genpop.net

For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates.

According to the Microsoft Malware Prevention Center (MMPC), this month’s Malicious Software Removal Tool (MSRT) has scrubbed the Alureon rootkit from over 360,000 Windows PCs since its May 11 release. That represented 18.2 percent of all MSRT detections for the month, more than double the 8.3 percent the rootkit accounted for in April.

[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from InfoWorld's expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. ]

The free MSRT is updated each month as part of Microsoft’s monthly Patch Tuesday, and pushed to users via the same Windows Update mechanism used to serve up security fixes.

April’s edition of MSRT, which was released April 13, also included Alureon sniffing skills. Last month, MSRT removed the rootkit from more than 260,000 Windows systems.

Although the Alureon rootkit is no malware newcomer — antivirus company Symantec identified it in October 2008 — it first made news last February when Microsoft confirmed that the rootkit caused infected PCs to crash when users applied a patch the company issued that month.

As the number of crash reports grew, Microsoft stopped automatically serving the MS10-015 update. It reissued the update only after it had added a Alureon detector that made sure infected Windows machines would not receive the patch.

Microsoft used the Alureon detection again in April when it shipped another Windows kernel patch in the MS10-021 update.

Until Alureon is removed, infected systems cannot apply the MS10-015 and MS10-021 updates.

While it’s not uncommon for MSRT to remove a specific piece of malware from machines for several months running, it is unusual when the number of cleaned systems climbs after Microsoft adds detection for that threat.

Engineers at MMPC said the 37 percent increase in Alureon detections in was due to new variants of the rootkit. “There were several changes to the design of the rootkit to avoid detection and cleaning, revealing that the rootkit is still under active development and distribution,” said Vishal Kapoor and Joe Johnson of the MMPC in an entry on the team’s blog last Friday.

Related Posts

1. Microsoft tries again with patch linked to Windows blue screens
2. Rootkit to blame for Windows Blue Screen of Death
3. Updated ‘blue screen of death’ rootkit now targeting 64-bit Windows
4. Microsoft acts to avoid repeat of Windows blue screen debacle
5. Microsoft, Adobe, Oracle patch nearly 100 vulnerabilities