
Rootkit authors offer fix for MS patch problem

Discussion in 'Windows XP' started by HeyBub, Feb 18, 2010.

  1. HeyBub

    HeyBub Flightless Bird

  2. Daave

    Daave Flightless Bird

    HeyBub wrote:
    > "According to security vendor Prevx, the authors of the rootkit which
    > was the cause of a large number of unbootable systems which applied
    > the MS10-015 patch issued last week have issued a patch to fix the
    > incompatibility."
    > http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >
    > All your roots belong to us...


    OK, so here's the plan.

    I will shut off my firewall and disable my AV program. I will then
    intentionally get infected with that particular rootkit. Then I will
    download and install the patch that the authors of this rootkit issued
    last week so that when I apply the MS10-015 patch, I won't get the BSOD.
    Cool! No more incompatibility!
     
  3. Jose

    Jose Flightless Bird

    On Feb 18, 11:59 am, "Daave" <da...@example.com> wrote:
    > HeyBub wrote:
    > > "According to security vendor Prevx, the authors of the rootkit which
    > > was the cause of a large number of unbootable systems which applied
    > > the MS10-015 patch issued last week have issued a patch to fix the
    > > incompatibility."
    > >http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_pa...

    >
    > > All your roots belong to us...

    >
    > OK, so here's the plan.
    >
    > I will shut off my firewall and disable my AV program. I will then
    > intentionally get infected with that particular rootkit. Then I will
    > download and install the patch that the authors of this rootkit issued
    > last week so that when I apply the MS10-015 patch, I won't get the BSOD.
    > Cool! No more incompatibility!


    I want to do that too.

    I think the best way to understand these things is to experience
    them for yourself and learn how to fix them.

    Where do you go to get infected with that particular rootkit? I have
    been trying for a week.
     
  4. Thee Chicago Wolf [MVP]

    Thee Chicago Wolf [MVP] Flightless Bird

    On Thu, 18 Feb 2010 10:20:49 -0600, "HeyBub" <heybub@gmail.com> wrote:

    >"According to security vendor Prevx, the authors of the rootkit which was
    >the cause of a large number of unbootable systems which applied the MS10-015
    >patch issued last week have issued a patch to fix the incompatibility."
    >
    >http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >
    >All your roots belong to us...


    Priceless.

    - Thee Chicago Wolf [MVP]
     
  5. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    MSRC: Update - Restart Issues After Installing MS10-015 and the Alureon
    Rootkit
    http://blogs.technet.com/msrc/archi...talling-ms10-015-and-the-alureon-rootkit.aspx

    MMPC: Restart issues on an Alureon infected machine after MS10-015 is
    applied
    http://blogs.technet.com/mmpc/archi...fected-machine-after-ms10-015-is-applied.aspx
    --
    ~PA Bear


    HeyBub wrote:
    > "According to security vendor Prevx, the authors of the rootkit which was
    > the cause of a large number of unbootable systems which applied the
    > MS10-015
    > patch issued last week have issued a patch to fix the incompatibility."
    >
    > http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >
    > All your roots belong to us...
     
  6. Bob I

    Bob I Flightless Bird

    Jose wrote:

    > On Feb 18, 11:59 am, "Daave" <da...@example.com> wrote:
    >
    >>HeyBub wrote:
    >>
    >>>"According to security vendor Prevx, the authors of the rootkit which
    >>>was the cause of a large number of unbootable systems which applied
    >>>the MS10-015 patch issued last week have issued a patch to fix the
    >>>incompatibility."
    >>>http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_pa...

    >>
    >>>All your roots belong to us...

    >>
    >>OK, so here's the plan.
    >>
    >>I will shut off my firewall and disable my AV program. I will then
    >>intentionally get infected with that particular rootkit. Then I will
    >>download and install the patch that the authors of this rootkit issued
    >>last week so that when I apply the MS10-015 patch, I won't get the BSOD.
    >>Cool! No more incompatibility!

    >
    >
    > I want to do that too.
    >
    > I think the best way to understand these things is to experience
    > them for yourself and learn how to fix them.
    >
    > Where do you go to get infected with that particular rootkit? I have
    > been trying for a week.


    Why not ask ol' ANGELKISSES420 ?
     
  7. HeyBub

    HeyBub Flightless Bird

    Daave wrote:
    > HeyBub wrote:
    >> "According to security vendor Prevx, the authors of the rootkit which
    >> was the cause of a large number of unbootable systems which applied
    >> the MS10-015 patch issued last week have issued a patch to fix the
    >> incompatibility."
    >> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >>
    >> All your roots belong to us...

    >
    > OK, so here's the plan.
    >
    > I will shut off my firewall and disable my AV program. I will then
    > intentionally get infected with that particular rootkit. Then I will
    > download and install the patch that the authors of this rootkit issued
    > last week so that when I apply the MS10-015 patch, I won't get the
    > BSOD. Cool! No more incompatibility!


    Right. As I understand the problem, the rootkit authors coded an absolute
    address for a critical Windows function; this address was changed by the
    Microsoft update. The rootkit authors then went back and made the address a
    variable to be deduced at run time, thereby making their product more
    robust.

    This is not the first time Microsoft has changed an un-documented item to
    the cost of developers.
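
The failure mode described in the post above, as an added example that is not part of the original thread: code that bakes in an offset into another module reads the wrong bytes once an update moves the function, while a lookup through the module's own export table still finds it. The module images, the names `HelperFn` and `CriticalFn`, and the marker byte are constructed for illustration and do not come from any real Windows binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a system module: an export table plus code bytes. */
struct export_entry { const char *name; uint32_t offset; };
struct module_image {
    const struct export_entry *exports;
    size_t n_exports;
    const uint8_t *code;
    size_t code_len;
};

#define ENTRY_MARK 0xA5u      /* constructed: first byte of CriticalFn */
#define HARDCODED_OFFSET 4u   /* offset observed in the pre-update build */

/* Pre-update build: CriticalFn starts at offset 4. */
static const uint8_t code_v1[] = {0x90, 0x90, 0x90, 0xC3, 0xA5, 0x11, 0xC3, 0x00};
static const struct export_entry exp_v1[] = {{"HelperFn", 0}, {"CriticalFn", 4}};
/* Post-update build: HelperFn grew, so CriticalFn moved to offset 6. */
static const uint8_t code_v2[] = {0x90, 0x90, 0x90, 0x90, 0x90, 0xC3, 0xA5, 0x11, 0xC3};
static const struct export_entry exp_v2[] = {{"HelperFn", 0}, {"CriticalFn", 6}};

static const struct module_image image_v1 = {exp_v1, 2, code_v1, sizeof code_v1};
static const struct module_image image_v2 = {exp_v2, 2, code_v2, sizeof code_v2};

/* Fragile: trusts an offset fixed at build time. Returns the byte found, or -1. */
static int entry_byte_hardcoded(const struct module_image *m) {
    if (HARDCODED_OFFSET >= m->code_len) return -1;
    return m->code[HARDCODED_OFFSET];
}

/* Robust: resolves the name at run time through the module's export table. */
static int entry_byte_by_name(const struct module_image *m, const char *name) {
    for (size_t i = 0; i < m->n_exports; i++) {
        if (strcmp(m->exports[i].name, name) != 0) continue;
        if (m->exports[i].offset >= m->code_len) return -1; /* corrupt table */
        return m->code[m->exports[i].offset];
    }
    return -1; /* name not exported */
}

int main(void) {
    printf("v1 hardcoded: %#x\n", (unsigned)entry_byte_hardcoded(&image_v1));
    printf("v2 hardcoded: %#x (stale)\n", (unsigned)entry_byte_hardcoded(&image_v2));
    printf("v2 by name:   %#x\n", (unsigned)entry_byte_by_name(&image_v2, "CriticalFn"));
    return 0;
}
```

In kernel mode, transferring control to the stale offset instead of just reading it is the kind of fault that ends in a bugcheck rather than a wrong printed value.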
     
  8. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    I think it disingenuous at best to consider malware writers & botnet owners
    "developers."

    HeyBub wrote:
    <blithersnippage>
    > This is not the first time Microsoft has changed an un-documented item to
    > the cost of developers.
     
  9. David H. Lipman

    David H. Lipman Flightless Bird

  10. Jose

    Jose Flightless Bird

    On Feb 18, 3:14 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > I think it disingenuous at best to consider malware writers & botnet owners
    > "developers."
    >
    > HeyBub wrote:
    >
    > <blithersnippage>
    >
    >
    >
    > > This is not the first time Microsoft has changed an un-documented item to
    > > the cost of developers.


    Their efforts are sometimes clever, usually merely annoying and fairly
    easy to outsmart.

    I think there is some sick, twisted and perverted reward (there -
    that's all the good words) and competition between the authors to see
    who can be the most likely to induce a complete reinstall of Windows
    when some person on the receiving end is unable or unwilling to try to
    figure out their products and fix the problem and just gives up.
    Victory is theirs!

    They could certainly be malicious and destructive if they wanted to
    be, but so far... they seem to be mostly just annoying.
     
  11. VanguardLH

    VanguardLH Flightless Bird

    HeyBub wrote:

    > "According to security vendor Prevx, the authors of the rootkit which was
    > the cause of a large number of unbootable systems which applied the MS10-015
    > patch issued last week have issued a patch to fix the incompatibility."
    >
    > http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >
    > All your roots belong to us...


    So rather than get RID of the rootkit malware, users are expected to get an
    update to the malware. Uh huh.

    In similar manner, put the malware authors up against a wall and I'll SHOOT
    them in their heads with hollow-point bullets. Then I'll offer to remove
    the flattened bullets, bend them into a slightly different form, and then
    hammer them back into their dead brains. Works for me.
     
  12. Bob I

    Bob I Flightless Bird

    Jose wrote:

    > On Feb 18, 3:14 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    >
    >>I think it disingenuous at best to consider malware writers & botnet owners
    >>"developers."
    >>
    >>HeyBub wrote:
    >>
    >><blithersnippage>
    >>
    >>
    >>
    >>>This is not the first time Microsoft has changed an un-documented item to
    >>>the cost of developers.

    >
    >
    > Their efforts are sometimes clever, usually merely annoying and fairly
    > easy to outsmart.
    >
    > I think there is some sick, twisted and perverted reward (there -
    > that's all the good words) and competition between the authors to see
    > who can be the most likely to induce a complete reinstall of Windows
    > when some person on the receiving end is unable or unwilling to try to
    > figure out their products and fix the problem and just gives up.
    > Victory is theirs!
    >
    > They could certainly be malicious and destructive if they wanted to
    > be, but so far... they seem to be mostly just annoying.


    No, the 'bot herders want to remain UNdetected. They DON'T want to lose
    control of a PC as it is in their best interest to keep the PC working
    for them.
     
  13. MowGreen

    MowGreen Flightless Bird

    VanguardLH wrote:
    > HeyBub wrote:
    >
    >> "According to security vendor Prevx, the authors of the rootkit which was
    >> the cause of a large number of unbootable systems which applied the MS10-015
    >> patch issued last week have issued a patch to fix the incompatibility."
    >>
    >> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
    >>
    >> All your roots belong to us...

    >
    > So rather than get RID of the rootkit malware, users are expected to get an
    > update to the malware. Uh huh.
    >
    > In similar manner, put the malware authors up against a wall and I'll SHOOT
    > them in their heads with hollow-point bullets. Then I'll offer to remove
    > the flattened bullets, bend them into a slightly different form, and then
    > hammer them back into their dead brains. Works for me.



    I'll bring the popcorn and refreshments, Vanguard.

    MowGreen
    ================
    *-343-* FDNY
    Never Forgotten
    ================

    banthecheck.com
    "Security updates should *never* have *non-security content* prechecked
     
