) | more than 4 years ago | (#31192200)

However (in a perfect world), if MS validated the files before patching/updating them, the user could be warned of their infection before their machine gets trashed.

Rootkits are designed to hide their presence from the operating system. They can hook file system calls and return what looks like the proper version of the file to anything trying to read it. Once something is hooked into the machine at a low enough level, the only way to detect it is to boot from a non-infected startup disk and scan the infected volume.
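The offline scan this comment describes, as an added example that is not part of the thread: a small Python integrity checker that hashes files on a mounted volume and compares them against a known-good manifest taken earlier. It assumes it is run from clean boot media (so the kernel doing the reads is trustworthy); the directory layout, driver file names and tampering scenario are constructed for the demo and do not correspond to any real Windows files or to Alureon's actual behaviour.

```python
"""Offline file-integrity check against a known-good hash manifest.

Intended to run from clean boot media against a mounted, possibly
infected volume. If the scan were run on the live (hooked) system, the
rootkit could serve the original bytes back to the hashing routine,
which is exactly why the comment above says to boot from a clean disk.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large driver images don't load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Snapshot every regular file under root as {relative posix path: sha256}."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the volume under root with the manifest.

    Returns three sorted lists: files whose hash matches, files whose
    content changed, and files that are listed but no longer present.
    """
    result: dict[str, list[str]] = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        target = root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_of(target) == expected:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean tree, tamper with it, rescan.

    File names and contents are made up for the example; none of this is
    real driver data.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "drivers"
        drivers.mkdir()
        (drivers / "driver_a.sys").write_bytes(b"clean driver image A (constructed)")
        (drivers / "driver_b.sys").write_bytes(b"clean driver image B (constructed)")
        (drivers / "driver_c.sys").write_bytes(b"clean driver image C (constructed)")

        manifest = build_manifest(root)  # the "known good" baseline

        # Simulate an infection patching one driver in place and removing another.
        (drivers / "driver_a.sys").write_bytes(
            b"clean driver image A (constructed)" + b"\x90" * 8
        )
        os.remove(drivers / "driver_b.sys")

        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

In practice the manifest would come from the vendor's signed catalogue or from a hash taken when the machine was known clean, and the scan would be pointed at the mounted system volume rather than a temp directory; the logic is the same.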

BSOD (0, Flamebait)

jdcope (932508) | more than 4 years ago | (#31191656)

Now maybe MS can figure out which update is producing the BSOD on Win7 64bit machines.

Re:BSOD (1)

Skuld-Chan (302449) | more than 4 years ago | (#31191864)

I haven't seen this myself - and I have a lot of Windows 7 x64 machines :/.

Why it happens (0)

Anonymous Coward | more than 4 years ago | (#31191666)

Come off the high horses.

We all know that an OS resides in RAM rather than ROM for the sole purpose of making rootkits (by law enforcement etc.) possible.

Don't use old software (0, Troll)

Scarumanga (1022717) | more than 4 years ago | (#31191678)

One solution would be to not use ancient operating systems that are 10 years old.

rooted? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31191684)

People need to stop referring to Windows boxes as being rooted .... Windows does not, nor has it ever had, a root account.

Good Job, Microsoft! (2, Insightful)

Culture20 (968837) | more than 4 years ago | (#31191992)

And I mean that sincerely. Please BSOD more botnets.

But the fix will break Alureon! (1)

John Hasler (414242) | more than 4 years ago | (#31192008)

> Users affected by this problem can fix it by replacing the infected driver
> with a new one via the system console.

But that would break Alureon! Is an update available for it?

I remember.... (0)

Anonymous Coward | more than 4 years ago | (#31192138)

some dude saying that Microsoft products were safer [slashdot.org] because of people getting paid for it and that kind of crap... I would like to see his face now

Finding out you were rooted (1)

stiggs (744750) | more than 4 years ago | (#31192190)

Is a value in and of itself. I have even more sympathy for those who have another rootkit, and have yet to find out, than I do for those who had a BSOD which caused them to either a) stop using their computer entirely and reformat or b) fix the BSOD and rootkit. Actually I have plenty of sympathy for both since I don't use Windows at all.

Why Isn't There A Good Botnet That Kills (0)

Anonymous Coward | more than 4 years ago | (#31192624)

bad botnets?

Hackers want to know.

Yours In Karachi,
K. Trout
