News

Windows Kernel Patch Sidesteps Rootkit Infections

• By Jabulani Leffall
• April 20, 2010

Microsoft's April patch includes a mechanism that avoids installing a Windows kernel fix in the presence of troublesome malware.

Last week, the company explained that it had built detection logic into one of the security fixes (MS10-021) included in the April patch. The fix addresses a long-standing vulnerability in the Windows kernel that could enable elevation-of-privilege attacks, but it won't install on infected machines.

Originally, this precaution had not been in place. Microsoft had released the Windows kernel fix earlier this year (MS10-015) that resulted in instances of "blue screens of death" (BSODs) among some users who applied it. Microsoft pointed to the Alureon rootkit as the cause for the system crashes at the time, and halted pushing out the fix.

"Microsoft is in a no-win situation," said Phil Lieberman, president of Lieberman Software. "If it patches the infected machine, it kills the machine and Microsoft gets blamed. If it detects that the machine is infected and does not patch the machine, the machine is not further damaged, but it is not disinfected and Microsoft gets blamed."

Furthermore, Lieberman explained, if an individual or enterprise customer does not want to buy antivirus software or upgrade from XP, "Microsoft gets blamed for not supporting their products forever, at no cost to the consumer, and Microsoft gets blamed for not working for free."

Microsoft did not specify whether the "virus" it references in its April patch is the same Alureon rootkit that gave users trouble in February. Rootkits such as Alureon corrupt the core OS kernel and hide among processing code. When a patch is applied, the corrupted kernel rejects legitimate kernel modules and causes various hiccups, including BSODs, frozen screens and application failures.

Paul Zimski, vice president of market strategy at security firm Lumension, said that Rootkits are very "pesky," and that Alureon is particularly difficult to deal with because it's a kernel-level bug.

"If these machines are already rootkitted and completely compromised to the point that disinfecting them is almost impossible, whether or not they get patched after the fact is almost a moot point," he said. "If the act of patching them is going to cause [machines] to 'brick,' then you have essentially taken a bad situation and made it even worse."

So where does this leave users or networks besieged by a rootkit?

"Firewall and up-to-date antivirus programs are key," said Jason Miller, data and security team manager at Shavlik Technologies. "Microsoft's malicious software removal tool targets the Alureon rootkit. For home users, this is a free tool. For administrators, they can deploy the tool just like a security patch. It can be run silently in the background without affecting the end user."

Another way to ensure that a rootkit is flushed out, especially on a network with multiple users, is to reimage the Windows environment, operate in safe mode and install a fresh Windows OS from a trusted source.

"Generally speaking once a rootkit 'owns' the kernel, you can't trust the operating system to 'tell the truth'," Zimski explained. "If you can't believe the operating system itself, you essentially have very little confidence that the rootkit has been removed."

The rootkit problem only affects 32-bit Windows systems, but the fix (MS10-021) also addresses vulnerabilities in 64-bit Windows that are deemed "moderate" in severity.

For 32-bit systems, the fix is deemed "important" in severity. It touches Windows 2000, Windows XP, Windows Server 2003 and the original release version of Windows Vista. It's rated moderate for Vista Service Pack 1 and Vista SP2, along with Windows 7 and Windows Server 2008.