Malware blue-screens when patched – Tales from the Crypto

Malware blue-screens when patched

The Microsoft update MS10-015 recently demonstrated rather dramatically that unauthorised patches to the operating system make it significantly unstable and unreliable.

In this case, the unauthorised patch is a rootkit called, among other things, “Alureon”, which alters some low-level drivers supplied with Windows.

Those of us who have been in this industry for a while may remember how unreliable updates used to be – but now, we find that patches are far easier to trust. The recent blue-screen of death (BSoD) errors associated with MS10-015 caused people to reassess that idea, as always happens when a patch is associated with crashes or malfunctions.

It’s very nice to see that those doubts are unfounded in this case: MS10-015 received as good a round of testing as any other patch issued by Microsoft, and these BSoD errors are the result of a third-party developer failing to anticipate that Microsoft might change the code it had patched while fixing other issues.

Of course, in this case, it’s a malware writer, and we can be forgiven for thinking that this is to be expected because malware writers are sloppy. The truth, though, is that some malware writers are not. It’s how they remain undetected, it’s how they continue to extract value from the systems into which they have made their incursions, and it’s how they manage to keep spreading. There has even been some speculation that some attackers will patch and fix the systems they infiltrate in order to keep their malware running. Obviously, it’s not a sound business strategy to allow someone to breach your systems in the hope that they’ll keep those systems running reliably.

No, the message here is that the operating system on a Windows computer belongs to Microsoft, and Microsoft documents well those places where you are expected to modify it. Step outside those boundaries of safe patching, and you run a real risk that a patch will trigger significant adverse behaviour. I believe I said something along those lines back when the antivirus vendors were complaining about PatchGuard, the technology in 64-bit Windows designed to prevent unauthorised patching of the Windows kernel.

If you experience problems as a result of applying a Microsoft security patch, or if you are experiencing what appears to be a security flaw in a Microsoft product, don’t forget that you can get free phone support in most countries. The US / Canada number to call for security issues is 1-866-PC SAFETY (1-866-727-2338).
