Posted by: Dan O'Connor
ms10-015, root kit, rootkit, tdss
After a lot of discussion on the SANS ISC diary ( isc.sans.org ), it appears the machines rebooting after MS10-015 have been traced back to a rootkit (Tdss); more information about it can be found at http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html . Emergingthreats.net has had signatures for it since Oct & Jan 09, and from some of the reports out, the major AV vendors are able to detect it as long as the infected OS is not running, i.e. with an offline scan from clean boot media, because an active rootkit hides itself from the system it is running on.
Now it's going to be a race between system administrators applying MS10-015, which currently has the side effect of exposing the rootkit, and the malware authors updating it so the patch no longer blue screens the system and reveals the infection. A crash is not a detection mechanism to rely on: an updated variant that survives the patch will leave the infected machine looking perfectly healthy.
The number of reports of users hitting the blue screen is surprising, and cases like this are an excellent reason to have effective NIDS deployed. Malware like Tdss has to check in to its controllers at some point, and however well it hides on the host, it cannot hide that traffic from a sensor on the wire.
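As an added example (not part of the original post, and not one of the Emerging Threats signatures mentioned above), here is a generic check for the behaviour just described: a host that connects to the same destination at a regular interval, which is what a check-in looks like on the wire even when the rootkit hides every file and process on the host. It runs over a constructed connection log; the addresses, hostnames and the 300-second interval are assumptions, and the thresholds are hypothetical starting points rather than tuned values.

```python
"""Beacon detection over constructed connection-log lines.

Added example, not code from the original post. The log data below is
constructed; hostnames use the reserved .invalid TLD so they resolve to
nothing. Detection is behavioural (regular inter-connection timing), not
a signature for any specific malware family.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 checks in to one host every ~300 s (the
# assumed beacon) in between ordinary browsing; 10.0.0.9 only browses.
# Lines are deliberately not in global time order, as real exports often
# are not.
SAMPLE_LOG = """\
2010-02-12T09:00:00 10.0.0.5 checkin.example.invalid
2010-02-12T09:00:07 10.0.0.5 news.example.invalid
2010-02-12T09:05:00 10.0.0.5 checkin.example.invalid
2010-02-12T09:10:01 10.0.0.5 checkin.example.invalid
2010-02-12T09:12:45 10.0.0.5 mail.example.invalid
2010-02-12T09:15:00 10.0.0.5 checkin.example.invalid
2010-02-12T09:19:59 10.0.0.5 checkin.example.invalid
2010-02-12T09:25:00 10.0.0.5 checkin.example.invalid
2010-02-12T09:01:10 10.0.0.9 news.example.invalid
2010-02-12T09:03:42 10.0.0.9 news.example.invalid
2010-02-12T09:04:05 10.0.0.9 news.example.invalid
2010-02-12T09:31:17 10.0.0.9 news.example.invalid
2010-02-12T09:33:00 10.0.0.9 news.example.invalid
2010-02-12T09:50:30 10.0.0.9 news.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by (source IP, destination host).

    Assumed line format: ISO-8601 timestamp, source IP, destination host,
    whitespace separated. Blank lines are skipped.
    """
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def find_beacons(text, min_hits=5, max_cv=0.2):
    """Return (src, dst, hits, mean_interval_s) for pairs that look like a beacon.

    A pair is flagged when it has at least min_hits connections and the
    coefficient of variation (stdev / mean) of the gaps between successive
    connections is at most max_cv, i.e. the timing is too regular for a
    human. Both thresholds are hypothetical and need tuning per network:
    malware with large random jitter will push the CV above max_cv, while
    legitimate pollers (NTP, update checks) will be flagged and need an
    allow-list.
    """
    results = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()  # per-pair order matters, global order does not
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, len(times), round(avg)))
    return results


if __name__ == "__main__":
    for src, dst, hits, interval in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: {hits} connections, ~{interval}s apart")
```

On the constructed log this flags only 10.0.0.5 talking to checkin.example.invalid (six connections, about 300 seconds apart); the browsing to news.example.invalid has gaps ranging from under a minute to nearly half an hour and is left alone. The same logic applies to proxy, firewall or DNS logs once the parser is adjusted to their format.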
The full discussion is available here http://isc.sans.org/diary.html?storyid=8209#comment .