Microsoft Refuses To Patch Rootkit-Compromised XP Machines

Barence writes "Microsoft has revealed that its latest round of patches won't install on XP machines if they're infected with a rootkit. In February, a security patch left some XP users complaining of endless reboots and Blue Screens of Death. An investigation followed and Microsoft discovered the problems occurred on machines infected with the Alureon rootkit, which interacted badly with patch KB977165 for the Windows kernel. Now Microsoft is blocking PCs with the rootkit from receiving its new patches. 'This security update includes package-detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems,' Microsoft cautions in the patch notes."
  • by techno-vampire ( 666512 ) on Thursday April 15, 2010 @02:55PM (#31861326) Homepage
    If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them. Of course, this is Microsoft we're talking about, so you know they're not interested in what's right unless it's also profitable.
  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Thursday April 15, 2010 @03:01PM (#31861426)

    Code 0xB302392838271

    This is why I come to Slashdot. So many computer-literate people...

  • by Rockoon ( 1252108 ) on Thursday April 15, 2010 @03:01PM (#31861434)
    From the article:

    As Microsoft has noted, while the solution prevents users from suffering the misery of Blue Screens of Death, it does leave them unprotected and the company has urged users to download its Malicious Software Removal Tool to clean up their machines and run the patch as soon as possible.

    It isn't that they won't patch these systems, it's that they won't automatically install the MSRT, which removes the rootkit, as part of the update.

    ...and to be perfectly honest, who wants the MSRT to be a mandatory component? Things like that are capable of unexpectedly altering the system, something typically frowned upon in enterprise.

  • Re:Makes sense... (Score:5, Informative)

    by clone53421 ( 1310749 ) on Thursday April 15, 2010 @03:11PM (#31861592) Journal

    And that’s what will happen. Installation of the patch will fail, if the rootkit is detected. The malicious software removal tool will be pushed out and remove the rootkit. And eventually the patch will be installed again since the installation failed the first time, and if the rootkit is gone the patch should install properly.
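The "package-detection logic" in the story summary, and the fail-then-retry flow described in the comment above, can be modelled as a pre-install integrity gate. This is an added example, not Microsoft's update code: it hashes the files a package touches or depends on against a manifest of known-good values, refuses to write anything if a file is in an unexpected state, and reports a status the update agent can use to retry after remediation. The file names, contents and hashes are constructed for the demonstration.

```python
"""Pre-install integrity gate for a patch package (added example, not
Microsoft's code).  File names and contents below are constructed
placeholders, not real Windows binaries."""
import hashlib
import os
import tempfile

CLEAN_FILES = {
    "kernel.sys": b"clean kernel image, version 1",
    "disk.sys":   b"clean disk driver, version 1",
}
# The package replaces kernel.sys; disk.sys is a dependency it does not touch.
PATCH_PAYLOAD = {"kernel.sys": b"clean kernel image, version 2"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def file_hash(path: str) -> str:
    with open(path, "rb") as f:
        return sha256_hex(f.read())


def build_manifest(clean: dict, payload: dict) -> dict:
    """Known-good hashes for every file the package touches or depends on,
    before and after the patch.  Untouched files have the same hash on both
    sides."""
    return {
        name: {
            "before": sha256_hex(clean[name]),
            "after": sha256_hex(payload.get(name, clean[name])),
        }
        for name in clean
    }


def precheck(sysdir: str, manifest: dict) -> list:
    """Return the list of abnormal conditions; empty means safe to install."""
    findings = []
    for name, expected in manifest.items():
        path = os.path.join(sysdir, name)
        if not os.path.exists(path):
            findings.append(f"{name}: missing")
            continue
        h = file_hash(path)
        if h not in (expected["before"], expected["after"]):
            findings.append(f"{name}: unexpected hash {h[:12]}... (possible tampering)")
    return findings


def install_patch(sysdir: str, manifest: dict, payload: dict) -> dict:
    """Write the payload only when the precheck is clean.  The returned status
    lets the update agent decide whether to retry later."""
    findings = precheck(sysdir, manifest)
    if findings:
        return {"status": "blocked", "findings": findings}
    if all(file_hash(os.path.join(sysdir, n)) == manifest[n]["after"] for n in payload):
        return {"status": "already_installed", "findings": []}
    for name, data in payload.items():
        with open(os.path.join(sysdir, name), "wb") as f:
            f.write(data)
    return {"status": "installed", "findings": []}


def run_scenario() -> list:
    """Tampered machine is blocked; remediation restores the file; the retry
    installs; a further retry is a no-op.  Returns the status of each attempt."""
    statuses = []
    with tempfile.TemporaryDirectory() as sysdir:
        for name, data in CLEAN_FILES.items():
            with open(os.path.join(sysdir, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(CLEAN_FILES, PATCH_PAYLOAD)

        # Simulated unexpected modification of a dependency (constructed).
        with open(os.path.join(sysdir, "disk.sys"), "ab") as f:
            f.write(b" [unexpected bytes appended]")
        statuses.append(install_patch(sysdir, manifest, PATCH_PAYLOAD)["status"])

        # Remediation, as a removal tool would do it: restore the clean file.
        with open(os.path.join(sysdir, "disk.sys"), "wb") as f:
            f.write(CLEAN_FILES["disk.sys"])
        statuses.append(install_patch(sysdir, manifest, PATCH_PAYLOAD)["status"])
        statuses.append(install_patch(sysdir, manifest, PATCH_PAYLOAD)["status"])
    return statuses


if __name__ == "__main__":
    print(run_scenario())
```

The gate protects against the crash scenario (patching a system whose dependencies are not in the expected state), but it runs on the live system and reads files through the running kernel; as a later comment in this thread notes, a kernel-level rootkit can misrepresent what is on disk, so a clean precheck is not evidence that the machine is clean.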

  • by gzipped_tar ( 1151931 ) on Thursday April 15, 2010 @03:25PM (#31861772) Journal

    If the kernel is fucked, nothing works any more. Any results from on-line determination of the damage status of the machine itself should be assumed fake because the malware is in control of all local resources. To accurately determine the status of the computer, it must be taken offline.

    Never trust what rooted machines say about themselves...

  • by Rockoon ( 1252108 ) on Thursday April 15, 2010 @03:38PM (#31861996)
    You don't know how computers work, do you?

    The blue screen crashing that this rootkit caused after the previous update was not due to rootkit modifications to the files that were being patched.

    The problems occurred because code that was NOT being patched (the rootkit!) was making direct jumps into kernel memory, to offsets that were no longer relevant after the patch.
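The failure mode described in the comment above, a caller that jumps to raw kernel offsets which move when the kernel is patched, can be shown with a toy image. This is an added example, not code from the article or the commenter: the "kernel" is a constructed list of named functions laid out back to back, and a jump is valid only if it lands on a function entry point. A caller that resolves the function by name survives the patch; a caller that memorised an offset from the old layout lands in the middle of a different function.

```python
"""Why jumps to fixed kernel offsets break after a patch (added example;
the image layouts are constructed toys, not real kernel layouts)."""

# (function name, size in bytes), laid out back to back.
KERNEL_V1 = [("read_sector", 32), ("write_sector", 48), ("flush", 16)]
KERNEL_V2 = [("read_sector", 40), ("write_sector", 48), ("flush", 16)]  # patch grew read_sector


class Fault(Exception):
    """Stands in for the bugcheck (Blue Screen) a bad kernel-mode jump causes."""


def layout(funcs):
    """Return (export_table, image): name -> start offset, and
    byte offset -> (function name, index of that byte within the function)."""
    exports, image, off = {}, {}, 0
    for name, size in funcs:
        exports[name] = off
        for i in range(size):
            image[off + i] = (name, i)
        off += size
    return exports, image


def jump_to_offset(image, offset):
    """Emulate a jump to a raw address: only a function entry is a valid target."""
    if offset not in image:
        raise Fault(f"offset {offset} is outside the image")
    name, index = image[offset]
    if index != 0:
        raise Fault(f"offset {offset} is {index} bytes into {name}, not an entry point")
    return name


def jump_by_name(exports, image, name):
    """The supported way: resolve the current address through the export table."""
    return jump_to_offset(image, exports[name])


def run_scenario():
    exports_v1, image_v1 = layout(KERNEL_V1)
    exports_v2, image_v2 = layout(KERNEL_V2)
    # A caller that captured write_sector's address on the unpatched kernel.
    hardcoded = exports_v1["write_sector"]
    results = {
        "v1_hardcoded": jump_to_offset(image_v1, hardcoded),
        "v2_by_name": jump_by_name(exports_v2, image_v2, "write_sector"),
    }
    try:
        results["v2_hardcoded"] = jump_to_offset(image_v2, hardcoded)
    except Fault as e:
        results["v2_hardcoded"] = f"fault: {e}"
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Nothing in the patched files themselves is wrong in this model; the crash comes from a third party that bypassed the export table, which is why the fix the story describes is to refuse installation when such a condition is detected rather than to change the patch.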
  • by TrancePhreak ( 576593 ) on Thursday April 15, 2010 @03:39PM (#31862012)

    >If Microsoft has a way of detecting the rootkit, they should make it available separately so that people can test their machines before they try to update them.

    They do just this. Malicious Software Removal Tool.

  • Obligatory.... (Score:3, Informative)

    by bmo ( 77928 ) on Thursday April 15, 2010 @04:19PM (#31862846)

    http://technet.microsoft.com/en-us/library/cc512587.aspx [microsoft.com]

    >You can't clean a compromised system by patching it.

    >You can't clean a compromised system by removing the back doors.

    >You can't clean a compromised system by using some "vulnerability remover."

    >You can't clean a compromised system by using a virus scanner.

    >You can't clean a compromised system by reinstalling the operating system over the existing installation.

    >You can't trust any data copied from a compromised system.

    >You can't trust the event logs on a compromised system.

    >You may not be able to trust your latest backup.

    >>>>>The only way to clean a compromised system is to flatten and rebuild.

    Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation

  • Re:And the issue is? (Score:3, Informative)

    by rickb928 ( 945187 ) on Thursday April 15, 2010 @04:33PM (#31863096) Homepage Journal

    If this was all caused by some commercial software, say, Adobe Reader gaining a bug that hosed Windows Update, we would be all over Adobe for breaking Windows Update and denying us our precious patches.

    So far, very little scorn for the rootkit author(s) or their legion of distributors.

    I get alerted to malware of various types, from Javascript exploits to out-and-out rootkits, from several interesting websites I visit frequently. I've been reduced to checking them on my phone, cause so far they haven't taken on an advertiser that delivers Android malware. So far. Even my Ubuntu with Firefox sees attacks.

    Place the blame where it belongs: malware distributors and authors, lazy/incompetent/naive users clicking away on pretty stuff, and of course the Windows security community for the abject failure that is Windows 'security', in name only. Windows Update is doing the right thing - alerting users to the potential for serious system failure and the cause. Plowing along and bricking systems is irresponsible.

    Rootkits and the ad servers delivering them should be brought up on criminal charges. Surreptitiously installing software on my machine without my permission should be trespass, and punished accordingly, right up the food chain. Yes, that would mean some day a nice man from the FBI coming into a NAP and cutting off fiber connectors. If you run a red light while drunk, you get the full monty. Go all the way and punish malware by shutting down the ad servers that are delivering it, and you will get action.

    Of course, if that fails, then you go to the New York times, for example, and explain why you are shutting down their sites - they chose web ad agencies badly. Tough. Accountability.
