Microsoft had a large Patch Tuesday in February – with an unintended side effect: large amounts of blue screens. This turned out to be due to an interaction between the Alureon rootkit and the patch for KB977165 which updates the Windows kernel. This month’s patches also contain kernel updates, and so have the same incompatibility with the rootkit. As the bulletin for MS10-021 states, “This security update includes package detection logic that prevents the installation of the security update if certain abnormal conditions exist on 32-bit systems. These abnormal conditions on a system could be the result of an infection with a computer virus that modifies some operating system files, which renders the infected computer incompatible with the kernel update.”
So Microsoft is deliberately not installing the newer kernel updates if the rootkit is detected – and at the same time leaving vulnerabilities unpatched. There are no active exploits for the problems the newest kernel patches are trying to fix, however this situation is far from acceptable.
Microsoft also can’t just remove the rootkit as this would require entitlement; there’s also a risk to the stability of the system with removing something like a rootkit.
This particular rootkit is removed by Microsoft’s Malicious Software Removal Tool however this tool is not installed through the standard Windows Update mechanism which only does ‘Important’ updates. One has to specifically install the Tool or allow Recommended updates to be installed as well.
This problem is only likely to grow worse with time. Until cleaned, the infected machines will be vulnerable to an increasing number of kernel flaws, leaving them exposed to new threats. With little chance that owners of affected computers will clean them up of their own volition, Microsoft might yet be forced to take some more aggressive action to get them clean and up-to-date.
