Blog entry

Rootkit attack Atapi.sys

A Windows Blue Screen of Death could be a symptom of a rootkit infection caused by the Tdss-rootkit, which surfaced in 2008.

It appears that the affected machines already had the rootkit infection at the time the Microsoft patches were deployed. Researchers isolated the atapi.sys file. They say that atapi.sys is a good target for a rootkit attack because it loads early in the boot process. Once infected, the atapi.sys file is hard to replace, and the file is known to be able to "defend" itself.

The honor goes to Patrick W. Barnes, who identified the infection as the Tdss-rootkit. The Tdss-rootkit had been spreading quickly, creating zombie machines for botnet activity.

The Tdss-rootkit is hard to detect. Atapi.sys is an important driver on every machine that runs a Microsoft operating system.

Rootkits are a common way to infiltrate a machine. First the attacker exploits a vulnerability in the machine. Once inside, the attacker deploys the rootkit, which masks the intrusion and gives root or privileged access to the machine (turning it into a zombie).
The rootkit can also bundle spyware, monitoring tools and keystroke-recording software. Antivirus vendors have trouble detecting rootkits. Microsoft and F-Secure claim to have applications that can detect their presence.
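A defender's first check for the scenario above is whether the atapi.sys driver on disk still carries a valid Microsoft signature and matches a known-good copy. The following PowerShell is an added example, not code from the blog post; the function name Test-AtapiDriver and the placeholder hash are assumptions, and it assumes you run it as Administrator and fill in the hash from a clean machine with the same Windows build.

```powershell
# Added example: verify the on-disk atapi.sys against its Authenticode signature
# and a known-good SHA-256 hash. Test-AtapiDriver is a hypothetical helper name.
function Test-AtapiDriver {
    param(
        # Path to the driver that the rootkit described above targets
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\atapi.sys'),
        # Placeholder: replace with the SHA-256 taken from a clean machine
        [string]$KnownGoodHash = '<SHA256-FROM-CLEAN-MACHINE>'
    )

    if (-not (Test-Path $DriverPath)) {
        throw "Driver not found: $DriverPath"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $DriverPath
    $hash = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash

    # Expect a Valid signature from a Microsoft subject and a hash match
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -match 'Microsoft')
    $hashOk   = ($hash -eq $KnownGoodHash.ToUpperInvariant())

    $result = [pscustomobject]@{
        Path      = $DriverPath
        SigStatus = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = $hash
        SignerOK  = $signerOk
        HashMatch = $hashOk
        Suspect   = -not ($signerOk -and $hashOk)
    }

    if ($result.Suspect) {
        Write-Warning "atapi.sys failed verification (status=$($sig.Status), hashMatch=$hashOk)"
    }
    return $result
}

Test-AtapiDriver | Format-List
```

Because the infected driver can filter reads of its own file, run the check from offline boot media or from a clean system with the suspect disk mounted, and treat the hash comparison as the authoritative result on older Windows versions where the cmdlet does not resolve catalog signatures.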