The first good BSoD

Mock-up BSoD from TDSS rootkit

Perhaps this title should read “Blue screen of blessing.” Yes, you are reading that correctly. BSoDs can occasionally have a back-handed benefit.

Last Tuesday, after Microsoft released its latest batch of patches, complaints started streaming in that there had been a QA problem and that Microsoft’s patch for the 16-bit NTVDM vulnerability (MS10-015) was causing computers to crash.

Microsoft quickly pulled the patch from the automatic deployment area of Windows Update to look into the complaints. This week they published a detailed analysis of what was actually causing MS10-015 to crash some computers. It was a rootkit that Microsoft calls Alureon and Sophos identifies as MAL/TDSSRt-A and MAL/TDSSPk-C.

How did this happen? Rootkits like TDSS are very low-level alterations to the Windows operating system and often depend on knowing the exact address at which a specific kernel component resides in memory.

This rootkit expected certain parts of Windows to be at certain addresses in memory. When Microsoft released the fix for this 17-year-old bug, the Windows kernel driver API that TDSS depends upon moved to a different address. When a machine is rebooted to apply the fix, the rootkit writes to memory that is no longer the part of Windows it was targeting.

Result? Blue Screen of Death. Of course, many users infected by this rootkit have no idea that they are infected, creating a lot of confusion and causing a lot of blame to be directed at Microsoft.
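The mechanism above, as an added toy simulation that is not code from the original post and not the rootkit's own code: a small byte array stands in for a loaded driver image, a "rootkit" overwrites five bytes at a hardcoded offset where it assumes a routine lives, and a patch that moves the routine turns the same write into corruption of whatever now occupies that offset. The layout offsets, the handler-index table and the crash condition are constructed for illustration; only the five-byte hot-patch prologue is a real x86 sequence. The integrity check at the end is the defender's point: comparing the in-memory image against a pristine copy flags the modification whether or not the write landed where the rootkit intended.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SIZE   64
#define PROLOGUE_LEN 5

enum { RUN_OK = 0, RUN_CRASH = 1 };

/* Real x86 hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t PROLOGUE[PROLOGUE_LEN] = {0x8B, 0xFF, 0x55, 0x8B, 0xEC};

/* Constructed layouts: the "patch" swaps the routine and a data table. */
#define PRE_FUNC   0x10
#define PRE_TABLE  0x20
#define POST_FUNC  0x20
#define POST_TABLE 0x10

/* Build a toy image: the routine's prologue at func_off and a 4-byte
 * handler index (1 = valid) at table_off, NOP filler everywhere else. */
void build_image(uint8_t *img, size_t func_off, size_t table_off) {
    memset(img, 0x90, IMAGE_SIZE);
    memcpy(img + func_off, PROLOGUE, PROLOGUE_LEN);
    uint32_t idx = 1;
    memcpy(img + table_off, &idx, sizeof idx);
}

/* Simulated rootkit behaviour: blindly overwrite 5 bytes at the offset it
 * assumes the routine lives at. The bytes are a placeholder jmp rel32
 * (E9 00 00 00 00); nothing is verified before writing. */
void hardcoded_overwrite(uint8_t *img, size_t assumed_off) {
    static const uint8_t stub[PROLOGUE_LEN] = {0xE9, 0x00, 0x00, 0x00, 0x00};
    memcpy(img + assumed_off, stub, PROLOGUE_LEN);
}

/* Simulated kernel dispatch: reads the handler index from the table and
 * "crashes" (our stand-in for a BSoD) if it no longer holds a valid value. */
int dispatch(const uint8_t *img, size_t table_off) {
    uint32_t idx;
    memcpy(&idx, img + table_off, sizeof idx);
    return idx == 1 ? RUN_OK : RUN_CRASH;
}

/* Defender's check: count bytes that differ from a pristine reference copy
 * (e.g. the driver as it exists on disk). */
int count_modified_bytes(const uint8_t *img, const uint8_t *ref) {
    int n = 0;
    for (size_t i = 0; i < IMAGE_SIZE; i++)
        if (img[i] != ref[i]) n++;
    return n;
}

struct outcome { int run; int modified; };

/* Run the scenario against the pre-patch or post-patch layout. The rootkit
 * always writes at PRE_FUNC because that is the layout it was built for. */
struct outcome simulate(int patched) {
    uint8_t img[IMAGE_SIZE], pristine[IMAGE_SIZE];
    size_t func  = patched ? POST_FUNC  : PRE_FUNC;
    size_t table = patched ? POST_TABLE : PRE_TABLE;
    build_image(img, func, table);
    memcpy(pristine, img, IMAGE_SIZE);
    hardcoded_overwrite(img, PRE_FUNC);
    struct outcome o;
    o.run = dispatch(img, table);
    o.modified = count_modified_bytes(img, pristine);
    return o;
}

int main(void) {
    struct outcome pre = simulate(0), post = simulate(1);
    printf("pre-patch : %s, %d bytes differ from disk\n",
           pre.run == RUN_OK ? "runs (hook hit its target)" : "CRASH", pre.modified);
    printf("post-patch: %s, %d bytes differ from disk\n",
           post.run == RUN_OK ? "runs" : "CRASH (hook corrupted moved data)", post.modified);
    return 0;
}
```

Before the patch the overwrite lands on the routine and the system keeps running with the rootkit in place; after the patch the same write corrupts the table that moved into that address and dispatch fails, which is the toy's version of the BSoD. In both cases the in-memory image differs from the pristine copy, so an integrity comparison against the on-disk driver detects the infection without relying on the crash.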

While I never like to see innocent people’s computers rendered inoperable, I still look upon this issue as a good thing. I am of the opinion that, as with many medical conditions, it is better to know you are sick and start taking appropriate measures than to blindly continue harming yourself.

The velocity of the cat-and-mouse game continues to increase, unfortunately, and the authors of TDSS seem to have patched it to be compatible with the new MS10-015 patch. Assuming Microsoft soon adds the patch back into the automatic category, most machines will likely have had their rootkit updated to now be compatible, especially if they are online often enough to receive Windows updates automatically.

No more BSoD, which of course means users no longer get a heads-up that their computers are still being monitored by this insidious malware. If you are unsure as to whether your computer may be infected by TDSS, I recommend downloading our free tool for Computer and Network Security Scans and Sophos Anti-Rootkit.