SANS ISC: MS10-015 may cause Windows XP to blue screen - SANS Internet Storm Center
MS10-015 may cause Windows XP to blue screen

We have heard about reports that MS10-015 causes some Windows XP machines to blue screen. If you are seeing this issue, please let us know.

(I am filling in for Deborah on this diary as she is ironically busy dealing with lots of blue screens in her organization, which may be related)

See for example:

http://www.krebsonsecurity.com/2010/02/new-patches-cause-bsod-for-some-windows-xp-users/

and

http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3089 Posts
ISC Handler
I have seen this on one of my workstations. Rebooted the workstation and everything seems fine.
PW

62 Posts
Two PCs were updated. I found one not responding, part way through booting. Powered off and on, and it booted normally. The other PC had rebooted OK.
Dick Rawson

16 Posts
We updated 112 PCs last night, no problems at all.
Anonymous

Posts
67 machines updated, one BSOD. Rolled back KB977165 (MS10-015) on that one machine, rebooted and all was well.
GuenTech

16 Posts
I had an Eee PC with XP Home brought to me with this same problem. I rolled back KB977165, rebooted and the system worked fine. I reapplied KB977165 and the rest of the updates available at Microsoft Update, and the problem returned. I replaced \WINDOWS\System32\drivers\atapi.sys with a clean version from an XP SP3 distribution folder and rebooted... voila! Problem solved.

For reference, the SHA1SUMs of the atapi.sys files:

Non-working:
bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6

Working:
a719156e8ad67456556a02c34e762944234e7a44

If anyone wants to look at the non-working atapi.sys:
https://patrickwbarnes.com/pub/atapi.sys

I will be looking at this more in-depth.
Anonymous

Posts
I uploaded the non-working atapi.sys to VirusTotal. Here's the result:

http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925529

Apparently, this update problem is the result of an infection.
Anonymous

Posts
Patrick, just before your post I downloaded the atapi.sys from your site because nothing at Microsoft's site indicates that this driver would be replaced by MS10-015. My AV screamed. I turned it off and, more or less simultaneously with you, uploaded the file to virustotal, see http://www.virustotal.com/analisis/85aa49f587f69f30560f02151af2900f3dc71d39d1357727ab41b11ef828a7ff-1265925521

I wouldn't be surprised if the new kernel files, replaced by the MS10-015 patch, change (pointer) tables that are being exploited by certain types of malware (rootkits in particular), which cease to work 'correctly' after the patch.
Erik van Straten

122 Posts
Based on the malware observation above, my best guess is that either malware, or legitimate software, that modifies (probably undocumented) in-memory kernel data, functions or (pointer-) tables, is causing XP systems to crash after applying MS10-015.
Erik van Straten

122 Posts
I concur with Bitwiper's conclusion. It appears that, following this update, the references made by the malware-infected atapi.sys are broken, resulting in the crash.

The best advice to those who have not already applied the update is to perform virus scans with up-to-date antivirus software. The problem may not be isolated to the infection identified by the VirusTotal results above.

For those who are now facing this issue, replacing atapi.sys using the Windows Recovery Console or live media, then thoroughly scanning for and cleaning any other infected files should return the system to working order. As with any infection, I would recommend wiping and reloading the system if feasible.
Anonymous

Posts
Kevin Hau of Microsoft has posted a recovery method for XP systems that do not reboot after the installation of KB977165, and a link to the MS Fixit KB article that mitigates the vulnerability the update addresses, in this thread:
http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/73cea559-ebbd-4274-96bc-e292b69f2fd1/

FWIW, I doubt that malware is involved in this issue but ... ya never know. <w>
Anonymous

Posts
Because antivirus software is likely not to be able to detect malware on a running rootkit-infected system (because the rootkit will 'cloak' its existence), this may help people (who've not patched yet) to determine if their PC is infected with the malware identified by Patrick W. Barnes. However, I need some help to make sure.

The length of the original XP SP3 atapi.sys file (which lives in c:\windows\system32\drivers\) is 96,512 bytes. The malware version on Patrick W. Barnes' website has the same length, so this doesn't help. Furthermore, most people don't understand "sha1sums" and do not have sha1sum.exe on their PC.

The binaries are mostly identical; the malware version has 4 bytes changed at the beginning of the file, while, interestingly, its version information block has been overwritten with the apparent malware code, probably leaving all original functionality intact.

Therefore, a modified atapi.sys by this particular malware can *probably* easily be identified on a running system by right-clicking c:\windows\system32\drivers\atapi.sys (Explorer must be configured to show system files): a *completely missing* Version tab in the file properties dialog box definitely means you've got a problem.

However, a present Version tab doesn't necessarily mean your system is okay. The malware *may* have saved the version info data to a separate file (or the registry) before overwriting the section in atapi.sys.

Therefore, I'm very interested to know if anyone observes missing version info in atapi.sys on an (unpatched, otherwise it would BSOD) XP PC.

Patrick, can you confirm a missing version info tab in atapi.sys' file properties dialog box on the *infected* EEE PC?
Erik van Straten

122 Posts
As the Eee PC has been cleaned, I cannot verify the missing version tab on it.

Anyone seeing this issue could roll back the update, reboot and check the atapi.sys file properties. I will do so if I get another chance.
Anonymous

Posts
Thanks anyway Patrick!

Btw, a Google search for "atapi.sys rootkit" results in a lot of info; http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html is a nice writeup of the Tdss malware which was identified in the atapi.sys Patrick (and I) uploaded to virustotal.

Note that my question still stands: anyone observing a missing version tab in atapi.sys' file properties?
Erik van Straten

122 Posts
I have updated my blog post on the subject with repair instructions:

https://patrickwbarnes.com/blog/2010/02/microsoft-update-kb977165-triggering-widespread-bsod/

I will expand those instructions as time permits and as more information becomes known.
Anonymous

Posts
For anyone interested, I wrote a vbscript that reads a list of machines from an .xls, queries the atapi.sys file on each remote machine and records the MD5 checksum.

http://home.comcast.net/~jblizz/Atapi_MD5_Checker.zip
Anonymous

Posts
Jblizz, your efforts are appreciated!

However, I'm afraid that the results of your scan are unreliable, because the infected atapi.sys file will be hidden and probably virtually replaced with the contents of the original atapi.sys (typically hidden somewhere else on disk).

If you'd be able to md5 the infected file, AV would be able to detect it as well. Currently hardly any AV product (if any at all) seems to be able to recognize this malware on a *running* infected PC. You'll have to boot another OS in order to be able to read the infected file.

Note that my own idea, checking for a missing "Version" tab in the file properties dialog box, is likely not to work for the same reason.

Furthermore, reports indicate that it's not just atapi.sys that may be modified by the Tdss rootkit; http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html also mentions iastor.sys.

Finally, note that other Tdss variants and even other rootkits may exist that modify other legitimate drivers while hooking some or all of the same kernel functions whose locations in memory may have changed after applying MS10-015 (provided that my rootkit theory is correct).
Erik van Straten

122 Posts
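The offline check described in this post and in Erik's earlier "missing Version tab" post (read the driver from a disk that is not booted, compare its SHA1 against the two values quoted in the thread, look for the PE version block, and locate the bytes that differ from a clean reference copy), as an added Python example that is not code from any poster; the sample bytes are constructed, not real driver contents.

```python
"""Offline triage of a driver file (atapi.sys) copied from a disk that is NOT
booted. Added example; the sample bytes below are constructed, not real."""
import hashlib

# SHA1 values quoted in the thread for XP SP3 atapi.sys.
KNOWN_GOOD_SHA1 = "a719156e8ad67456556a02c34e762944234e7a44"
KNOWN_BAD_SHA1 = "bb3e36ad0c8ed6daab38653ea4a942d74b9f4ff6"
# Every PE version resource (what Explorer's Version tab renders) carries this.
VERSION_MARKER = "VS_VERSION_INFO".encode("utf-16-le")

# Constructed stand-ins: a "clean" image with a version block, and a copy with
# 4 header bytes patched and the version block overwritten, as described above.
CLEAN_SAMPLE = b"MZ" + b"\x00" * 254 + b"CODE" * 64 + VERSION_MARKER + b"\x00" * 32
_sus = bytearray(CLEAN_SAMPLE)
_sus[0x40:0x44] = b"\xde\xad\xbe\xef"
_vi = CLEAN_SAMPLE.index(VERSION_MARKER)
_sus[_vi:_vi + len(VERSION_MARKER)] = b"X" * len(VERSION_MARKER)
SUSPECT_SAMPLE = bytes(_sus)

def classify_hash(data: bytes) -> str:
    """Compare against the two hashes from the thread; anything else is unknown
    (different driver build, different variant, or not atapi.sys at all)."""
    digest = hashlib.sha1(data).hexdigest()
    if digest == KNOWN_GOOD_SHA1:
        return "clean"
    return "infected" if digest == KNOWN_BAD_SHA1 else "unknown"

def has_version_info(data: bytes) -> bool:
    """Heuristic for the 'missing Version tab' observation."""
    return VERSION_MARKER in data

def diff_ranges(clean: bytes, suspect: bytes) -> list:
    """Contiguous [start, end) byte ranges where suspect differs from clean;
    a length mismatch is reported as one trailing range."""
    ranges, start = [], None
    n = min(len(clean), len(suspect))
    for i in range(n):
        if clean[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(clean) != len(suspect):
        ranges.append((n, max(len(clean), len(suspect))))
    return ranges
```

Run it against a file read from a mounted, non-booted disk (e.g. `open("/mnt/xp/WINDOWS/system32/drivers/atapi.sys", "rb").read()`) next to a clean copy from the SP3 distribution folder; hashing the live system, as noted above, only shows what the rootkit lets you see.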
By the way, *if* the BSOD's are caused by rootkits that are incompatible with MS10-015, then the BSOD problem will probably automagically vanish.

Currently the rootkit makers have plenty of time to adapt their malware to MS10-015 on PC's they pwn around the world - until Microsoft resumes its auto-update. This may significantly extend the 'second-life' of a lot of zombie PC's...
Erik van Straten

122 Posts
I had the KB977165/BSoD problem on my laptop yesterday. Fixed it by removing KB977165 and all was well but it came back again this morning after autoupdate re-installed KB977165.

Removed KB977165 again but this time turned off autoupdate. Through all this my Mcafee antivirus was silent.

Checked atapi.sys with sha1sum.exe and got the working checksum (a719156...).

Took out the hard drive and installed it on another working system as an external drive. As soon as I accessed the atapi.sys file, Mcafee cleaned it and wrote the following log entry:

2/12/2010 3:57:19 PM Cleaned XXX\ad8121 C:\WINDOWS\Explorer.EXE E:\WINDOWS\system32\drivers\atapi.sys Patched-SYSFile (Trojan)

Installed the now cleaned HD into the laptop, installed the KB977165 update and rebooted with no problem.

Wow! This is scary. I work in network security and I thought I practiced safe computing but after this I'm not sure anyone is safe.
Anonymous

Posts
Meanwhile Symantec has a blog online (thanks!) which confirms my assumption that the rootkit malware causing BSOD's hooks API calls via "hard-coded relative virtual addresses (RVAs) into the kernel module": http://www.symantec.com/connect/blogs/tidserv-and-ms10-015
Common drivers modified by the TDL3 variant of the Tidserv trojan (which has its roots or is related to the TDSS rootkit family) are, according to Symantec: atapi.sys, iastor.sys, idechndr.sys, ndis.sys, nvata.sys and vmscsi.sys.

Source for that link (thanks PROROOTECT): http://forum.sysinternals.com/forum_posts.asp?TID=21266&PID=116141#116141
That post includes a link to a YouTube video confirming the BSOD after applying MS10-015 to a PC (VM) infected with rootkit TLD3.241.

TonyD, thanks for your honest contribution above. The sysinternals thread above mentions a lot of virustotal pages. It is clear that AV cannot be depended upon at the moment the infector enters our PC. After most TDSS rootkit variants are installed, you're lost; hardly any AV will be able to detect that your PC is compromised while the rootkit is active.

Among other things, these rootkits are being spread via fake Anti Virus, but I wouldn't be surprised if the attack also spreads via compromised websites/banner servers (MSIE and Adobe Flash exploits), or manipulated PDF/Office docs spammed via e-mail.
Erik van Straten

122 Posts