How to Deal with Microsoft BSOD: TDSS Malware

So, a couple of weeks ago we were all very concerned about the MS10-015 patch included in the February security update from Microsoft which seemed to cause the dreaded Blue Screen of Death (BSOD) on some machines. As we went “to press” with our blog post, the news was just breaking that the underlying cause might be a rootkit.

Well, it turns out it was a rootkit that caused all this alarm; specifically, it was the TDSS (aka Tidserv, TDL3 or Alureon) rootkit. It impacts all 32-bit versions of Windows, including Windows Vista and Windows 7 – however, the majority of reported cases seem to involve Windows XP (which stands to reason). According to the Microsoft Security Intelligence Report (SIR), Alureon ranked no. 8 on the malware hit parade in the first half of 2009; almost 2 million infections were removed in 1H09, up from about 500,000 in 2H08.

As of this writing, the 32-bit version of the MS10-015 patch is not being offered through the Microsoft Automatic Updates service (the one used by most home users), but the 64-bit version is. Both versions are available through WSUS and SMS for distribution – possibly because Microsoft expects enterprise customers to be better about keeping their anti-malware up to date than home users. (In fact, according to John Pescatore, writing in the SANS NewsBites newsletter, about 1 out of 3 small business and home PCs – the ones that rely on Auto Update – have botnet payloads on them, while most enterprises find that between 3 and 10% of their PCs have also been compromised by botnet malware.) The 32-bit version of the MS10-015 patch is available from Microsoft for manual download and installation.

Microsoft posted an update on this mess and recommends that customers first scan their systems for the Alureon rootkit, clean if necessary, and only then deploy the February security updates; of course, folks should make sure their AV software is up to date, too. If you need help with the scan / clean, check out this TDSS cleaning tool from our friends at Norman. For specifics on the MS10-015 patch, see KB article 977165.
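If you manage more than a handful of machines, the practical question is which of them are 32-bit and still missing the patch, since those are the ones that need the scan / clean / manual-install sequence above rather than waiting on Automatic Updates. The PowerShell below is an added example written for this post, not a Microsoft or Norman tool; the only fact it takes from the post is the KB number 977165, and it assumes PowerShell 2.0 or later and that the hotfix list returned by Get-HotFix (Win32_QuickFixEngineering) is complete for security updates on the hosts you run it against.

```powershell
# Added example (not from the original post): classify a Windows host by
# architecture and MS10-015 (KB977165) status, and say what to do next.
# Assumptions: PowerShell 2.0+, Get-HotFix lists installed security updates.

function Get-MS10015Status {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$KB = 'KB977165'   # KB number for MS10-015, from the post
    )

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # OSArchitecture exists on Vista and later. Windows XP does not expose it,
    # so fall back to the processor-architecture registry value on the target.
    if ($os.OSArchitecture) {
        $arch = $os.OSArchitecture
    } else {
        $reg  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $env0 = $reg.OpenSubKey('SYSTEM\CurrentControlSet\Control\Session Manager\Environment')
        $arch = if ($env0.GetValue('PROCESSOR_ARCHITECTURE') -eq 'AMD64') { '64-bit' } else { '32-bit' }
    }

    # Hotfix presence: Get-HotFix wraps Win32_QuickFixEngineering.
    $patched = [bool](Get-HotFix -ComputerName $ComputerName |
                      Where-Object { $_.HotFixID -eq $KB })

    if ($patched) {
        $action = 'No action: MS10-015 installed'
    } elseif ($arch -like '64*') {
        $action = 'Allow Automatic Updates / WSUS to deliver the 64-bit MS10-015'
    } else {
        # 32-bit and unpatched: this is the case the post is about.
        $action = 'Scan and clean for Alureon/TDSS, then install the 32-bit MS10-015 manually'
    }

    New-Object PSObject -Property @{
        ComputerName = $ComputerName
        OSCaption    = $os.Caption
        Architecture = $arch
        MS10_015     = $patched
        Action       = $action
    }
}

# Run against the local box, or feed it a list of hosts.
Get-MS10015Status | Format-List
# 'pc01','pc02' | ForEach-Object { Get-MS10015Status -ComputerName $_ } |
#     Where-Object { -not $_.MS10_015 -and $_.Architecture -like '32*' }
```

The last commented-out line is the one worth scheduling: it produces exactly the list of hosts that must be scanned for the rootkit before the patch is pushed. A host that reports itself patched but still blue-screens on boot was most likely infected before the patch went on, which is why Microsoft's guidance puts the scan first.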

Oh, and BTW … several commentators have noted that the developers behind TDSS / Alureon are just as upset about the BSODs as the rest of us. So, as a public service, they have updated the rootkit to be compatible with the MS10-015 patch. Just doing their bit, don’t’cha know. But it does reinforce what we’ve been saying for a long time: malware developers are a sophisticated lot these days, so you simply cannot rely on luck to protect you.
