WinXP MS10-015 Restart Issues - Rootkit

Tagged: windows, Software
Source: threatpost
Posted: 6 years 35 weeks ago

Microsoft on Thursday confirmed that the blue screen of death (BSOD) issues that affected a slew of users after the latest batch of Patch Tuesday updates are the result of an existing infection by the Alureon rootkit.

There was widespread speculation after the patch release that simply installing the MS10-015 update was causing the BSOD condition on some 32-bit Windows machines. However, Microsoft said at the time that this was not the case and started an investigation into the problem. In an advisory released Thursday, the company said it was now confident that the restart problem is being caused by the Alureon rootkit.

"After extensive testing, Microsoft has confirmed that the restart issue is a result of Alureon rootkit infections," Microsoft's Jerry Bryant, senior security communications manager lead, said in a statement.

Alureon is a sophisticated malware package that comprises a number of components, including a rootkit, search hijacking functionality and the ability to modify DNS settings. One of the changes it makes when it's installed is a modification to a specific driver.

"For the most common system configuration (for machines using ATA hard disk drives), the ATA miniport driver ‘atapi.sys’ is the file which is targeted.

While the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver’s resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system," Microsoft's Scott Molenkamp wrote in a blog post on the MS10-015 issues. "As part of the February security updates, an update (MS10-015) resolving a vulnerability in Windows Kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the “ExAllocatePool” API. In the updated kernel, the VA of “ExAllocatePool” has changed. Therefore, after applying MS10-015, Alureon will now be attempting to make an invalid call."

That invalid call results in the BSOD or a system hang. Users affected by this problem can fix it by replacing the infected driver (atapi.sys on most systems) with a clean copy via the system console. Because Alureon is made up of several components, replacing the driver restores the machine's ability to boot but does not by itself remove the rest of the infection.
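The patch technique Molenkamp describes leaves a simple on-disk tell: a clean driver's entry point lives in a code section, while Alureon's modified atapi.sys has its entry point redirected into the resource section. The following is an added example, not code from Threatpost or from Microsoft's blog post, that parses the PE headers of a driver image and flags that condition. The two driver images it checks are constructed inline (header-only, with assumed section names and RVAs) rather than real atapi.sys files; against a live system you would point `check_entry_point` at the on-disk driver and, ideally, also compare its hash with a known-good copy.

```python
"""Heuristic integrity check for a Windows driver image in the style of the
Alureon atapi.sys patch: flag an entry point that lands in the resource
section instead of a code section.  Added example; the PE images used here
are constructed inline and are not real atapi.sys files."""
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000

SECTION_HEADER_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    off = opt + size_opt                                          # section table
    for _ in range(num_sections):
        name, vsize, va, _raw, _ptr, _rl, _ln, _nr, _nl, chars = struct.unpack_from(
            SECTION_HEADER_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "chars": chars})
        off += SECTION_HEADER_SIZE
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Find the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def check_entry_point(data):
    """Return a list of findings; an empty list means no Alureon-style anomaly."""
    entry_rva, sections = parse_pe(data)
    sec = section_for_rva(sections, entry_rva)
    if sec is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    findings = []
    if sec["name"] == ".rsrc":
        findings.append("entry point 0x%x lies in the resource section (.rsrc)" % entry_rva)
    if not sec["chars"] & IMAGE_SCN_CNT_CODE:
        findings.append("entry section %s is not flagged IMAGE_SCN_CNT_CODE" % sec["name"])
    if not sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry section %s is not flagged IMAGE_SCN_MEM_EXECUTE" % sec["name"])
    return findings


def build_pe(entry_rva, sections):
    """Construct a minimal header-only PE32 image (constructed test data, not a real driver)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xE0                                   # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Assumed layout of an ATA miniport driver: code in .text, resources in .rsrc.
DRIVER_LAYOUT = [
    (".text", 0x1000, 0x5000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", 0x6000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
CLEAN_DRIVER   = build_pe(0x1234, DRIVER_LAYOUT)      # entry point inside .text
PATCHED_DRIVER = build_pe(0x6100, DRIVER_LAYOUT)      # entry point redirected into .rsrc

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_DRIVER), ("patched", PATCHED_DRIVER)):
        print(label, check_entry_point(image) or "no anomaly")
```

The check is deliberately a heuristic: a rootkit that also rewrote the section flags would still trip the `.rsrc` name test, and a driver whose entry point falls outside every section is reported on its own. Neither finding proves infection, but a driver that boots with its entry point in the resource section should be treated as tampered and compared against a known-good copy.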