Blue screen issues tied to deployments of Microsoft’s Windows kernel patch are the result of the Alureon rootkit.
Microsoft issued the results of its investigation into a number of people reporting a Blue Screen of Death condition after deploying its February batch of patches, finding ties to a specific patch and to malware-infected machines.
Engineers at the software giant confirmed the blue screen is tied to the deployment of MS10-015, a Windows kernel patch that repairs two longstanding kernel vulnerabilities. Machines that have the blue screen condition are infected with the Alureon rootkit, a family of data-stealing Trojans that allow an attacker to intercept a computer’s Internet traffic in order to steal user names, passwords and credit card data. The rootkit gives Alureon the ability to avoid detection, allowing it to perform malicious routines uninterrupted. Microsoft said it can also hide files and disk sectors.
“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state,” said Mike Reavey, Director of the Microsoft Security Response Center, in an MSRC blog entry. “Customers should continue to deploy this month’s security updates and make sure their systems are up-to-date with the latest anti-virus software.”
Shortly after Microsoft released its updates Feb. 9, customers began reporting sporadic machines being blue screened after deploying the patches. Patching professionals and experts from several vulnerability management vendors said few corporate deployments were reporting the condition.
Microsoft halted its automatic release of MS10-015 pending the results of its investigation. Patrick W. Barnes, an Amarillo, Texas-based computer expert, was the first to discover a rootkit infection.
Reavey further explained the cause of the blue screen:
In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address, which usually happens when an executable is loaded. The chain of events in this case was that a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently, MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.
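The mechanism Reavey describes can be modelled in a few lines. The following Python script is an added illustration, not code from the article or from Microsoft: it lays out a toy kernel image of three functions, has a "hook" record the raw address of one of them at infection time, then applies a constructed patch that enlarges an earlier function so everything after it shifts. The image base, function names and sizes are all constructed assumptions; the point is only that a hard-coded address keeps pointing at the old location while a lookup by name re-resolves against the patched image.

```python
# Added illustration (not from the article): a toy model of why a hard-coded
# kernel address keeps working until a patch moves the code it points at.
# The base address, function names and sizes below are constructed values.

BASE = 0x80400000  # constructed image base, not a real kernel address

# (function name, size in bytes), laid out back-to-back in the image
ORIGINAL_IMAGE = [("NtOpenFile", 0x120), ("NtCreateFile", 0x200), ("NtReadFile", 0x150)]
# constructed "patch": the first function grows, so every later one shifts
PATCHED_IMAGE = [("NtOpenFile", 0x180), ("NtCreateFile", 0x200), ("NtReadFile", 0x150)]


def layout(image, base=BASE):
    """Return {name: (start_address, size)} for functions laid out contiguously."""
    table, addr = {}, base
    for name, size in image:
        table[name] = (addr, size)
        addr += size
    return table


def resolve_by_name(image, name):
    """The supported way: look the function up by name against the loaded image."""
    return layout(image)[name][0]


def resolve_call(image, addr):
    """What a hard-coded address lands on: (function, offset into it), or None."""
    for name, (start, size) in layout(image).items():
        if start <= addr < start + size:
            return name, addr - start
    return None


def simulate_infection_then_patch(target="NtReadFile"):
    """Replay the chain of events: infect, patch, reboot with the new layout."""
    # Infection time: the rootkit records the raw address of its target.
    saved = resolve_by_name(ORIGINAL_IMAGE, target)
    before = resolve_call(ORIGINAL_IMAGE, saved)   # ('NtReadFile', 0): entry point
    # The patch is installed and the kernel is reloaded with the new layout.
    after = resolve_call(PATCHED_IMAGE, saved)     # lands mid-function in another routine
    # Lookup by name keeps working because it re-resolves against the new image.
    renamed = resolve_by_name(PATCHED_IMAGE, target)
    return before, after, renamed


if __name__ == "__main__":
    before, after, renamed = simulate_infection_then_patch()
    print("before patch, hard-coded address hits:", before)
    print("after patch, same address hits:", after, "(mid-function: a crash)")
    print("after patch, lookup by name gives:", hex(renamed))
```

Running it shows the saved address hitting the start of `NtReadFile` before the patch and an offset of 0x1A0 into `NtCreateFile` afterwards, which is the "no longer the intended OS function" condition in Reavey's account and the reason Microsoft could point to the rootkit, rather than the patch, as the cause of the instability.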
The only way to repair the problem, according to Reavey, is to reinstall Windows. But Reavey said a simpler solution to detect and remove Alureon is being developed and could be available in a few weeks.