Zero Day: A Novel - Mark Russinovich [11]
Two hours later, Jeff finally got a break when he came upon a reference to a device driver that appeared suspicious. Device drivers were programs that allowed other programs to interact with a bit of hardware, such as a printer, and were attractive to malware authors because they could be leveraged to create spyware, viruses, and adware that hid from standard security protections. Most home PCs had some form of these types of malware without the owner even knowing it.
All device drivers had information that included the path to the file on the disk that contained the driver’s code, so Jeff was able to locate the driver image in question without any trouble. One, ipsecnat.sys, had a name that looked similar to that of a legitimate and standard driver, but he didn’t recognize it. When he examined it, the file’s version information reported itself as being from Microsoft, but a Web search turned up no hits on a driver by that name. Score one for my team, he thought.
Reinvigorated, Jeff loaded the driver into a code analyzer that allowed him to see a human-readable version of the instructions that the computer executed. Analyzing malware at this level was a big part of his job, so he could run through the instructions in his head the same way the computer would. This way he was able to understand its overall purpose.
He read:
.text:00000000007B35D8 xor [rcx + 30h], rdx
.text:00000000007B35DC xor [rcx + 38h], rdx
.text:00000000007B35E0 xor [rcx + 40h], rdx
.text:00000000007B35E4 xor [rcx + 48h], rdx
.text:00000000007B35E8 xor [rcx], edx
.text:00000000007B35EA mov rax, rdx
.text:00000000007B35ED mov rdx, rcx
.text:00000000007B35F0 mov ecx, [rdx + 4Ch]
.text:00000000007B35F3 loc_7B35F3:
.text:00000000007B35F3 xor [rdx + rcx*8 + 48h], rax
.text:00000000007B35F8 ror rax, cl
.text:00000000007B35FB loop loc_7B35F3
.text:00000000007B35FD mov eax, [rdx + 190h]
.text:00000000007B3603 add rax, rdx
.text:00000000007B3606 jmp rax
When he finished, Jeff was thoroughly alert. The code was obviously encrypted. Viruses often encrypted themselves to make it time-consuming, or even impossible, for virus scanners to unravel the core code. The malware decrypted itself into memory when launched, which could take up to several seconds because of the levels and complexity of the encryption scheme employed. That was why a slowly booting computer was often a sign of infection.
The next three hours flew by as Jeff tried to match the encryption algorithm used by the hacker against those commonly employed by malware authors. Finally, he decided that he was looking at something new. This part of his work was like a puzzle to him, one in which he pitted his own creativity and determination against that of the hacker. In its own way it was not so different from the most difficult computer games he played except that real stakes were involved here. Knowing that kept Jeff’s excitement tamped down, though he couldn’t resist a mental pat on the back before continuing.
As a precaution, he set up what was essentially a “virtual” computer that allowed him to examine the virus in operation, but at a much slower pace. The virtual computer behaved exactly like a real one and, to the user, looked like the screen of a real computer displayed in a window on their desktop. But the virtual computer gave Jeff great control over the process since he was able to control execution of the malware, starting and stopping it as needed. In this way, he hoped to be able to unravel the code.
Next he dropped the code onto the disk as an unencrypted copy of the driver. Completely consumed, he lost all touch with day and night. Even Sue didn’t exist as a person. She vanished from his world, though she sat next to him. He was neither thirsty nor hungry. He felt no discomfort in his body.
It often seemed to him, during a job like this, that he’d been born for this