Microsoft Confirms Blue Screen of Death Tied to Malware

Written by Brian Prince
Feb 18, 2010

Microsoft has confirmed that the Blue Screen of Death issue reported last week on Windows machines is caused by a rootkit.

According to Microsoft, Windows systems infected with Alureon were hit with Blue Screen of Death errors that prevented computers from booting after the user downloaded Microsoft patch MS10-015.

“The restarts are the result of modifications the Alureon rootkit makes to Windows Kernel binaries, which places these systems in an unstable state,” blogged Mike Reavey, director of the Microsoft Security Response Center. “In every investigated incident, we have not found quality issues with security update MS10-015.”

The update patched two vulnerabilities affecting the Windows Kernel, and was one of 13 security bulletins issued Feb. 9 as part of Patch Tuesday. As reports of the problem came in, speculation began to center on malware being the root cause.

According to Reavey, Alureon modifies Windows behavior by attempting to access a specific memory location instead of letting the operating system determine the address as it normally does when an executable is loaded.

“The chain of events in this case was a machine became infected, during which the malware made assumptions as to the layout of the Windows code on the machine,” he explained. “Subsequently MS10-015 was downloaded and installed, during which the location of Windows code changed. On the next reboot, the malware code crashed attempting to call a specific address in Windows code which was no longer the intended OS function.”

The versions of Alureon found to be causing the problem only infected 32-bit systems, according to Microsoft.

“A malware compromise of this type is serious, and if customers cannot confirm removal of the Alureon rootkit using their chosen anti-virus/anti-malware software, the most secure recommendation is for the owner of the system to back up important files and completely restore the system from a cleanly formatted disk,” Reavey stated.
