Microsoft smacks patch-blocking rootkit second time

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

According to the Microsoft Malware Prevention Center (MMPC), this month's Malicious Software Removal Tool (MSRT) has scrubbed the Alureon rootkit from over 360,000 Windows PCs since its May 11 release. That represented 18.2% of all MSRT detections for the month, more than double the 8.3% the rootkit accounted for in April.

The free MSRT is updated each month as part of Microsoft's monthly Patch Tuesday, and pushed to users via the same Windows Update mechanism used to serve up security fixes.

April's edition of MSRT, which was released April 13, also included Alureon sniffing skills. Last month, MSRT removed the rootkit from more than 260,000 Windows systems.

Although the Alureon rootkit is no malware newcomer -- antivirus company Symantec identified it in October 2008 -- it first made news last February when Microsoft confirmed that the rootkit caused infected PCs to crash when users applied a patch the company issued that month.

As the number of crash reports grew, Microsoft stopped automatically serving the MS10-015 update. It reissued the update only after it had added a Alureon detector that made sure infected Windows machines would not receive the patch.

Microsoft used the Alureon detection again in April when it shipped another Windows kernel patch in the MS10-021 update.

Until Alureon is removed, infected systems cannot apply the MS10-015 and MS10-021 updates.

While it's not uncommon for MSRT to remove a specific piece of malware from machines for several months running, it is unusual when the number of cleaned systems climbs after Microsoft adds detection for that threat.

Engineers at MMPC said the 37% increase in Alureon detections in was due to new variants of the rootkit. "There were several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution," said Vishal Kapoor and Joe Johnson of the MMPC in an entry on the team's blog last Friday.

May's edition of MSRT spotted more copies of Alureon.H than any other variant, Microsoft said. Alureon.H accounted for 43% of all versions of the rootkit.

Kapoor and Johnson also spilled more bad news. "One of the notable changes was to infect arbitrary system drivers instead of only the hooked miniport driver," they said. "This can have negative side effects on the machine depending on the chosen driver."

Some PC keyboards have gone south after an Alureon infection, they said, while other Windows XP machines must be reactivated because the rootkit's dirty work has tricked Microsoft's product activation software into thinking that the user has swapped out one or more PC parts.

Almost two-thirds (65%) of the PCs infected with Alureon this month were running Windows XP Service Pack 3 (SP3), with the No. 2 spot taken by Windows XP SP2 (14%). Only 3.5% of the rootkit-infected PCs were running Windows 7, said Microsoft.

The latest version of the MSRT can be downloaded from Microsoft's site.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld . Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about windows in Computerworld's Windows Knowledge Center.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email CIO
• Follow CIO on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark