• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

Rootkit author offer fix for MS patch problem

D

Daave

Flightless Bird
HeyBub wrote:
> "According to security vendor Prevx, the authors of the rootkit which
> was the cause of a large number of unbootable systems which applied
> the MS10-015 patch issued last week have issued a patch to fix the
> incompatibility."
> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>
> All your roots belong to us...


OK, so here's the plan.

I will shut off my firewall and disable my AV program. I will then
intentionally get infected with that particular rootkit. Then I will
download and install the patch that the authors of this rootkit issued
last week so that when I apply the MS10-015 patch, I won't get the BSOD.
Cool! No more incompatibility!
 
J

Jose

Flightless Bird
On Feb 18, 11:59 am, "Daave" <da...@example.com> wrote:
> HeyBub wrote:
> > "According to security vendor Prevx, the authors of the rootkit which
> > was the cause of a large number of unbootable systems which applied
> > the MS10-015 patch issued last week have issued a patch to fix the
> > incompatibility."
> >http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_pa...

>
> > All your roots belong to us...

>
> OK, so here's the plan.
>
> I will shut off my firewall and disable my AV program. I will then
> intentionally get infected with that particular rootkit. Then I will
> download and install the patch that the authors of this rootkit issued
> last week so that when I apply the MS10-015 patch, I won't get the BSOD.
> Cool! No more incompatibility!


I want to do that too.

I think the the best way to understand these things is to experience
them for yourself and learn how to fix them.

Where do you go to get infected with that particular rootkit? I have
been trying for a week.
 
T

Thee Chicago Wolf [MVP]

Flightless Bird
On Thu, 18 Feb 2010 10:20:49 -0600, "HeyBub" <heybub@gmail.com> wrote:

>"According to security vendor Prevx, the authors of the rootkit which was
>the cause of a large number of unbootable systems which applied the MS10-015
>patch issued last week have issued a patch to fix the incompatibility."
>
>http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>
>All your roots belong to us...


Priceless.

- Thee Chicago Wolf [MVP]
 
P

PA Bear [MS MVP]

Flightless Bird
MSRC: Update - Restart Issues After Installing MS10-015 and the Alureon
Rootkit
http://blogs.technet.com/msrc/archi...talling-ms10-015-and-the-alureon-rootkit.aspx

MMPC: Restart issues on an Alureon infected machine after MS10-015 is
applied
http://blogs.technet.com/mmpc/archi...fected-machine-after-ms10-015-is-applied.aspx
--
~PA Bear


HeyBub wrote:
> "According to security vendor Prevx, the authors of the rootkit which was
> the cause of a large number of unbootable systems which applied the
> MS10-015
> patch issued last week have issued a patch to fix the incompatibility."
>
> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>
> All your roots belong to us...
 
B

Bob I

Flightless Bird
Jose wrote:

> On Feb 18, 11:59 am, "Daave" <da...@example.com> wrote:
>
>>HeyBub wrote:
>>
>>>"According to security vendor Prevx, the authors of the rootkit which
>>>was the cause of a large number of unbootable systems which applied
>>>the MS10-015 patch issued last week have issued a patch to fix the
>>>incompatibility."
>>>http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_pa...

>>
>>>All your roots belong to us...

>>
>>OK, so here's the plan.
>>
>>I will shut off my firewall and disable my AV program. I will then
>>intentionally get infected with that particular rootkit. Then I will
>>download and install the patch that the authors of this rootkit issued
>>last week so that when I apply the MS10-015 patch, I won't get the BSOD.
>>Cool! No more incompatibility!

>
>
> I want to do that too.
>
> I think the the best way to understand these things is to experience
> them for yourself and learn how to fix them.
>
> Where do you go to get infected with that particular rootkit? I have
> been trying for a week.


Why not ask ol' ANGELKISSES420 ?
 
H

HeyBub

Flightless Bird
Daave wrote:
> HeyBub wrote:
>> "According to security vendor Prevx, the authors of the rootkit which
>> was the cause of a large number of unbootable systems which applied
>> the MS10-015 patch issued last week have issued a patch to fix the
>> incompatibility."
>> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>>
>> All your roots belong to us...

>
> OK, so here's the plan.
>
> I will shut off my firewall and disable my AV program. I will then
> intentionally get infected with that particular rootkit. Then I will
> download and install the patch that the authors of this rootkit issued
> last week so that when I apply the MS10-015 patch, I won't get the
> BSOD. Cool! No more incompatibility!


Right. As I understand the problem, the rootkit authors coded an absolute
address for a critical Windows function; this address was changed by the
Microsoft update. The rootkit authors then went back and made the address a
variable to be deduced at run time, thereby making their product more
robust.

This is not the first time Microsoft has changed an un-documented item to
the cost of developers.
 
P

PA Bear [MS MVP]

Flightless Bird
I think it disingenuous at best to consider malware writers & botnet owners
"developers."

HeyBub wrote:
<blithersnippage>
> This is not the first time Microsoft has changed an un-documented item to
> the cost of developers.
 
J

Jose

Flightless Bird
On Feb 18, 3:14 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
> I think it disingenuous at best to consider malware writers & botnet owners
> "developers."
>
> HeyBub wrote:
>
> <blithersnippage>
>
>
>
> > This is not the first time Microsoft has changed an un-documented item to
> > the cost of developers.


Their efforts are sometimes clever, usually merely annoying and fairly
easy to outsmart.

I think there is some sick, twisted and perverted reward (there -
that's all the good words) and competition between the authors to see
who can be the most likely to induce a complete reinstall of Windows
when some person on the receiving end is unable or unwilling to try to
figure out their products and fix the problem and just gives up.
Victory is theirs!

They could certainly be malicious and destructive if they wanted to
be, but so far... they seem to be mostly just annoying.
 
V

VanguardLH

Flightless Bird
HeyBub wrote:

> "According to security vendor Prevx, the authors of the rootkit which was
> the cause of a large number of unbootable systems which applied the MS10-015
> patch issued last week have issued a patch to fix the incompatibility."
>
> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>
> All your roots belong to us...


So rather than get RID of the rootkit malware, users are expected to get an
update to the malware. Uh huh.

In similar manner, put the malware authors up against a wall and I'll SHOOT
them in their heads with hollow-point bullets. Then I'll offer to remove to
the flattened bullets, bend them into a slightly different form, and then
hammer them back into their dead brains. Works for me.
 
B

Bob I

Flightless Bird
Jose wrote:

> On Feb 18, 3:14 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
>
>>I think it disingenuous at best to consider malware writers & botnet owners
>>"developers."
>>
>>HeyBub wrote:
>>
>><blithersnippage>
>>
>>
>>
>>>This is not the first time Microsoft has changed an un-documented item to
>>>the cost of developers.

>
>
> Their efforts are sometimes clever, usually merely annoying and fairly
> easy to outsmart.
>
> I think there is some sick, twisted and perverted reward (there -
> that's all the good words) and competition between the authors to see
> who can be the most likely to induce a complete reinstall of Windows
> when some person on the receiving end is unable or unwilling to try to
> figure out their products and fix the problem and just gives up.
> Victory is theirs!
>
> They could certainly be malicious and destructive if they wanted to
> be, but so far... they seem to be mostly just annoying.


No the 'bot herders want to remain UNdetected. They DON'T want to lose
control of a PC as it is in their best interest to keep the PC working
for them.
 
M

MowGreen

Flightless Bird
VanguardLH wrote:
> HeyBub wrote:
>
>> "According to security vendor Prevx, the authors of the rootkit which was
>> the cause of a large number of unbootable systems which applied the MS10-015
>> patch issued last week have issued a patch to fix the incompatibility."
>>
>> http://blogs.pcmag.com/securitywatch/2010/02/rootkit_authors_issue_patch_fo.php
>>
>> All your roots belong to us...

>
> So rather than get RID of the rootkit malware, users are expected to get an
> update to the malware. Uh huh.
>
> In similar manner, put the malware authors up against a wall and I'll SHOOT
> them in their heads with hollow-point bullets. Then I'll offer to remove to
> the flattened bullets, bend them into a slightly different form, and then
> hammer them back into their dead brains. Works for me.



I'll bring the popcorn and refreshments, Vanguard.

MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
"Security updates should *never* have *non-security content* prechecked
 
Top