Zero Day: A Novel - Mark Russinovich [10]
Sitting down at her computer beside him, Sue frowned and said, “Call me Miss Unpopular. They act as if I put the damn virus in myself.” She looked at his screen. “Getting anything?”
Jeff told her what he’d done and seen so far.
“I need me one of those nifty boot CDs you’ve got.”
Jeff smiled, suddenly looking twelve years old. “You’ll have to kill me to get it.” The CD was the result of thousands of hours of hard work, and in many cases it was what made his success on a job possible. He’d once joked he planned to be buried with it. “What will you work on?” he asked her.
Sue pursed her lips. “I’m going to spin my wheels, probably—analyzing the firewall and proxy server logs, if that makes sense to you.” Jeff nodded. That area had to be covered, and it would save time if she did it. “Maybe I’ll stumble onto something useful. This is not my field at all.”
“You might get lucky,” Jeff encouraged her. As Sue set to work, he ran a salvaging tool that could make guesses and ignore what would otherwise look like errors. With this he had more success, since it was able to provide him a view of files and folders previously not visible.
Now able to scan through what was left of the disk’s data, Jeff searched for the files that contained the core configuration of the system. What he found instead were bits and pieces of the original operating system and temporary copies of portions of program data. Though he was disappointed, he was still able to reconstruct a portion of the file system and registry with its database, which stored settings and various options for the computer’s operating system. At least it’s a start, he thought.
Next he skimmed through the corrupted registry entries. It was a bit like scanning the television guide to see what was on, rather than watching an evening of programs. He found that part of the data was overwritten, a standard means of destruction. Random symbols had been written over the existing data, making it difficult, sometimes impossible, to recover the original data. Peculiarly, though, only a portion of the original data had been overwritten. If that had been the purpose of the virus, Jeff thought, the job was incomplete.
Several explanations were possible. The most obvious was the presence of a destructive virus that had its overwriting operation aborted by a bug in the virus itself. The virus might have triggered behavior that resulted in the operating system’s becoming corrupted, which had then stopped the virus and the overwriting dead in its tracks. Not very sophisticated, if that was what had happened.
A truly effective virus would never kill the driver or operating system that served as its host. That would be like a disease killing someone before it could infect anyone else. The most effective viruses were those that existed on computers with the operators never knowing any better. Before the operating system was destroyed, such a worm would be seeking to replicate and spread itself, though slowly, so as to escape detection. But in this case some part of it had nuked the system, in effect committing suicide.
Now Jeff scanned the corrupted registry file settings. Malware commonly created entries so that the operating system activated them each time the computer was turned on, or whenever a user logged in. He examined every entry that looked even remotely suspicious. When he located a reference to a program or piece of code he didn’t recognize, he found the code’s file and examined it further, looking to see if the file provided the product it was associated with and the company that wrote it, since malware typically lacked such information.
Then he performed Web searches to find information about the file’s purpose, to see if anybody had previously flagged it as malware. Tedious and time-consuming, this formed the heart of what he did each day at work when on jobs like this. That initial