Wednesday, February 17, 2010
The Microsoft Security Response Center (MSRC)
Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit. We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third-party applications and software. The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which place these systems in an unstable state. In every investigated incident, we have not found quality issues with security update MS10-015.
This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state. These types of infections often leave the machine in such an unstable state that it cannot be reliably tested. This is because malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address, which usually happens when an executable is loaded. The chain of events in this case was that a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently, MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot, the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.
According to security vendor Prevx, which names the rootkit TDL3/TDSS, the malware authors have released an updated rootkit version compatible with the Microsoft patch. Too bizarre, but anyway: MS10-015? TDL3 authors “apologize”



