Zero Day: A Novel

Zero Day: A Novel Page 3

by Mark Russinovich


  “I doubt that it was your fault,” Jeff reassured her. “I’m seeing more and more of this sort of thing. Malware is more easily finding ways into once secure computer systems. Viruses of all kinds are simply getting more sophisticated.”

  Sue sighed. “I warned him last year not to go all electronic. He didn’t listen. We had a small accounting department then, run by a blue-haired lady who was the firm’s first hire forty years ago. Though everything was on computers, she insisted on running billing-record hard copies every night. Greene thought the size of her department was a needless expense, and so was all that paper. She was retired, her department was reduced to two, and no more hard copies. I warned him.”

  “There’s nothing worse than being right when your boss is wrong.”

  Sue looked at Jeff sideways, with a sly smile, and that shine in her eyes. “Sounds like you’ve been there.”

  Jeff closed his eyes for a moment and drew a deep breath before turning back to Sue. “It shows, huh? What did you see when you tried to boot? Exactly.”

  “Like I told you Saturday night, I couldn’t get into the system and decided immediately not to waste any more time trying. I’m really just a systems manager.” Sue shrugged apologetically. “My primary job is to keep everything running smoothly and make certain there are no hiccups. Security is part of it, of course, but it’s limited to updated antivirus software, patching, and a firewall. Our primary problems have been viruses associates bring in from home on their laptops, or employees opening attachments from spam. Nothing I couldn’t handle until now. To my knowledge, nothing ever made it into the servers.”

  “Have you contacted the firm’s bank?” She shook her head. “You need to,” Jeff advised. “You should shut down Internet access to your account until this is solved. It’s possible that’s what this was all about. We can’t know how much information they extracted before the system froze.”

  “I’m on it,” she said, her cell phone already out. Near the ladies’ room he watched her speak intensely; then put the phone away and go through the door. As he waited, Jeff geared himself up for what he had to do. A few minutes later Sue returned, makeup freshly applied, her lips repainted that bright crimson. “Thanks,” she said. “I should have thought of that on my own. They’re taking care of it right now.”

  “There’s more.” Jeff was never comfortable with this aspect of his job. He hated being the bearer of bad news. “I’m sorry to say that you’re going to have to unplug all the servers and every computer from the network. We have to assume they’re infected, even though you’ve detected nothing—which would mean that at this point they’re serving as a breeding ground, propagating the worm. That means your lawyers will lose their e-mail.”

  Sue moaned. “Let me show you to your workstation, then I’ll take care of it.”

  The IT Center was located in an undesirable area of the building. Windowless, with monitors, computers, and cables running helter-skelter, a dry static sensation in the still air, it was a copy of hundreds of other such offices Jeff had seen. Sue introduced him to her assistant, Harold, a short, nerdy young man wearing a Yankees baseball cap with the brim backward. He was playing a video game on what looked like a personal laptop. As they entered, he hurriedly put it away.

  “What are you playing?” Jeff asked. His secret vice was action video games.

  “Uh, Mega Destructor III.”

  Jeff nodded approvingly. “I’ve got MD IV in beta. I’ll burn you a copy.”

  The young man grinned.

  Sue shook her head. “Boys.”

  Jeff grinned. “What can I say?”

  Standing with one hand on her hip, Sue explained the system, gesturing with her free hand. “Every lawyer has a desktop PC and a laptop. This is the server room with four blade servers. We use one as our Web server, another as a backup domain controller, and so on. The primary one, with our litigation records and accounting, is the one that’s down. We run a standard networking program, Active Directory, and are connected to the office PCs.” What she described appeared identical to other systems on which Jeff had worked. In theory that should make this job a bit easier than it initially sounded, he thought. But in reality? Jeff was too experienced ever to expect a free ride.

  “All right. I’ll get started,” he said, looking for a place to set up. “Which one should I use?” Sue pointed as he reached down and opened his work bag, extracting a black CD case filled with a wide range of disks, which he referred to as his Swiss army knife. As he began, Sue left to inform everyone they were now off-line for the duration, at least at the office. Harold moved a chair over so he could watch what Jeff was doing.

  “It’s good to get some action,” Harold said with a smile. “I’m pretty bored playing games.”

  “Glad to have you. I’m going to need your help if we’re to get this fixed.” Jeff’s CD included the standard diagnostic and recovery tools used by everyone in his profession, but he’d added a collection of utilities he’d picked up over time. This was the disk that would allow him to boot and provide a minimal environment from which he could work, since the computer was no longer making one available.

  As he slid the disk into the server’s optical drive, his first thought was that whatever had occurred here was caused by any one of the thousands of new variants of existing viruses that appeared routinely, as many as fifty a month. He hoped that it was a new version of an existing virus, set loose by some student hacker looking for bragging rights. Something like that could have crept under Sue’s radar. Even in that eventuality it could still be a difficult job, but one he could manage. There’d likely be full, or nearly full, recovery because the data the company needed would still be somewhere in the server.

  But once his own operating system was running, the first thing Jeff noted was that he couldn’t detect any data on the hard disk. It was as if the disk had never had an operating system installed. Even the standard C: drive icon was missing. He’d never seen this before and he experienced a sudden chill. How can this be? he thought. This wasn’t going to be routine after all, he realized, feeling both exhilarated and apprehensive.

  Sitting down at her computer beside him, Sue frowned and said, “Call me Miss Unpopular. They act as if I put the damn virus in myself.” She looked at his screen. “Getting anything?”

  Jeff told her what he’d done and seen so far.

  “I need me one of those nifty boot CDs you’ve got.”

  Jeff smiled, suddenly looking twelve years old. “You’ll have to kill me to get it.” The CD was the result of thousands of hours of hard work, and in many cases it was what made his success on a job possible. He’d once joked he planned to be buried with it. “What will you work on?” he asked her.

  Sue pursed her lips. “I’m going to spin my wheels, probably—analyzing the firewall and proxy server logs, if that makes sense to you.” Jeff nodded. That area had to be covered, and it would save time if she did it. “Maybe I’ll stumble onto something useful. This is not my field at all.”

  “You might get lucky,” Jeff encouraged her. As Sue set to work, he ran a salvaging tool that could make guesses and ignore what would otherwise look like errors. With this he had more success, since it was able to provide him a view of files and folders previously not visible.

  Now able to scan through what was left of the disk’s data, Jeff searched for the files that contained the core configuration of the system. What he found instead were bits and pieces of the original operating system and temporary copies of portions of program data. Though he was disappointed, he was still able to reconstruct a portion of the file system and registry with its database, which stored settings and various options for the computer’s operating system. At least it’s a start, he thought.

  Next he skimmed through the corrupted registry entries. It was a bit like scanning the television guide to see what was on, rather than watching an evening of programs. He found that part of the data was overwritten, a standard means of destruction. Random symbols had been written over the existing data, making it difficult, sometimes impossible, to recover the original data. Peculiarly, though, only a portion of the original data had been overwritten. If that had been the purpose of the virus, Jeff thought, the job was incomplete.

  Several explanations were possible. The most obvious was the presence of a destructive virus that had its overwriting operation aborted by a bug in the virus itself. The virus might have triggered behavior that resulted in the operating system’s becoming corrupted, which had then stopped the virus and the overwriting dead in its tracks. Not very sophisticated, if that was what had happened.

  A truly effective virus would never kill the driver or operating system that served as its host. That would be like a disease killing someone before it could infect anyone else. The most effective viruses were those that existed on computers with the operators never knowing any better. Before the operating system was destroyed, such a worm would be seeking to replicate and spread itself, though slowly, so as to escape detection. But in this case some part of it had nuked the system, in effect committing suicide.

  Now Jeff scanned the corrupted registry file settings. Malware commonly created entries so that the operating system activated them each time the computer was turned on, or whenever a user logged in. He examined every entry that looked even remotely suspicious. When he located a reference to a program or piece of code he didn’t recognize, he found the code’s file and examined it further, looking to see if the file provided the product it was associated with and the company that wrote it, since malware typically lacked such information.

  Then he performed Web searches to find information about the file’s purpose, to see if anybody had previously flagged it as malware. Tedious and time-consuming, this formed the heart of what he did each day at work when on jobs like this. That initial flash of excitement he’d experienced waned as exhaustion began to overtake him again. Working while exhausted was typical, though. In these situations, time counted for everything. Yet so far, nothing.

  Two hours later, Jeff finally got a break when he came upon a reference to a device driver that appeared suspicious. Device drivers were programs that allowed other programs to interact with a bit of hardware, such as a printer, and were attractive to malware authors because they could be leveraged to create spyware, viruses, and adware that hid from standard security protections. Most home PCs had some form of these types of malware without the owner even knowing it.

  All device drivers had information that included the path to the file on the disk that contained the driver’s code, so Jeff was able to locate the driver image in question without any trouble. One, ipsecnat.sys, had a name that looked similar to that of a legitimate and standard driver, but he didn’t recognize it. When he examined it, the file’s version information reported itself as being from Microsoft, but a Web search turned up no hits on a driver by that name. Score one for my team, he thought.

  Reinvigorated, Jeff loaded the driver into a code analyzer that allowed him to see a human-readable version of the instructions that the computer executed. Analyzing malware at this level was a big part of his job, so he could run through the instructions in his head the same way the computer would. This way he was able to understand its overall purpose.

  He read:

  .text:00000000007B35D8 xor [rcx + 30h], rdx
  .text:00000000007B35DC xor [rcx + 38h], rdx
  .text:00000000007B35E0 xor [rcx + 40h], rdx
  .text:00000000007B35E4 xor [rcx + 48h], rdx
  .text:00000000007B35E8 xor [rcx], edx
  .text:00000000007B35EA mov rax, rdx
  .text:00000000007B35ED mov rdx, rcx
  .text:00000000007B35F0 mov ecx, [rdx + 4Ch]
  .text:00000000007B35F3 loc_7B35F3:
  .text:00000000007B35F3 xor [rdx + rcx*8 + 48h], rax
  .text:00000000007B35F8 ror rax, cl
  .text:00000000007B35FB loop loc_7B35F3
  .text:00000000007B35FD mov eax, [rdx + 190h]
  .text:00000000007B3603 add rax, rdx
  .text:00000000007B3606 jmp rax

  When he finished, Jeff was thoroughly alert. The code was obviously encrypted. Viruses often encrypted themselves to make it time-consuming, or even impossible, for virus scanners to unravel the core code. The malware decrypted itself into memory when launched, which could take up to several seconds because of the levels and complexity of the encryption scheme employed. That was why a slowly booting computer was often a sign of infection.

  The next three hours flew by as Jeff tried to match the encryption algorithm used by the hacker against those commonly employed by malware authors. Finally, he decided that he was looking at something new. This part of his work was like a puzzle to him, one in which he pitted his own creativity and determination against that of the hacker. In its own way it was not so different from the most difficult computer games he played except that real stakes were involved here. Knowing that kept Jeff’s excitement tamped down, though he couldn’t resist a mental pat on the back before continuing.

  As a precaution, he set up what was essentially a “virtual” computer that allowed him to examine the virus in operation, but at a much slower pace. The virtual computer behaved exactly like a real one and, to the user, looked like the screen of a real computer displayed in a window on their desktop. But the virtual computer gave Jeff great control over the process since he was able to control execution of the malware, starting and stopping it as needed. In this way, he hoped to be able to unravel the code.

  Next he dropped the code onto the disk as an unencrypted copy of the driver. Completely consumed, he lost all touch with day and night. Even Sue didn’t exist as a person. She vanished from his world, though she sat next to him. He was neither thirsty nor hungry. He felt no discomfort in his body.

  It often seemed to him, during a job like this, that he’d been born for this work, such was his capacity to shut out everything else. For him a computer problem was like solving a brain teaser, and he loved games. He also hated being defeated. The real world could be chaotic and violent and frequently felt, at least to him, to be out of his control. But with work he could understand a computer, even the viruses that attacked them. Success here was clearly defined: when he was finished, the computer either worked or it didn’t.

  Right now his only world was the one on the screens before him.

  5

  DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, D.C.

  DIVISION OF COUNTER CYBERTERRORISM

  MONDAY, AUGUST 14

  9:51 A.M.

  “I don’t get the connection,” George Carlton said as he leaned back in his chair, eyeing with cautious pleasure the woman seated before him.

  Dr. Daryl Haugen, dressed casually in jeans and a snug blouse, paused before responding. Slender and just over average height, with a fair complexion and blond, shoulder-length hair, she was stunningly attractive. The way Carlton eyed her while pretending he was not was a reaction she’d grown accustomed to as a teenager. A computer science graduate of MIT and thirty-five years old that July, she’d worked hard to be taken for what she was, much more than a pretty bauble on a man’s arm. Men such as Carlton, who acted as though they took her seriously when all they really were interested in was her butt, rubbed her the wrong way. But what she had to get across to him was too important for her to waste time getting angry over his juvenile chauvinism.

  “We’ve come up with eight incidents so far,” she said, leaning forward to emphasize her point. “The most deadly was at a hospital in New York City. The computer glitch there appears to have caused four deaths from misapplied medications. There are similar reports out of several hospitals in other boroughs.”

  “What about these other incidents?” Carlton leafed through the papers as if searching for something specific, then stopped in apparent frustration. “I’ve read your report. Frankly, I don’t see a connection between any of them, and I certainly don’t see a national security issue. As you know, during my tenure here we’ve made significant strides in combating computer viruses, especially when they target government or military computers.”

  Daryl sighed to herself. Not that again, she thought. “I can’t be certain, but it looks like more than one virus. It’s odd, striking like this in so many seemingly unrelated places, and being so deadly.” She wrinkled her brow. “The viruses were also in systems that should have excluded them. We need to understand quickly why they didn’t. We have no idea how many of them are out there, or how they spread. If they’re commonly on the Internet—and this assumes we’re dealing with more than one and not a single virus with different manifestations—they’re going to cause a lot of trouble, not just in home and business computers but in government and military ones as well.”

  “Well, that’s good,” Carlton said.

  “Excuse me?”

  “I mean that they are going after computers in which my department has a direct concern,” he said hastily. “Not that the viruses are good as such.”

  Daryl bit her tongue. She needed this fool’s help.

  “I’m saying that’s the kind of thing we are so effective at interdicting,” Carlton added, dragging his eyes away from her chest. He’d first met Daryl when she’d worked at the National Security Agency in 2000. She’d been assigned to liaison with his Cyberterrorism–Computer Forensics Department at the CIA. She’d been unexpectedly forthcoming, even providing some source data they’d lacked, which proved quite accurate. But the best part of the arrangement had been her drop-dead looks. He’d suggested drinks more than once, but got nowhere. Neither had anyone else in the department.

  He’d been more than pleased when he learned that she’d left NSA and was now assistant deputy executive director CISU (Computer Infrastructure Security Unit)/DHS and head of a team at US-CERT (Computer Emergency Readiness Team), which technically reported to him at DHS, where he was now chief of counter cyberterrorism. US-CERT was expected to operate independently, alerting him only when they came upon an issue of national security. This was the first time she’d ever asked to work in the field. He doubted he even had the authority to refuse, but he was damned if he was going to acknowledge any limits to his power.
