News Stay informed about the latest enterprise technology news and product updates.

Windows blue screen may be result of rootkit infection

Windows machines experiencing a Blue Screen of Death condition, after a Windows kernel patch is applied, may have an infection according to researchers investigating the issue.

A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by people who applied the latest round of Microsoft patches.

Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads.
Patrick W. Barnes
Amarillo, Texas-based computer expert

Researchers investigating the issue have isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Patrick W. Barnes, an Amarillo, Texas-based computer expert who discovered the infection, posted instructions on how to repair the atapis.sys file.

"Atapi.sys is a good target for rootkits because it loads so early during the boot process," Barnes said in an email message. "Once loaded, the rootkit can defend itself, and once atapi.sys is loaded, it is hard to replace."

Barnes identified the infection as the Tdss-rootkit, which surfaced last November and has been spreading quickly, creating zombie machines for botnet activity.

"This particular rootkit can be very difficult to detect," Barnes said. "Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads."

Microsoft Blue Screen of Death:
Microsoft blue screen affecting few corporate PCs:  Corporate PCs with standard configurations do not appear to be returning a Blue Screen of Death, despite reports of the issue related to Microsoft's latest round of patches. 

Microsoft halts MS10-015 automatic update and continues investigation. 

If you are running Windows and have not yet applied this update, make sure you scan your computer thoroughly for infections before applying this update," Barnes wrote in a blog post. "If you are experiencing this problem, get your computer to a professional that can replace the infected atapi.sys and clean any other malware from your computer."

Microsoft issued a statement late Thursday acknowledging the issue. Jerry Bryant, senior communications lead at the Microsoft Security Response Center, said engineers were investigating the matter. The software giant halted the automatic release of MS10-015, a bulletin that repairs two Windows kernel vulnerabilities, pending the outcome of the investigation, he said.

"We have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software," Bryant wrote in a blog entry on the MSRC blog.

Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the rootkit is deployed giving the attacker the ability to mask intrusion and gain root or privileged access to the computer. It can also be a package of spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits. Microsoft and F-Secure offer applications that can detect their presence.

Patching experts at several vulnerability management vendors reported few problems with the latest round of patches. Corporate patch deployments go through a more rigorous testing process and most enterprise PCs have standard configurations and up to date security software, which may result in fewer blue screen issues, they said.

"We have no customers reporting this issue back to us, but we're well aware of what's happening here," said Jason Miller, data and security team leader, at St. Paul, Minn.-based Shavlik Technologies Inc. "We'll probably be seeing this more on the home side rather than on the corporate side."

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.