The rootkit patch is not a friend!

Last Tuesday, an unscheduled update from Microsoft, MS10-015, was released. The patch fixed a local privilege escalation vulnerability and made modifications directly to the OS kernel. The update had quite unforeseen consequences: some users ran into problems after installing it. More specifically, after the reboot the update requires, a critical error started occurring in one of the system drivers, which then produced a BSoD.


On Microsoft's side this situation caused some bewilderment, since updates go through fairly stringent testing before release. But, as the internal investigation showed, the culprit was the latest incarnation of the TDSS rootkit: it had infected the driver, and its incompatibility with the modifications made to the kernel produced the critical error. Incidentally, the rootkit could infect other system drivers as well.

Let's take a closer look at what happened and why the BSoD occurred. We are talking about the latest modification of the TDSS rootkit, which has been actively distributed on the Internet for quite some time. So why does this error happen?
The answer turned out to be quite simple: the rootkit does not call WinAPI functions through ordinary imports; it locates them by fixed offsets in memory. The update modified the kernel, which moved the code the rootkit expected to find at those addresses. That was the cause of the critical error.


According to Microsoft representatives, the problem manifested exclusively on 32-bit operating systems. As supporting evidence, they pointed out that the 64-bit versions of Vista and Win7 cannot load unsigned drivers. This is understandable: because the rootkit modifies the driver directly, the digital signature no longer passes verification, and the driver cannot be loaded.
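On a 32-bit system the loader does not enforce that check, so a defender has to run it by hand. The following PowerShell snippet is an added example, not code from the original post; it assumes PowerShell 3.0 or later on Windows with read access to the drivers directory, and lists every kernel driver whose Authenticode signature no longer verifies:

```powershell
# Added example: enumerate *.sys files in the drivers directory and report
# those whose signature does not verify. A driver patched in place by the
# rootkit no longer matches the signature it shipped with, so it shows up
# here even on a 32-bit system that still loads it.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$results = Get-ChildItem -Path $driverDir -Filter *.sys |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Driver   = $_.Name
            Status   = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = $_.LastWriteTime
        }
    }

# HashMismatch means the bytes on disk differ from what was signed.
# NotSigned on a core Microsoft driver needs a second look: on older
# systems catalog-signed files can report NotSigned, so compare the
# file's timestamp and hash against a known-good copy before concluding.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table -AutoSize
```

A driver that was recently modified and fails verification is the pattern the post describes; the 64-bit loader rejects it, a 32-bit one does not.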

According to our data, the activity of users infected with the TDSS rootkit dropped sharply after this update was released, which forced the attackers to put out an updated version with a fix for this error. The cybercriminals took an ironic approach to updating their brainchild: the following obscene line turned up in one of the malware's configuration files: “F*ck damnation, man! F*ck redemption! We are God's unwanted children!”

The situation has shown that the number of users infected with this rootkit is quite large; moreover, the concentration of victims in the United States is by no means small. Perhaps this is what prompted Microsoft's quick reaction and investigation of the incident.
