A rootkit infection may be the cause of a Windows Blue Screen of Death issue experienced by people who applied the latest round of Microsoft patches.
It appears that the affected Windows PCs had the rootkit infection prior to deploying the Microsoft patches. Researchers investigating the issue have isolated the infection to the Windows atapi.sys file, a driver used by Windows to connect hard drives and other components. Patrick W. Barnes, an Amarillo, Texas-based computer expert who discovered the infection, posted instructions on how to repair the atapi.sys file. Barnes stated in an email message: "Atapi.sys is a good target for rootkits because it loads so early during the boot process. Once loaded, the rootkit can defend itself, and once atapi.sys is loaded, it is hard to replace."
Barnes identified the infection as the TDSS rootkit, which surfaced in 2008 and has been spreading quickly, creating zombie machines for botnet activity. Barnes said: "This particular rootkit can be very difficult to detect. Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads."
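The report above turns on one question a defender wants answered: is the atapi.sys on disk the file Microsoft shipped? The script below is an added example for this article, not Barnes's repair instructions or any Microsoft tool; it assumes Windows 7 or later, PowerShell 4 or newer (for Get-FileHash), an elevated prompt, and the usual WinSxS component-store layout.

```powershell
# Added example (not from the article): defender-side integrity check for the
# driver this report discusses. Assumptions: Windows 7+, PowerShell 4+, elevated.
$driver = Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'

function Get-DriverIntegrityReport {
    param([string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Pristine copies of the same binary live in the component store (WinSxS).
    # A live copy whose hash matches none of them deserves a closer look.
    # (Assumption: the component-store layout on the machine being checked.)
    $refs = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') -Recurse `
                -Filter (Split-Path $Path -Leaf) -ErrorAction SilentlyContinue
    $refHashes = foreach ($r in $refs) {
        (Get-FileHash -Path $r.FullName -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Path            = $Path
        SizeBytes       = (Get-Item $Path).Length
        SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256          = $hash
        MatchesWinSxS   = ($refHashes -contains $hash)
        ReferenceCopies = @($refs).Count
    }
}

$report = Get-DriverIntegrityReport -Path $driver
$report | Format-List

# Expected state: a valid Microsoft signature AND a hash shared with a
# component-store copy. Anything else: have System File Checker verify the
# file against its catalog before treating the driver as clean.
if ($report.SignatureStatus -ne 'Valid' -or -not $report.MatchesWinSxS) {
    Write-Warning 'atapi.sys does not look pristine; verifying with SFC'
    sfc.exe /verifyfile=$driver
}
```

Because a loaded rootkit "can defend itself", as Barnes notes, a check run from inside the infected system can be shown a clean copy; running the same comparison against the disk from recovery media gives a more trustworthy answer.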
Barnes said the rootkit infection may not be the only cause of the blue screen condition. MS10-015, which has been identified as the update causing the problem, repairs two flaws in the Windows kernel, and other infected drivers may also be the culprit, he said.

Microsoft issued a statement late Thursday acknowledging the issue. Jerry Bryant, senior communications lead at the Microsoft Security Response Center, said engineers were investigating the matter. The software giant halted the automatic release of MS10-015, a bulletin that repairs two Windows kernel vulnerabilities, pending the outcome of the investigation, he said. The update was one of 13 bulletins issued on Tuesday, repairing 26 vulnerabilities across Microsoft's product line. "We have not confirmed that the issue is specific to MS10-015 or if it is an interoperability problem with another component or third-party software," Bryant wrote in a blog entry on the MSRC blog.

Rootkits are fairly common. They are installed by attackers who first gain access to the machine by exploiting a vulnerability. Once inside, the attacker deploys the rootkit, which hides the intrusion and keeps root or privileged access to the computer. A rootkit can also be bundled with spyware programs that monitor traffic and record keystrokes. Antivirus vendors typically have trouble detecting rootkits, because a rootkit that loads before the security software can hide from it; Microsoft and F-Secure offer applications that can detect their presence.

Patching experts at several vulnerability management vendors reported few problems with the latest round of patches. Corporate patch deployments go through a more rigorous testing process, and most enterprise PCs have standard configurations and up-to-date security software, which may result in fewer blue screen issues, they said. "We have no customers reporting this issue back to us, but we're well aware of what's happening here," said Jason Miller, data and security team leader at St. Paul, Minn.-based Shavlik Technologies Inc. "We'll probably be seeing this more on the home side rather than on the corporate side."