MS10-015 Blue Screens due to TDL3 rootkit infection
Posted on February 18th, 2010 at 05:05
Fascinating.
Last week I wrote about Microsoft’s security patch MS10-015 causing Blue Screens of Death on some machines: if you install MS10-015/KB 977165, or it gets installed for you, your machine may BSOD on reboot. Every reboot.
Marco Giuliani on the Prevx site has this explanation:
The TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem resides in the laziness of the rootkit writers when writing the driver infection routine.
When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them, so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.
This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.
The good news is that the TDL3 authors care about us and they released, in a couple of hours, a new updated version of the rootkit compatible with the Microsoft patch.
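Why a hard-coded RVA stops working after a kernel update is easy to see by diffing export RVAs between two builds of the same image. The following is an added example, not code from this post or from Prevx: a minimal PE32 export-directory parser plus a diff of export RVAs between two constructed stand-in kernel images (the export names are real ntoskrnl exports; the images, their layout and the RVAs are made up for the demonstration).

```python
import struct

def export_rvas(image: bytes) -> dict:
    """Return {export name: function RVA} from a flat PE32 image (RVA == offset)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    opt = e_lfanew + 24                                      # optional header follows the 20-byte file header
    assert struct.unpack_from("<H", image, opt)[0] == 0x10B  # PE32 magic
    exp = struct.unpack_from("<I", image, opt + 96)[0]       # DataDirectory[EXPORT].VirtualAddress
    n_names, fn_tbl, name_tbl, ord_tbl = struct.unpack_from("<IIII", image, exp + 0x18)
    out = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, name_tbl + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode()
        ordinal = struct.unpack_from("<H", image, ord_tbl + 2 * i)[0]
        out[name] = struct.unpack_from("<I", image, fn_tbl + 4 * ordinal)[0]
    return out

def build_image(exports: dict) -> bytes:
    """Construct a minimal synthetic PE32 image whose export table carries the given RVAs."""
    names = list(exports)
    exp = 0x1000                                  # export directory placed here (constructed layout)
    fn_tbl, name_tbl = exp + 40, exp + 40 + 4 * len(names)
    ord_tbl = name_tbl + 4 * len(names)
    pos = ord_tbl + 2 * len(names)                # name strings follow the three tables
    blob = bytearray(0x2000)
    struct.pack_into("<I", blob, 0x3C, 0x80)      # e_lfanew
    blob[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", blob, 0x80 + 24, 0x10B)
    struct.pack_into("<II", blob, 0x80 + 24 + 96, exp, 40)
    struct.pack_into("<IIII", blob, exp + 0x14, len(names), len(names), fn_tbl, name_tbl)
    struct.pack_into("<I", blob, exp + 0x24, ord_tbl)
    for i, n in enumerate(names):
        struct.pack_into("<I", blob, fn_tbl + 4 * i, exports[n])
        struct.pack_into("<I", blob, name_tbl + 4 * i, pos)
        struct.pack_into("<H", blob, ord_tbl + 2 * i, i)
        blob[pos:pos + len(n)] = n.encode()
        pos += len(n) + 1                         # leave the NUL terminator in place
    return bytes(blob)

def stale_offsets(old_image: bytes, new_image: bytes) -> dict:
    """Exports whose RVA moved: an offset cached from the old build is wrong in the new one."""
    old, new = export_rvas(old_image), export_rvas(new_image)
    return {n: (old[n], new.get(n)) for n in old if new.get(n) != old[n]}

# Constructed stand-ins for a pre-patch and a post-patch kernel: real export names, made-up RVAs.
OLD_KERNEL = build_image({"ExAllocatePool": 0x1A2B0, "IofCallDriver": 0x23F10, "KeBugCheckEx": 0x30000})
NEW_KERNEL = build_image({"ExAllocatePool": 0x1A2B0, "IofCallDriver": 0x24080, "KeBugCheckEx": 0x30110})
STALE = stale_offsets(OLD_KERNEL, NEW_KERNEL)   # the two entries whose cached RVA no longer matches
```

Any entry in STALE is an address the old, hard-coded RVA would now compute wrongly, which is exactly the class of call that faulted after the patch. A driver that resolves exports by name at load time sees no such entry.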
15 responses to “MS10-015 Blue Screens due to TDL3 rootkit infection”
-
Susan Wolf February 18th, 2010 at 05:52
The articles I’ve read say the BSOD is only (mainly) found on computers running XP. One says that Microsoft has yanked the patch until further notice.
http://www.theinquirer.net/inquirer/news/1592421/microsoft-security-patch-flaw-plugged-hackers
http://news.techworld.com/security/3212888/hackers-fix-malware-behind-windows-xp-bsod/
Isn’t Windows 7 supposed to be immune from rootkits?
-
rc primak February 18th, 2010 at 12:05
I saw another report which labeled the infection TDLS. Possibly a new variant? These types of rootkits have been around for a while. It seems strange that the AV companies have yet to eradicate them. How nice of the rootkit writers to offer an update to avoid the BSOD.
-
Woody,
Can you point your readers to a reliable website that will check for (and remove) this rootkit? Thanks.
-
RC -
Different name, same basic idea. TDL3 is morphing almost daily.
-
Susan -
I wouldn’t say that Win7 is “immune” but I would say it’s an order of magnitude harder to write a rootkit for Vista than for XP, and another order of magnitude harder for Win7. Yes, both TDL3 and the BSOD seem to be confined to WinXP machines.
-
Marty -
I don’t have an infected machine, but Hitman Pro seems to be well regarded.
-
I have almost no understanding of all this. I have XP and am waiting for Woody’s OK to install patches, as usual. (I did slip during the last virus scare....)
-
Russell February 19th, 2010 at 04:58
Important news: http://blogs.zdnet.com/microsoft/?p=5314
-
@Susan: Microsoft has NOT completely removed the KB977165 security update from their web site. It may not be currently available from Windows Update for Windows 2000/XP. However, when I used the Windows Update feature on my mom’s Vista laptop yesterday, it DID offer the Vista version of the KB977165 update, but it was NOT selected (checkbox was UNchecked). Also, the KB977165 updates are still available for download at the Microsoft Download Center.
@Woody: My cousin who resides in San Diego told me yesterday that the KB977165 update put his XP computer out of commission (ouch!). He had to do a “repair” installation of XP just to undo the mess KB977165 caused.
-
H Davis February 22nd, 2010 at 09:47
My Windows Update is set to notify me but not download or install automatically. I installed all the Feb updates for my XP but unchecked the offending patch. Windows Update still shows the shield saying this update is available for download and install. Some have said that this update was withdrawn but it still shows on my machine as available and ready to download. If I check the box telling it not to notify me of this update again I might miss the updated patch. How can I tell when the “fixed” patch is available?
-
H -
I’ll let you know. But there’s no need to install it anyway. Wait for the all-clear…
-
Sanda -
Hang tight.
-
rc primak February 23rd, 2010 at 05:25
@Russell –
Thanks for the update. But this rootkit morphs so often that I would not rely solely on a Microsoft removal tool, unless we all install and update Microsoft Security Essentials, which presumably can catch the rootkit and undo the damage before we go to MS Updates. Hence, no more Blue Screen problem. Or so one hopes.
-
Just got off the phone (about an hour-long session) with an MS Customer Support tech.
My system would not function with cumulative update KB977165 (MS10-015) installed, as on reboot “Windows Explorer Stopped Working” pops up and goes into a loop of attempting to restart Windows Explorer... forcing a System Restore (and restart) to make the system functional.
I scanned my system with MSSE and the Kaspersky TDSSKiller (for a rootkit infection) and both finished clean. The MS tech said that MS10-015 has known problems (beyond the BSOD issue if your system is infected with a rootkit virus).
MS10-015 may be re-offered (after MS determines a fix) at a later date.
Both offending updates MS10-002 and 015 are now “hidden” in my Windows Update.
Bottom line, beware of MS10-015, it has (serious) issues, even if your system is not infected with a rootkit virus.
Also MS10-002 has known issues (IE patch).
-
Ed -
Sage advice…