Rootkit blamed for Blue Screen patch update snafu The presence of a hard-to-detect rootkit may have caused Windows XP machines to freeze up after applying a patch from Microsoft last week, according to preliminary analysis of the problem from Microsoft's security team. Microsoft's users forums filled up with reports of Windows XP users experiencing the dreaded Blue Screen of …
Horse-hockey. This is where one needs a live CD one does.
In fact, someone (MS?) could provide a tool to do a deep scan of the fixed drives and report what it finds (such a thing may exist). This could then be used to remove the rootkit (Linux is perfectly happy to read NTFS amongst other file-systems, unlike Windows) and get the machine running again. Even if that fails, the Live CD session could be used to recover data prior to a re-install.
Of course, this would mean MS effectively having to crawl to the Penguin for help.
(snigger)
"Of course, this would mean MS effectively having to crawl to the Penguin for help.
(snigger)"
Nope - Microsoft have their own environment and have done since 2005. Called WinPE or WinRE. (Windows Preinstallation Environment or Windows Recovery Environment)
It's the foundation for the Vista and Windows 7 setup and also used extensively for Windows Deployment Services as well.
Don't need no daft named, terminal based open source muck here thank you.
The Live CDs run a full GUI and will automatically make available the fixed discs. Non need to touch the terminal if you don't want (fyi: you still need to use the command prompt in Windows by times).
Also there would be good reason to use a non-Windows based OS if you are attempting to remove code that is highly infectious to Windows. It did, after all, hose your current install.
Now, where can I get my WinPE/RE ISO? Oh wait, I can't; I need an MSDN TechNet sub or some such bollocks. Sucks to be a normal user I guess. So I'd have to use Bart's PE or get a Linux Live CD.
" will automatically make available the fixed discs"
As in it mounts the disks? Wow - big achievement. Guess what also automounts...?
"Also there would be good reason to use a non-Windows based OS if you are attempting to remove code that is highly infectious to Windows"
You do know what "ROM" stands for in CD-ROM? Same relevant parts apply to DVD's - it's not installing anything, and not starting anything from the infected system - so where's the risk again? Think it's going to destroy your free recovery DVD? Your point is moot.
"Now, where can I get my WinPE/RE ISO?"
Here: http://www.microsoft.com/downloads/details.aspx?FamilyID=C7D4BC6D-15F3-4284-9123-679830D629F2&displaylang=en
"Sucks to be a normal user I guess. So I'd have to use Bart's PE or get a Linux Live CD"
Yeah, because normal users often read the register, burn ISO's of BartPE (which I've used, and is rather good), and on a daily basis burn and boot a Linux Live CD.
Reality check?
"You do know what "ROM" stands for in CD-ROM?"
WinPE runs from CD-ROM? There was me thinking it first loads to RAM and then executes. But, wow. Runs straight from ROM, eh? No need for any runtime information? Gosh. And who said anything about CD-ROM? You can boot from a USB y'know....
Windows will have to be resident in RAM. Which means that sufficiently virulent rootkit could still hide/propagate (Windows being dumb enough to not only mount but auto-execute files). If you used Linux (or any other OS/non-Windows toolkit) the odds are very much greater that the rootkit is going to be royally stuffed, allowing it to be eradicated.
"on a daily basis burn and boot a Linux Live CD."
If their PC has just blue-screened and won't boot properly, there's worse things they could do.
Come off it, WinPE/RE is a true dog. I'm sure you're writing this just to buy an argument.
As I said in my posts elsewhere, this solution, at best, is barely better than nothing.
Essentially, Microsoft has never provided a decent and proper solution, fixing a really stuffed Windows O/S is little more than pot luck. When everything goes belly-up M$'s solution effectively is to format and reinstall.
Why is it pot luck you many well ask? Well, the reason is VERY simple, opening up the O/S to this sort of scrutiny makes it easier for peopled to bypass DRM, copyright licensing etc. etc. all of which requires the enormous obfuscating capability which Windows has in abundance.
Not only M$ hides stuff in Windows--registry and elsewhere--but most commercial programs also do so. Unfortunately this obfuscation ALSO makes it much easier for root kits viruses etc. to hide within the O/S.
I won't bore you with lessons on how Microsoft could easily have solved this problem with the use of authentication, encryption, Chinese 'fire' walls between the O/S, program and user files together with the use of file encapsulation and better file system etc.
Suffice to say, what Microsoft has done INTRINSICALLY makes it easy for ROOT KITS to HIDE in the O/S.
Why did M$ do it this way instead of doing it correctly? Einstein go home--even a person with a room temperature IQ knows this was done purely for commercial reasons--that of maximizing profit.
Protection of user's data files and the susceptibility of Windows to root kits, viruses etc. fell a long way short of that key commercial objective. Whilst necessary, these hundreds and hundreds of security patches which have needed to be installed in Windows are little more than window dressing in the big schema of things. Had appropriate engineering been used in the initial design of Windows, then most of them wouldn't have been necessary.
Right, Microsoft has made us users own the problem!
The problem is that affected machines are running Windows XP. Does it work on that?
This problem shows that the OEMs and Microsoft (their idea originally) have shot themselves in the foot. They are suggesting that you boot from the disc and perform a recovery, iirc, but the problem is Microsoft have encouraged OEMs not to supply Windows discs, instead encouraging them to rape, er charge the customer to purchase a disc instead. This leaves the customer up shit creek because it means they have to effectively reinstall the whole OS - that is if they made a recovery disc that most don't!!
Notice I called them customers? That is what they are. They consume nothing! They are customers as they BUY STUFF from the shops!
Microsoft provides tools to the OEM's to create a seperate partition with the factory image installed. This can be booted from the BIOS, including the OS's setup recovery tools. Therefore if the HD isn't fried - but just the Win32 partition - then the user can reinstall Windows or use the recovery tools to repair their installation. No disc required.
However MS haven't stopped any OEM from releasing media.
Yeah, I'm already aware of this, but the use of WinPE is restricted only to specific licence holders surely?
WinPE 1.3 EULA - eula.txt (Still valid for XP users I believe, versions beyond, I'm not sure)
"1. ELIGIBILITY.
You may only install and use the SOFTWARE PRODUCT if you are an active Microsoft Software Assurance Member ("SAM") for the systems product pool or servers product pool, if you currently have license coverage for Microsoft Windows operating system (OS) Upgrades via a Campus Agreement or School Agreement, or if you are a current or former participant in the Windows XP Joint Development Program, Windows XP Rapid Adoption Program, Windows .NET Server Joint Development Program, or Windows .NET Server Rapid Adoption Program. If you do not meet one or more of the requirements listed above, you may not install or use this SOFTWARE PRODUCT and you must terminate the installation of this SOFTWARE PRODUCT immediately"
This must be old as Campus Agreement doesn't exist anymore. That doesn't include a fat lot of people though, so unless there have been changes to this to allow SOHO users to create and use WinPE media without a Volume Licence, then again, a Linux Live CD is the only route, so to assist with recovering a home PC outside of work, I'd be breaking my Windows XP EULA. Sure, I can do it, but it's not entirely legal. (Anyone know if this has changed for Vista/7?) Using recovery partition/media is all well and good, but it nukes your data rather than assists in recovery. This said, and I'm sure most here will agree, not a lot of home users would even know what to do with a Linux Live CD. Some small offices with sysadmins might, medium size businesses, more likely, and enterprise almost certainly. A home user just wants a big fat red button that fixes everything. I would rather drop to a bash prompt and have a plethora of tools to do what needs to be done. And if at work, a Ghost disc usually comes in handy. At least I'm not left asking "Are we licenced for this?".
Oh right, so home users now have the appropiate licencing to create WinPE/WinRE discs? There was me thinking that WinPE was only for OEMs and WinRE was only available to those running XP Professional.
I'll stick with my Linux custom live CDs, ClamAV and a whole host of tools, without having to pay extra for the licencing or break the law. ;)
I'm a Windows sysadmin, and even I am all too aware that Linux, with the appropiate tools to hand, is better at fixing Windows than Windows is. DOS prompt just don't cut it anymore.
I'm getting pretty good at cleaning up infections. ClamAV only picks up files it has signatures from. You really need to work in the registry, that way you can clean out most things. Still there are worms like scribbler that you still have to format and restart. But hey you can do it all within linux.
Best of all automating any of your fixes is a doddle :-)
Obviously a Microsoft share owner talking!
...Anyway, WinPE/RE are dogs to use. That's why there are free third-party alternatives--BartPE et al, but even these are not very satisfactory as they're very slow and cumbersome.
That's why all my machines dual-boot to DOS and use FAT32 partitions (for the O/S only of course--data still lives in NTFS). I'm damned if I know how anyone does any serious maintenance work on Windows on a NTFS partition. One day I hope someone will enlighten me.
I simply can't understand how people use WinPE etc. They've obviously nine lives not to mention simple machine configurations. I've only one life unfortunately, wasting it spending time cranking up WinPE is something I can well do without.
Ok then.
"IF" it's true about the root kit cause then the next question(s)...
More than one root kit?
"WHO's" root kit(s)?
Hackers? Corporate ones? Both? We already know a certain Corporation, caughsonycaughcaugh, did it to it's customers willingly before...get were I'm going with this? Has some other corporation(any) committed an act of root kitting it's customers also. Has this patch stumbled upon it?
Right, damn vague isn't it? Where's the LEMON LAWS for software?
These bastards (and I'm not just talking about M$ here--it's many software vendors) hide behind compiled code and you haven't a clue what's happening with patches and fixes. Often functionality suffers or speed decreases and you're none the wiser until you come upon an unexpected gotcha--and then often you're not sure if its the original program and you've just noticed the problem of whether it's the patch.
When my car goes kaput service people tell me what went wrong and supply me with the dead part. But all we get from most software vendors is an EULA which goes on for hours about the company not being responsible for anything.
Copyright, patents etc. aren't just enough to satisfy this mob. How come the software lobby has the service angle and that they're not responsible for anything also sewn up with the regulators?
We really do need decent software lemon laws. Only then will these vendors take notice.
A colleague and I also had problems with our work machines (notebooks, running XP), both hanging when it gets to mup.sys. In my case it reported that I had to press "Escape" to stop SPTD.sys from loading, and then it would die a couple of seconds later (this was in Safe mode - in normal mode it would just start up the XP logo and die).
Six reboots and countless hitting of Esc finally got me up and running again. It seems that in my case Daemon tools was to blame - but it has been on this machine for more than three years (I inhereted the machine from a previous colleague) without causing any problems that I am aware of.
My colleague reported that a disk scan revealed some orphaned clusters. After cleaning it and running defrag he finally managed to boot normally.
No rootkits on our machines, though.
Uh oh. I have similar symptoms, but in my case it may be PGP Desktop that is causing the problem.
Still investigating. Unfortunately, when you boot in safe mode you can't access pgp desktop, and can't decrypt the HD. If you can't decrypt, you can't repair windows.
I am currently in the process of using a pgp emergency boot CD to decrypt and it is painfully slow. Over 12 hrs to decrypt, now it is taking hours more to find PGPWDE.
Fortunately, I have a fairly recent backup of the HD image
Once I have this fixed, I will likely disobey corporate instructions and not encrypt my HD.
12 hrs... A serious problem.
There is also an electromagnetic emission from your site, a nickel tea-pot near your monitor, your cat and dog and another alien stuff which nobody'd better know (-: Neither as about your information stored.
Why don't you call a cab to drive the data where necessary? Takes a couple of hours usually, and it's almost an unbreakable solution.
I think it's shocking that Microsoft don't test against ALL the leading rootkits. I mean, millions of people depend on these kits to protect their machines against all the other malware. How hard would it be for MS to set up a few machines, leave them exposed on the interweb for a few minutes to pick something up, and then roll those machine images into their test suite, hmm?
"However, who gave them the open window to enter with a rootkit?"
..Dunno same people for Linux?
http://linuxhelp.blogspot.com/2006/12/various-ways-of-detecting-rootkits-in.html
or Macs?
http://www.switchingtomac.com/tutorials/how-to-check-your-mac-for-rootkits/
feel free to search for others...
...so either the user is a knob and runs their machine perma-priv, or the user is a knob and clicks past the various warnings that Windows throws up - I've seen a Vista machine that appears to whinge about practically everything, the user clicky-clicky without bothering to read the message. I bet if a message popped up saying "TDSS rootkit will now be installed, turning your machine into a Zombie at the beck and call of nasty criminal types the world over" there would be a not insignificant number who "just click it away".
So, don't switch it off, just don't create any more restore points, if you want to maintain restore points but not delete the existing ones. Your inabillity to understand how a tool works doesn't mean that the tool is badly made. I daresay there would be people complaining that it didn't delete the existing restore points when you turned it off, if this were the way it behaved.
Ten machines (seven desk types; three netbooks) and no problems. Wish I knew what the frakk I did right. Or wrong as it were since so many far more intelligent and capable that me are having so many issues. I learned in corporate America we have no "problems" just "issues" and "opportunities".
Nobody likes the concept of cloud service from the architects. Almost.
'Cos' it's simplex, and this is not completely fair, as stated by the majors in 1106 PM session, and it doesn't offer/demand anything in common languages, neither in public, nor in private.
See http://a-pesni.golosa.info/drugije/vofran.htm
"Redmond's security team suggested on Thursday that users may want to hold off on the potentially troublesome MS010-015 update and apply a workaround for that particular problem instead."
They promise to update the patch so it's compatible with the rootkit as soon as possible.
It'll be the same 'silly-billies' that don't scan their systems frequently, don't backup their files frequently, don't follow safety protocols that an urchin could follow, etc. that have been hit with this problem. At this moment I'm thinking about all the millions of other XP users (including me) that really don't have problems like this and have never had...<smug>.
Regardless of what all the Penguin critics say, XP is a cracking OS ;-). Apply hardening, and all other security measures, use yer feckin head and it will serve you very nicely. There's not that much wrong with XP, just a lot of people hate its success, including, ironically, MS.
Stupid users = stupid mistakes, no matter what OS you're running.
I'm sorry, but I'm still not convinced that Microsoft can just blame these problems on a/ some mysterious, unspecified, rootkit(s) and walk away "washing their hands". Apart from the fact that Microsoft have shied away from stating categorically that this is the reason (danger of litiigation if it can be proved not to be so?), if the patch was intended to prevent said rootkit(s), surely they could have tried it on a few infected machines to determine the outcome BEFORE breaking a large number (and issue with a specific warning, if necessary)? (As an aside, I just wonder if anyone has been able to clearly demonstrate a rollback of the patch to fix a machine and then go on to show it clearly does NOT have a rootkit? That would be interesting!)
From my perspective, I've had to deal with a number of affected machines in recent days, at least some of which had up to date anti-virus software by Symantec, McAfee, F-Secure and others and which were set to receive regular signature updates. Are we saying that ALL of these vendors have software which is incapable of detectting a rootkit? Also, many of these machines could not be repaired by simply rolling back the patch - admittedly some had suffered from their owners (natural) desire to attempt to fix the problem which had made matters worse, but they can hardly be blamed for that!
I use both Linux and Microsoft software and have no axe to grind but, on this occasion have found it hard to defend Microsoft to angry customers who, while they may now have a machine which following rebuild is DEFINITELY clear from rootkits/ viruses/ whatever, are now also missing their precious data (irreplaceable photographs/ documents/ etc). Yes, you can be cynical and say they should have learned about backing things up - but they trusted Microsoft, and recommendations to "keep your machine safe - turn on automatic updates" and have been badly let down. Not good enough!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
