Zero Day_ A Novel - Mark Russinovich [41]
Worse, the numbers were likely far greater, since so many individuals and companies had no idea their systems had been hacked. The government was largely unconcerned, or unknowing, for the DHS research budget for cyber-security had been cut to just $16 million.
Basically, it is so damn simple, Jeff thought. Viruses found their path into computers in two ways. They could enter through a vulnerability in an application or within the operating system itself, or they could inadvertently be downloaded by the computer user, who was tricked into manually running the virus, believing it was something it was not.
Regardless of the method for contamination, the virus would make its way freely into thousands of computers undetected before one of the security companies’ honeypots, computers left online with no protection, attracted the virus. Thereafter, it could take several hours to several days for an antivirus company to create a signature and deliver it, known as a rollout, to their customers. Once loaded, antivirus software prevented the virus from executing, so the user with the program installed was safe against the virus, no matter how the contamination occurred. The antivirus software on customer systems usually checked for the updates once per day, though automatic updates were often never turned on by owners.
When a virus that exploited a new vulnerability was discovered, the antivirus company also notified the software vendor whose product contained the vulnerability so it could prepare a fix, known as a patch. To create, test, and make the patch available, the vendor would take anywhere from a few days, in the most critical cases, to weeks or even months, for vulnerabilities that were less critical.
In both cases the patch was rolled out to customers over a period of days. It could be months before most customers installed the patch, and many companies or individuals never installed it at all. When a particularly risky vulnerability was identified, vendors sent security bulletins to customers advising them to manually download and apply the patch rather than wait for the automated update.
The security companies were always playing catch-up. A new risk existed for a minimum of a few days to weeks. The system, if that’s what it could be called, left a surprisingly large number of computers susceptible, even to viruses that had long been identified.
The situation was magnified because most home users didn’t possess a security system, and if they did, they let its license expire, leaving the system exposed. Government computers were no less vulnerable. It was well known that the Chinese had obtained an enormous amount of U.S. national security data by entering computers believed to be secure. Other governments were doing the same thing. It was cheaper, and more effective, to hire hackers to work the Internet than to recruit, train, and support spies or to pay traitors.
Because of all this Jeff had no lack of work, particularly since his reputation preceded him into the market. Increasingly, however, he was seeing malware that traveled under the radar, destructive code that insinuated itself into computers without detection. It wasn’t necessary to open an e-mail or even to neglect your antivirus software. All you had to do was connect to the Internet and the malware found you, if you had a vulnerability.
The truly destructive viruses, those that stole financial records, destroyed systems, and such, were more often like subterranean trolls. They were unleashed by their creators, or by someone working with them, and flashed across the core of the Internet, seeking a way to enter a computer by exploiting a vulnerability, an error or pathway inadvertently left open in one of its programs.
The viruses were always there, permanent, relentless. They never tired, never became frustrated, required no fresh direction. As they pressed their electronic nose to