Thursday, February 18, 2010

Alureon/TDSS Rootkit and Restart Issues After Installing MS10-015

In an update regarding the restart issues after Security Bulletin MS10-015 (KB977165) is installed, Microsoft reported that the reboot occurs because the system is infected with malware, specifically what Microsoft refers to as the Alureon rootkit. The Alureon rootkit is more commonly known in the security community as the TDSS/Tidserv rootkit.

Although instructions are available for using the Recovery Console to uninstall KB977165, that method does not remove the rootkit, leaving the system severely compromised. To illustrate the type of control over the computer the rootkit has, as reported by Marco Giuliani in the Prevx Blog, the TDSS/Tidserv rootkit authors have already pushed an update taking care of the MS10-015 BSOD (blue screen of death):
"All TDL3 droppers have been server-side rebuilt every day during November, December, January and February. This allowed the authors to break weak signatures or badly written generic detection routines. Actually this was the only effective obstacle; otherwise only very few specific anti-rootkits are able to detect the infection when active.

Even the rootkit itself has been updated and armored, to defend itself against attack by a number of anti-rootkit-specific tools. It's funny following the full story of the rootkit, because it looks like a nice chess game between security vendors and malware authors. It's one of the few times you can see a team of rootkit writers counteracting security vendors almost in real time.

We already knew the rootkit is able to infect a system driver and to filter every disk I/O request by applying a strong filtering mechanism. Now the rootkit has added a watchdog thread able to prevent any change to the service registry key related to the infected driver. By doing so, it is able to block some basic cleanup tools.

Another self-defense feature added to the rootkit is that no one is able anymore to get a handle to the infected driver file. By doing so, the rootkit is preventing some cleanup tools from reading the content of the file. Prior versions of the rootkit allowed the infected file to be read, though they showed the clean copy of it. This trick was used by some security tools to recover the original clean copy of the file to restore."

If you have encountered this reboot issue after installing MS10-015, it is highly recommended that you back up important files and completely restore the system from a cleanly formatted disk. For assistance, see these Microsoft Help & How-to articles:
To determine if your computer is infected, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, the Windows Live OneCare safety scanner or ESET Online Scanner.
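As an added triage check (not from the original post, Prevx or Microsoft), the script below looks for one symptom the Prevx quote describes: a kernel driver whose image file exists on disk but refuses a read handle, which is what a cleanup tool would hit. Because the rootkit filters disk I/O on a live system, a clean result here proves nothing; treat any hit as a lead to confirm with an up-to-date scanner or from recovery media, and the registry paths and service type values used are standard Windows ones, not values from the post.

```powershell
# Enumerate service entries; Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER.
$services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
$findings = @()
foreach ($svc in $services) {
    $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or ($props.Type -ne 1 -and $props.Type -ne 2)) { continue }
    if ([string]::IsNullOrEmpty($props.ImagePath)) { continue }

    # Normalise the usual ImagePath forms: "\??\C:\...", "\SystemRoot\system32\..." or
    # the relative "system32\DRIVERS\foo.sys".
    $path = $props.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    # A missing file is a different problem (or a stale entry); only test files that exist.
    if (-not (Test-Path -LiteralPath $path)) { continue }

    try {
        # Open for read with a permissive share mode, as a scanner or cleanup tool would.
        $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
    } catch {
        $findings += [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = $path
            Error     = $_.Exception.GetType().Name
        }
    }
}

if ($findings.Count -eq 0) {
    'No existing kernel driver image refused a read handle.'
} else {
    'Driver files that refused a read handle (confirm offline, e.g. from recovery media):'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session; a non-elevated run will report access errors on legitimately protected files and produce false hits.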

In the event you are unable to locate the Windows XP CD or DVD and do not have the Recovery Console installed, free assistance is available from Microsoft by calling 1-866-PCSafety (1-866-727-2338) or from https://consumersecuritysupport.microsoft.com. International customers can find local support contact numbers here: http://support.microsoft.com/common/international.aspx.

Although with a rootkit re-installing the operating system is the recommended safe method for recovery, an alternative option if you have lost the installation media is the Kaspersky TDSS Killer tool.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...
