Hackers behind the rootkit responsible for crippling Windows machines after users installed a Microsoft security patch have updated their malware so that it no longer crashes systems, researchers confirmed.
The rootkit, known by a variety of names — including TDSS, Tidserv and TDL3 — was blamed by Microsoft last Friday for causing Windows XP PCs to crash after users applied the MS10-015 security update, one of 13 Microsoft issued a week ago.
Within hours of that update's release, users flooded Microsoft's support forum, reporting that their computers had been incapacitated with a Blue Screen of Death (BSOD). Earlier, Microsoft has stopped shipping the MS10-015 update, which users had linked to the BSODs, and said it was investigating.
Security researchers today said that the makers of TDSS have updated the rootkit so that it no longer conflicts with MS10-015. “The update day before yesterday prevents PCs from getting stuck in the BSOD loop,” said Roel Schouwenberg, a researcher with Moscow-based antivirus vendor Kaspersky.
Marc Fossi, a manager of development with Symantec's security response team, said his researchers are also digging into the latest update of the rootkit. “We're still in the process [of investigating], but it does look like the rootkit update is trying to eliminate the conflict that causes the blue screens,” Fossi said. The rootkit, which Symantec pegs as Tidserv, updates itself via a “phone home” feature, said Fossi.
The rootkit's authors have reason to hustle out an update, said Schouwenberg and Fossi, who explained that blue-screened PCs are as worthless to the hackers — who want access to the machines — as they are to their owners. Worse, the BSODs have revealed to many Windows users that their systems were infected.
“The rootkit exists to be on the system and evading detection,” noted Fossi. “On the plus side for users, this incident has helped people discover that they had this running on their computers.” And that can't please the hackers.
Using Linux to back out a Windows XP patch Although Microsoft said today it has not wrapped up its investigation — and so has not definitely laid complete responsibility on the rootkit — Schouwenberg and Fossi said most researchers are convinced that the vast bulk of the BSOD reports were due to the malware. “If a computer has this rootkit and the MS10-015 update is installed, it will blue screen,” said Fossi.
Schouwenberg noted that rootkit-infected machines running any flavor of Windows will crash when the MS10-015 update is applied. “This affects every version of Windows,” he said, including Vista and Windows 7. “The reason why it's been reported as a Windows XP problem is that the vast majority of infected machines are running XP,” Schouwenberg said.
There have been scattered reports on Microsoft's support forum from Vista and Windows 7 users who now have crippled computers.
Symantec has posted a workaround for people who have a blue-screened PC that involves replacing the rootkit-infected driver with a clean copy, while Kaspersky has posted a free utility that seeks out and destroys the rootkit (download .zip file for Windows PCs).
Microsoft has not yet restored the MS10-015 patch to Windows Update, so users can safely download and install all remaining updates issued last week. “Automatic Updates for MS10-015 will remain disabled until our investigation into the restart issues is complete,” Jerry Bryant, a senior manager with the Microsoft Security Response Center, said in an e-mail.