Posted by: kurtsh | February 20, 2010

INFO: The Final Word on the “Blue Screen” effect of MS10-015 a.k.a. Patch 971486

The bottom line is that people whose computers fail after applying patch 971486 were unknowingly infected with the Alureon rootkit.  No Windows 7 x64 or Windows Server 2008 R2 (x64) installations were affected.  This was the conclusion of the Microsoft Security Response Center, the braintrust of the best minds that Microsoft has in antimalware, security, & PC protection.

Applying the patch for the vulnerability known as “Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)” will cause a “bug check” or a “blue screen” when the Alureon rootkit is installed on your machine.

Windows 7 x64 and Windows Server 2008 R2 (x64) are not affected due to kernel-level rootkit detection built into those products.

The Microsoft Security Response Center (MSRC) wrote a very detailed explanation of their testing methodology and how they arrived at the conclusion that the people affected are victims of “Alureon rootkit infection” but just didn’t know it until today.

Update – Restart Issues After Installing MS10-015 and the Alureon Rootkit

Posted Wednesday, February 17, 2010 6:29 PM by MSRCTEAM


We wanted to provide you with an update on our ongoing investigation into the “blue screen” issues affecting a limited number of customers who installed MS10-015.  We have been working around the clock with our customers, partners and several teams at Microsoft to determine the cause of these issues.  Our investigation has concluded that the reboot occurs because the system is infected with malware, specifically the Alureon rootkit.  We were able to reach this conclusion after the comprehensive analysis of memory dumps obtained from multiple customer machines and extensive testing against third party applications and software.  The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state.  In every investigated incident, we have not found quality issues with security update MS10-015.  Our guidance remains the same: customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.

Customers continue to emphasize the importance of quality updates, and that high quality updates encourages quicker deployment.  While the issue customers are experiencing with MS10-015 was caused by a malware infection and not a problem with the security update, we wanted to use this event as an opportunity to explain why this issue was not caught during testing, and how we respond to reported issues in our security updates.

This issue was not caught as part of our testing because oftentimes when malware is present, infected systems are put in an unstable state.  These types of infections often leave the machine in such an unstable state that it cannot be reliably tested.  This is because malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address, which usually happens when an executable is loaded.  The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine.  Subsequently, MS10-015 was downloaded and installed, during which the location of Windows code changed.  On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.

Microsoft has taken steps to deter tampering with the Windows Kernel using technologies like Kernel Patch Protection (sometimes referred to as PatchGuard) and Kernel Mode Code Signing (KMCS), both of which are enabled in 64-bit systems.  These technologies make it possible to detect when integrity checks fail. The different versions of Alureon that we have investigated only infect 32-bit systems and would fail to infect 64-bit systems. That said, it is important to note that running as a standard user instead of using an administrator account is a best practice that in most cases will prevent kernel mode malware from infecting a system. Similarly, keeping anti-virus signatures current will also prevent most malware infections. Additionally, since we have determined that 64-bit systems are not affected, we are opening Automatic Updates for these platforms.

Customers who are interested in additional technical details of what the Windows Kernel is can learn more here.

…more available at source
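The MSRC explanation above comes down to one mechanism: the rootkit had recorded where a kernel routine sat in memory, the update moved that routine, and the recorded address was still called. The following C simulation is an added example, not code from the blog, from MSRC, or from the rootkit. It models a kernel image as a small table of routines whose slot index stands in for a code address; the routine names (`NtOpen`, `NtRead`, `NtClose`, `NtFlush`) and the update that inserts a routine are constructed for illustration. It contrasts a cached slot number with a lookup by export name, and adds the kind of staleness check a driver or integrity monitor would want: does a recorded address still correspond to the routine it was supposed to reach?

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy "kernel": three system routines, plus one that the update adds. */
static int nt_open(int x)  { return x + 1; }
static int nt_read(int x)  { return x * 2; }
static int nt_close(int x) { return x - 1; }
static int nt_flush(int x) { return x * 3; }   /* routine introduced by the hypothetical update */

typedef int (*routine_t)(int);

#define MAX_SLOTS 8
struct kernel_image {
    routine_t   code[MAX_SLOTS];        /* slot index plays the role of a code address */
    const char *export_name[MAX_SLOTS]; /* export table: the supported way to find a routine */
    size_t      count;
};

/* Lay out the image. With `updated` set, the new routine is inserted in the middle,
 * shifting every routine after it to a different slot, just as a code change in a
 * kernel binary moves the functions that follow it. */
static struct kernel_image build_image(int updated)
{
    struct kernel_image img;
    size_t n = 0;
    memset(&img, 0, sizeof img);
    img.code[n] = nt_open;  img.export_name[n++] = "NtOpen";
    if (updated) { img.code[n] = nt_flush; img.export_name[n++] = "NtFlush"; }
    img.code[n] = nt_read;  img.export_name[n++] = "NtRead";
    img.code[n] = nt_close; img.export_name[n++] = "NtClose";
    img.count = n;
    return img;
}

/* Supported approach: resolve a routine by name against the image that is actually loaded.
 * Returns the slot, or -1 if the export does not exist. */
static long resolve_export(const struct kernel_image *img, const char *name)
{
    for (size_t i = 0; i < img->count; i++)
        if (strcmp(img->export_name[i], name) == 0)
            return (long)i;
    return -1;
}

/* Unsupported approach, as the text attributes to Alureon: call a slot recorded earlier
 * and never re-resolved. A slot outside the image returns -1 (the analogue of a bug check). */
static int call_cached_slot(const struct kernel_image *img, long cached_slot, int arg)
{
    if (cached_slot < 0 || (size_t)cached_slot >= img->count)
        return -1;
    return img->code[cached_slot](arg);
}

/* Convenience wrappers over a freshly built image, so each question is one call. */
static long slot_of(int updated, const char *name)
{
    struct kernel_image img = build_image(updated);
    return resolve_export(&img, name);
}

static int call_slot(int updated, long slot, int arg)
{
    struct kernel_image img = build_image(updated);
    return call_cached_slot(&img, slot, arg);
}

/* Defender's check: a recorded slot is stale when the loaded image's export table
 * no longer places the expected routine there. */
static int cached_slot_is_stale(int updated, long cached_slot, const char *expected)
{
    return slot_of(updated, expected) != cached_slot;
}

/* Replay the chain of events from the text: NtRead's slot is recorded on the
 * pre-update image, the update lands, and the recorded slot is called again.
 * Returns 1 if the cached call now reaches a different routine than a fresh lookup. */
static int replay_scenario(void)
{
    long cached       = slot_of(0, "NtRead");            /* recorded before the update: slot 1 */
    int  via_cached   = call_slot(1, cached, 10);        /* after the update slot 1 is NtFlush: 30 */
    int  via_resolved = call_slot(1, slot_of(1, "NtRead"), 10); /* fresh lookup: NtRead(10) = 20 */
    return via_cached != via_resolved;
}
```

In the toy, the stale call lands on a neighbouring routine and silently returns the wrong value; in a real kernel the recorded address can just as easily land in the middle of an instruction or in unmapped memory, which is the bug check the post describes. The point for defenders is the staleness check: anything that holds raw kernel addresses (third-party drivers included) should re-resolve them against the loaded image after an update rather than trust a value recorded earlier.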

FULL ARTICLE:  Update – Restart Issues After Installing MS10-015 and the Alureon Rootkit

