MS patch gets rooted

Investigations suggest that the blue-screen crashes seen after installing Microsoft's February patches are caused by a rootkit that was already present on the affected machines.

A couple of days after releasing February's "Patch Tuesday" round of updates, Microsoft became aware that a small number of customers were experiencing blue-screen crashes on Windows XP and Vista, leaving PCs that would not boot even in safe mode.

Microsoft quickly narrowed the problem down to MS10-015, which addresses an elevation-of-privilege vulnerability in the Windows kernel, and removed that update from the Windows Update distribution servers while it investigated.

It has now come to light that the actual cause of the blue-screen crashes is the TDSS rootkit (Microsoft's own name for the family is Alureon; one AV vendor's detection name is trok_tdss.sme, and others use their own), which was already present on the afflicted computers at the time MS10-015 was applied.

TDSS infects atapi.sys, the driver Windows uses to talk to IDE/ATAPI hard disks and similar devices. Because it is a boot-start driver it is loaded very early in the boot sequence, before any anti-virus product, which makes it a very good place to hide a rootkit. It also explains why the patch triggers the crash: the rootkit's injected code calls into the kernel at hard-coded addresses, MS10-015 replaces the kernel and moves them, and the machine faults as soon as the infected driver runs. Since that happens before safe mode has any say in which drivers load, safe mode does not help.

Microsoft has acknowledged that malware is a primary cause of the problem and has noted that, in order to get clean memory dumps from afflicted systems, its engineers have driven to the homes of affected users to make sure as much evidence as possible is collected.

IT professional Patrick W Barnes identified the problem and published simple instructions for repairing the afflicted file. Replacing atapi.sys with a clean copy fixes both problems: the blue screens vanish and the rootkit no longer loads. Two caveats apply. The replacement has to be done from outside the infected Windows (the Recovery Console or another boot environment), because a running TDSS filters disk reads of its host driver so that the file appears clean while the rootkit is active. And a machine that was rooted should still be treated as compromised even after the driver is swapped: have it fully scanned, or rebuilt, and change any passwords used on it.

The widely repeated suggestion to simply uninstall the patch leaves computer owners with two problems: the rootkit remains, and they are no longer protected against the vulnerability the patch addresses.
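The check-and-restore step above, as an added example that is neither the article's nor Patrick W Barnes' own instructions. It assumes the Windows XP layout implied by the article: the live driver at system32\drivers\atapi.sys and Windows' own reference copies in system32\dllcache (kept by Windows File Protection) and ServicePackFiles\i386 (both reference locations are assumptions, and directory-name case may differ on a real volume). It is meant to be run against the offline volume from a recovery boot or a second OS with the disk mounted, never from the infected Windows itself, for the reason given above.

```python
"""Offline integrity check and restore for atapi.sys (added example).

Run against a Windows root on a volume that is NOT the running OS, e.g.
    python atapi_check.py /mnt/xp/WINDOWS
An active TDSS rootkit filters disk reads of its host driver, so checking
the live system from inside the live system tells you nothing.
"""
import hashlib
import shutil
import sys
from pathlib import Path

# Live driver location (relative to the Windows directory).
DRIVER = Path("system32") / "drivers" / "atapi.sys"
# Assumed reference copies: Windows File Protection's dllcache and the
# service pack installer's file store. Treated as assumptions, not facts
# about every install.
REFERENCE_COPIES = (
    Path("system32") / "dllcache" / "atapi.sys",
    Path("ServicePackFiles") / "i386" / "atapi.sys",
)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_atapi(windows_root) -> dict:
    """Compare the live atapi.sys against every reference copy present.

    verdict is one of:
      'match'        - identical to at least one reference copy
      'mismatch'     - differs from every reference found; a lead, not proof
                       (a hotfix can legitimately update the driver), so
                       confirm with file version and Authenticode signature
      'no_reference' - nothing on the volume to compare against
    """
    root = Path(windows_root)
    result = {"live_sha256": sha256_of(root / DRIVER), "references": {}, "verdict": "no_reference"}
    for rel in REFERENCE_COPIES:
        ref = root / rel
        if ref.is_file():
            result["references"][str(rel)] = sha256_of(ref)
    if result["references"]:
        result["verdict"] = "match" if result["live_sha256"] in result["references"].values() else "mismatch"
    return result


def restore_atapi(windows_root, reference_rel=None) -> Path:
    """Swap the live driver for a reference copy; returns the copy used.

    The suspect file is renamed to atapi.sys.suspect rather than deleted so
    it can be handed to an AV vendor or examined later.
    """
    root = Path(windows_root)
    candidates = [root / r for r in ([reference_rel] if reference_rel else REFERENCE_COPIES)]
    source = next((c for c in candidates if c.is_file()), None)
    if source is None:
        raise FileNotFoundError("no reference atapi.sys found under %s" % root)
    live = root / DRIVER
    quarantined = live.with_name(live.name + ".suspect")
    shutil.move(str(live), str(quarantined))  # keep the evidence
    shutil.copy2(str(source), str(live))
    return source


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: atapi_check.py <offline WINDOWS directory> [--restore]")
    report = check_atapi(sys.argv[1])
    print("live   ", report["live_sha256"])
    for name, digest in report["references"].items():
        print("ref    ", digest, name)
    print("verdict", report["verdict"])
    if report["verdict"] == "mismatch" and "--restore" in sys.argv[2:]:
        print("restored from", restore_atapi(sys.argv[1]))
```

A hash mismatch on its own only says the live driver is not the one Windows keeps as a backup; before restoring, compare the PE file version and check the Authenticode signature of both copies, since a mismatch where the live file is newer and validly signed is a hotfix, not an infection.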

We await final word from Microsoft as to whether this is the only cause of the problem.