The Tech Herald

Microsoft re-releases MS10-015 and detection tools

by Steve Ragan - Mar 3 2010, 16:10

On Tuesday Microsoft re-released the patch that, on systems already infected with a rootkit, had triggered the now infamous Blue Screen of Death. No detection and removal tool for the rootkit is yet available through Windows Update, but Microsoft says it is working on one and expects to release it in a few weeks.

Earlier last month, not long after Microsoft's monthly security updates, users began reporting Blue Screens and reboot loops shortly after the patches were applied and systems restarted. After some investigation the problem was narrowed down to a single patch, but the cause remained unknown.

A short while later, security giant Symantec released information suggesting that TDL3, a variant of the TDSS rootkit, could be behind the Blue Screen problems, a claim backed by an independent systems administrator who had examined affected systems. Soon after, Microsoft confirmed that the issues were malware-related and named TDL3, which it calls Alureon, as the rootkit responsible. As a result it stopped pushing MS10-015 through Automatic Update.

[More information on the issues can be seen in previous coverage here and here.]

Since then there has been some forward momentum on the rootkit problems related to MS10-015, and Microsoft is once again issuing the patch through Windows Automatic Update.

The re-release adds a detection step that looks for signs that the system is infected with TDL3. If those signs are present, the update fails and the system displays a screen with alternate support options. It is important to note that the detection logic added to the revised MS10-015 is not a fix: it only stops the patch from being installed on a machine where it would cause a crash, and leaves the rootkit in place.

At this time the only fix is to use a rootkit scanning and removal tool. Many antivirus vendors list TDL3 among the rootkits they can detect, but for many of them removal is easier said than done. If you have not yet applied MS10-015, update your security software and perform a full system scan first.

Microsoft's Security Essentials has signatures for TDL3, but we cannot confirm that it removes the rootkit completely, as we were unwilling to infect test systems with the samples we have at hand. Our opinion is that if the malware is detected, take Microsoft up on its offer of free support on the issue and have them help with removal.

[US customers can call 1-866-727-2338. International customers can visit http://support.microsoft.com/international for access to local support numbers.]

IT departments unwilling to take the risk can deploy a detection tool that tests systems for compatibility with the update before it is rolled out. If a system fails this check, MS10-015 should not be installed on it and, in all honesty, the system should simply be wiped and reimaged: a machine that has been running a kernel-mode rootkit cannot be trusted even after an apparently successful cleanup.

More information from the supporting KB articles, including the tool for IT departments, can be found here and here.
