February 18, 2010, 5:11 PM — More than a week after Microsoft released an XP patch that seemed to cause BSODs (Blue Screen of Death), Microsoft announced that the immediate cause was the Alureon rootkit. Fair enough, but what about the 17-year old Windows security hole that the rootkit was exploiting?
I mean, come on. This bug dates back to 1993 when Windows for Workgroups 3.11 and Windows NT 3.1 instead of Windows 7 were the hot new versions of Windows. Many of you have never even seen those operating systems much less used them. Since Microsoft has left this security hole open almost long enough for it to be old enough to vote, shouldn't they get some of the blame?
After all, the hackers behind Alureon, aka TDSS, Tidserv and TDL3, botnet were able to fix their malware to work around the Windows' fix before Microsoft finally figured it out. Maybe Microsoft should hire them to work on Windows security instead of relying on their own in-house software engineers. Nah. They're probably making more money from their botnets than Microsoft is willing to pay them.
Specifically, the problem was caused when Microsoft finally fixed a Windows memory call that no longer could be used to call a specific address. According to Microsoft's Mike Reavey, the director of the Microsoft Security Response Center, "Malware writers use unsupported and potentially destabilizing methods for compromising machines because they want to keep their malware hidden from anti-malware software. In the particular case of Alureon, malware writers modified Windows behavior by attempting to access a specific memory location, instead of letting the operating system determine the address which usually happens when an executable is loaded."
Unsupported? After 17-years, I'd say, for better of worse, it was part and parcel of Windows. Of course, if Windows were an open operating system like Linux there wouldn't be any 'unsupported' ways of addressing memory. Heck, maybe someone besides a malicious hacker would have found the bug back before the turn of the century and fixed it.
As it is, Alureon has been exploiting this hole since at least 2008. Who knows what other malware programs may have taken advantage of it over the years.
Be that as it may, to get rid of the problem, you need to first kill off the rootkit with a program like Kaspersky Labs' TDSSKiller. This particular anti-virus fixer was updated on February 16th and should take out even the newest members of the Alureon family.
After that, you can update your system. Of course, in the meantime, Alureon's designers are no longer attacking that hole with their latest model, so it's a case of locking the barn door after the horse has already run away.
The only real fix to this problem is to dump Windows. This is just another of the endless examples of how easy Windows is to attack. Even as Microsoft took care of this problem, it was revealed that the Windows-based Kneber botnet has attacked more than 374 U.S. firms and government agencies. Proper patching might have slowed it down -- most of the systems getting hit by it seem to be running Windows XP SP2.
Still, the bottom line is that Windows is being exploited every day and as the Alureon/XP patch mess showed, Microsoft isn't capable of keeping up with the hackers or their threats.
