MS10-015

Feb 18, 2010 14:10 GMT

Microsoft starting to serve the February 2010 security updates to customers running its products was just the first move in what has become an interesting game of chess between the company and malware authors. The Redmond company moved first, with the release of the MS10-015 (KB977165) patch, among the many security bulletins offered this month. The second move also belonged to Microsoft, as the company pulled MS10-015 from Automatic Updates after reports of Windows XP SP2 and SP3 PCs that were crashing with Blue Screen of Death (BSOD) errors and becoming unbootable.

Malware authors took the stage next, with an update pushed to Alureon, a rootkit that had infected every machine that experienced the crashes. The Alureon rootkit infections have been confirmed by various members of the security industry, including Microsoft, as the real cause of the Blue Screen errors and the crashes. Following the update delivered to Alureon, the rootkit is no longer incompatible with MS10-015.

“On Wednesday, February 10th, we became aware of reports regarding Windows XP SP2 and SP3 systems becoming unable to restart successfully after the installation of MS10-015,” noted Mike Reavey, director, MSRC. “This past weekend, we worked with the Microsoft Malware Protection Center (MMPC) on the systems that were delivered to Redmond last Friday, and confirmed that all of the affected systems had the Alureon Rootkit installed.”

Users were quick to blame Microsoft for their problems, as MS10-015 indeed appeared to be responsible. Of course, with additional information now available, all Windows customers who rendered their computers unusable after installing MS10-015 (KB977165) know that they were infected with the Alureon rootkit.

“In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded. The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine. Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function,” Reavey explained.
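The failure Reavey describes is a general one: code that records a raw address once and keeps jumping to it will call the wrong routine as soon as a patch relocates the code it assumed. The small C model below is an added example, not part of the article and not Microsoft's or Alureon's code; the export names, the two slot layouts and the return tags are all constructed. It contrasts the blind cached call with re-resolving the symbol against the loaded image, and shows the check a legitimate kernel component would apply before using a cached address so that a layout change fails cleanly instead of executing unrelated code.

```c
/* Added example, not from the article or from Microsoft: a small model
 * of why code that memorises a raw address breaks when a patch moves
 * kernel code, and what validating the address first looks like.
 * Every name, layout and return value below is constructed. */
#include <stdio.h>
#include <string.h>

typedef int (*kfunc_t)(void);

/* Three pretend kernel routines, each returning a distinct tag so we can
 * tell which one a call actually reached. */
static int nt_open(void)  { return 1; }
static int nt_close(void) { return 2; }
static int nt_query(void) { return 3; }

/* An export slot: a symbol name and the code that lives there. A NULL
 * entry models bytes that are not the start of any function. */
struct kexport { const char *name; kfunc_t fn; };

#define NSLOTS 5

/* Layout before the update (constructed): NtQuery sits in slot 2. */
static const struct kexport layout_v1[NSLOTS] = {
    {"NtOpen", nt_open}, {"NtClose", nt_close}, {"NtQuery", nt_query},
    {NULL, NULL}, {NULL, NULL},
};

/* Layout after the update (constructed): new code was inserted ahead of
 * the exports, so every routine moved two slots down. */
static const struct kexport layout_v2[NSLOTS] = {
    {NULL, NULL}, {NULL, NULL},
    {"NtOpen", nt_open}, {"NtClose", nt_close}, {"NtQuery", nt_query},
};

/* Resolve a symbol by name against the layout that is actually loaded.
 * Returns the slot index, or -1 if the symbol is absent. */
int resolve_slot(const struct kexport *layout, const char *name)
{
    for (int i = 0; i < NSLOTS; i++)
        if (layout[i].name && strcmp(layout[i].name, name) == 0)
            return i;
    return -1;
}

/* Jump to whatever occupies the slot. Out-of-range or non-code slots
 * return -1, standing in for the bugcheck a real blind call produces. */
int call_slot(const struct kexport *layout, int slot)
{
    if (slot < 0 || slot >= NSLOTS || layout[slot].fn == NULL)
        return -1;
    return layout[slot].fn();
}

/* The fragile pattern from the article: a slot number captured once and
 * reused on every boot, regardless of which layout is now loaded. */
int hardcoded_caller(const struct kexport *layout, int cached_slot)
{
    return call_slot(layout, cached_slot);
}

/* What the operating system's loader does: look the symbol up against
 * the image that is actually present. */
int resolving_caller(const struct kexport *layout, const char *name)
{
    return call_slot(layout, resolve_slot(layout, name));
}

/* Defensive check for a component that must keep a cached address:
 * verify that the expected symbol still lives there before jumping.
 * Returns -2 on mismatch so the caller fails cleanly. */
int checked_caller(const struct kexport *layout, int cached_slot,
                   const char *expected_name)
{
    if (cached_slot < 0 || cached_slot >= NSLOTS ||
        layout[cached_slot].name == NULL ||
        strcmp(layout[cached_slot].name, expected_name) != 0)
        return -2;
    return layout[cached_slot].fn();
}

int main(void)
{
    /* "Infection time": the address of NtQuery is recorded against v1. */
    int cached = resolve_slot(layout_v1, "NtQuery");
    printf("pre-patch  hardcoded -> %d\n", hardcoded_caller(layout_v1, cached));
    /* "After the update": v2 is loaded and the cached slot now holds NtOpen,
     * no longer the intended OS function. */
    printf("post-patch hardcoded -> %d (wanted 3)\n", hardcoded_caller(layout_v2, cached));
    printf("post-patch resolving -> %d\n", resolving_caller(layout_v2, "NtQuery"));
    printf("post-patch checked   -> %d (refused)\n", checked_caller(layout_v2, cached, "NtQuery"));
    return 0;
}
```

Run as-is: before the simulated patch the cached slot reaches NtQuery; after it the same slot reaches NtOpen, which is the "wrong function" outcome the MSRC statement describes, while the by-name lookup still finds NtQuery and the checked call refuses rather than jumping blind.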

What is critical to note is that if customers had been running the 64-bit editions of Windows 7 or Windows Vista, such an infection could never have happened. This is because, starting with 64-bit XP SP1 and Vista, Microsoft introduced a number of mitigations designed to protect the Windows kernel from tampering. Technologies such as Kernel Patch Protection (PatchGuard) and Kernel Mode Code Signing (KMCS), present in 64-bit systems including Windows 7, stop Alureon infections dead in their tracks.

“These technologies make it possible to detect when integrity checks fail. The different versions of Alureon that we have investigated only infect 32-bit systems and would fail to infect 64-bit systems. That said, it is important to note that running as a standard user instead of using an administrator account is a best practice that in most cases will prevent kernel mode malware from infecting a system. Similarly, keeping anti-virus signatures current will also prevent most malware from infections. Additionally, since we have determined that 64-bit systems are not affected, we are opening Automatic Updates for these platforms,” Reavey added.