A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by people who applied the latest round of Microsoft patches.
Researchers investigating the issue have isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Patrick W. Barnes, an Amarillo, Texas-based computer expert who discovered the infection, posted instructions on how to repair the atapis.sys file.
"Atapi.sys is a good target for rootkits because it loads so early during the boot process," Barnes said in an email message. "Once loaded, the rootkit can defend itself, and once atapi.sys is loaded, it is hard to replace."
Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity.
"This particular rootkit can be very difficult to detect," Barnes said. "Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads."
If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update," Barnes wrote in a blog post. "If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer."
Microsoft issued a statement late Thursday acknowledging the issue. Jerry Bryant, senior communications lead at the Microsoft Security Response Center, said engineers were investigating the matter. The software giant halted the automatic release of MS10-015, a bulletin that repairs two Windows kernel vulnerabilities, pending the outcome of the investigation, he said.
"We have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software," Bryant wrote in a blog entry on the MSRC blog.
Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits. Microsoft and F-Secure offer applications that can detect their presence.
Patching experts at several vulnerability management vendors reported few problems with the latest round of patches. Corporate patch deployments go through a more rigorous testing process and most enterprise PCs have standard configurations and up to date security software, which may result in fewer blue screen issues, they said.
"We have no customers reporting this issue back to us, but we're well aware of what's happening here," said Jason Miller, data and security team leader, at St. Paul, Minn.-based Shavlik Technologies Inc. "We'll probably be seeing this more on the home side rather than on the corporate side."