Newsletter Archives
-
Alureon rootkit tops the list of malware caught this month
See the details in my new InfoWorld Tech Watch blog.
-
MS10-015 Blue Screens due to TDL3 rootkit infection
Fascinating.
Last week I wrote about Microsoft’s security patch MS10-015 causing Blue Screens of Death on some machines: if you install MS10-015/KB 977165, or it gets installed for you, your machine may BSOD on reboot. Every reboot.
Marco Giuliani on the Prevx site has this explanation:
TDL3 rootkit looks incompatible with the MS10-015 update. This is the cause of the BSOD. The problem resides in the laziness of rootkit writers when writing the driver infection routine.
When the rootkit dropper is run, the infection calculates the RVA offsets of some Windows kernel APIs and hard-codes them so that at every restart the portion of the rootkit loader injected inside the infected driver can use these offsets to immediately calculate the address of the wanted functions.
This worked well until the MS10-015 update, when Microsoft updated the Windows NT kernel. This update changed those offset values and consequently broke the rootkit code. When the update procedure is finished, the system is restarted. At system restart, the rootkit code tries to call a non-valid address and this causes the BSOD.
Good news is that TDL3 authors care about us and they released in a couple of hours a new updated version of the rootkit compatible with the Microsoft patch.
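To make the mechanism Giuliani describes concrete, here is an added example (my own illustration, not code from the newsletter, from Prevx, or from the rootkit) of why a cached kernel RVA breaks across a kernel update. It models a kernel image as a flat buffer with a simplified PE export directory (function, name and ordinal tables, as in IMAGE_EXPORT_DIRECTORY), builds a "before patch" and an "after patch" image in which two exports have moved, and then compares the two strategies: reusing an RVA resolved at infection time, versus re-resolving by name against the kernel actually present at boot. The export names are real ntoskrnl exports chosen for illustration; the RVAs, the fixed directory location and the layout are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a flat "kernel image" with a simplified PE export
 * directory. A real ntoskrnl's directory is found through the optional
 * header's data directory; here it sits at a fixed RVA to stay self-contained. */
#define IMG_SIZE       0x1000
#define EXPORT_DIR_RVA 0x100
#define FUNC_TABLE_RVA 0x200
#define NAME_TABLE_RVA 0x300
#define ORD_TABLE_RVA  0x400
#define STRINGS_RVA    0x500
#define PADDING_BYTE   0xCC   /* int3: landing here faults, i.e. the bug check */

/* Field order as in the tail of IMAGE_EXPORT_DIRECTORY (other fields omitted). */
typedef struct {
    uint32_t NumberOfFunctions;
    uint32_t NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions]: function RVAs */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames]: RVAs of C strings  */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames]: index into functions */
} export_dir_t;

typedef struct { const char *name; uint32_t rva; } export_spec_t;

static const uint8_t PROLOGUE[4] = {0x48, 0x89, 0x5C, 0x24}; /* mov [rsp+8], rbx */

static void put32(uint8_t *img, uint32_t rva, uint32_t v) { memcpy(img + rva, &v, 4); }
static void put16(uint8_t *img, uint32_t rva, uint16_t v) { memcpy(img + rva, &v, 2); }
static uint32_t get32(const uint8_t *img, uint32_t rva) { uint32_t v; memcpy(&v, img + rva, 4); return v; }
static uint16_t get16(const uint8_t *img, uint32_t rva) { uint16_t v; memcpy(&v, img + rva, 2); return v; }

/* Lay out a fake kernel exporting the given names at the given RVAs. */
static void build_image(uint8_t *img, const export_spec_t *exps, uint32_t n)
{
    export_dir_t dir = { n, n, FUNC_TABLE_RVA, NAME_TABLE_RVA, ORD_TABLE_RVA };
    uint32_t str_rva = STRINGS_RVA;
    memset(img, PADDING_BYTE, IMG_SIZE);
    memcpy(img + EXPORT_DIR_RVA, &dir, sizeof dir);
    for (uint32_t i = 0; i < n; i++) {
        size_t len = strlen(exps[i].name) + 1;
        put32(img, FUNC_TABLE_RVA + 4 * i, exps[i].rva);
        put32(img, NAME_TABLE_RVA + 4 * i, str_rva);
        put16(img, ORD_TABLE_RVA + 2 * i, (uint16_t)i);
        memcpy(img + str_rva, exps[i].name, len);
        str_rva += (uint32_t)len;
        memcpy(img + exps[i].rva, PROLOGUE, sizeof PROLOGUE); /* fake function body */
    }
}

/* Walk the export directory and return the RVA of a named export, or 0 if absent.
 * A real loader binary-searches the sorted name table; linear search suffices here. */
static uint32_t resolve_export(const uint8_t *img, const char *name)
{
    export_dir_t dir;
    memcpy(&dir, img + EXPORT_DIR_RVA, sizeof dir);
    for (uint32_t i = 0; i < dir.NumberOfNames; i++) {
        uint32_t name_rva = get32(img, dir.AddressOfNames + 4 * i);
        if (strcmp((const char *)img + name_rva, name) == 0) {
            uint16_t ord = get16(img, dir.AddressOfNameOrdinals + 2 * i);
            return get32(img, dir.AddressOfFunctions + 4 * ord);
        }
    }
    return 0;
}

/* Does this RVA land on the start of a function in the image? */
static int is_function_start(const uint8_t *img, uint32_t rva)
{
    return rva != 0 && rva + sizeof PROLOGUE <= IMG_SIZE &&
           memcmp(img + rva, PROLOGUE, sizeof PROLOGUE) == 0;
}

/* Two kernel builds with the same exports. Names are real ntoskrnl exports used
 * for illustration; RVAs are made up. In the patched build the code ahead of two
 * functions grew, so their RVAs shifted, which is what broke TDL3 after MS10-015. */
static const export_spec_t KERNEL_BEFORE[] = {
    {"IoGetCurrentProcess", 0x800}, {"KeInsertQueueApc", 0x900}, {"ExAllocatePoolWithTag", 0xA00},
};
static const export_spec_t KERNEL_AFTER[] = {
    {"IoGetCurrentProcess", 0x800}, {"KeInsertQueueApc", 0x940}, {"ExAllocatePoolWithTag", 0xA40},
};
static uint8_t img_before[IMG_SIZE], img_after[IMG_SIZE];
static int built;
static void ensure_built(void)
{
    if (built) return;
    build_image(img_before, KERNEL_BEFORE, 3);
    build_image(img_after,  KERNEL_AFTER,  3);
    built = 1;
}

/* Resolved once against the kernel present when the dropper ran (the cached value). */
uint32_t resolve_at_infection_time(const char *name) { ensure_built(); return resolve_export(img_before, name); }
/* What a correct loader does every boot: resolve against the kernel actually installed. */
uint32_t resolve_against_patched_kernel(const char *name) { ensure_built(); return resolve_export(img_after, name); }
/* What the TDL3 loader effectively did: reuse the cached RVA on the patched kernel.
 * Returns 1 only if that RVA still hits a function start; 0 means it would fault. */
int cached_rva_survives_update(const char *name)
{
    return is_function_start((ensure_built(), img_after), resolve_at_infection_time(name));
}

int main(void)
{
    const char *names[] = {"IoGetCurrentProcess", "KeInsertQueueApc", "ExAllocatePoolWithTag"};
    for (int i = 0; i < 3; i++)
        printf("%-22s cached 0x%03x -> %s; re-resolved 0x%03x\n", names[i],
               (unsigned)resolve_at_infection_time(names[i]),
               cached_rva_survives_update(names[i]) ? "still valid" : "INVALID (would fault)",
               (unsigned)resolve_against_patched_kernel(names[i]));
    return 0;
}
```

The export whose RVA did not change keeps working, which is why an infected machine can survive some updates and then fall over on the next one; the two that moved now point into padding, the stand-in here for the invalid address that produced the bug check. The fix the rootkit authors shipped amounts to the right-hand column: resolve by name from the export directory of whatever kernel is loaded (on a real system a driver would call MmGetSystemRoutineAddress rather than walk the table itself).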