Zero Day: A Novel - Mark Russinovich
Melek returned to her computer. “Sağol,” she told Elaltuntas with a smile. He smiled back. She’d never know how she’d just thanked him for what he’d placed into her computer, not unless she was secretly controlling a nuclear power plant.
17
MANHATTAN, NYC
IT CENTER
FISCHERMAN, PLATT & COHEN
TUESDAY, AUGUST 15
6:09 P.M.
Jeff walked to the law firm’s building from his hotel, enjoying Manhattan in the early-evening hours of a late summer day. He passed joggers, restaurant owners setting up chairs and tables outside, office workers rushing for home or to join someone for a drink and conversation. Picking up a double latte and toasted bagel, he crossed the marbled lobby, then took the elevator to the law firm’s offices on the twenty-second floor.
He entered the IT Center quietly in the event Sue was asleep but found himself alone. Jeff took his place and inserted the driver in the virtual machine. To see what the driver was doing, however, Jeff needed to use a kernel debugger. He set break points so that the machine would stop when it reached points where Jeff believed he might be able to study the driver’s operation.
Going this far was both good and bad. Good in the sense he hoped to produce something useful; bad in that he was forced to go so far searching for answers. But something important was eluding him, perhaps more than a single something. The only truly good thing about all this he could point to was that Daryl was at least as fully engaged and she had far greater resources than he did.
The system ran a moment; then Windows hit a break point and the debugger stopped the virtual machine, putting it in a form of electronic suspended animation. Jeff read the script, then entered a g for “go” to allow the driver to continue. A few minutes later he reached his fourth break point. Examining the standard Windows-system data structures on the screen, Jeff noticed that the driver had made modifications to the control flow of several functions used by applications to list the drivers loaded on a system. He launched a device-driver listing diagnostic tool, but saw no sign of the driver he was studying. The driver had intercepted the utility’s query and stripped the driver from the list before returning the data.
“Shit,” he muttered under his breath. The bastard’s using a rootkit.
Once rare, rootkits were becoming increasingly common in malware, since they allowed malware to be hidden from security tools. With a sinking heart he understood now what he was up against. Part of the virus, or another one altogether, was hidden from him.
Rootkits weren’t limited to malware. In 2005, Sony had released a range of CDs designed to prevent excessive duplication. The End User License Agreement that accompanied them did not disclose that the CD installed a rootkit on the customer’s personal computer. More than 2 million CDs were shipped with the rootkit, which the computer experts who detected it promptly labeled malware. More than half a million customers unknowingly placed the hidden code deep within their computer’s operating system.
The affair turned into a fiasco for Sony. Early attempts to delete the rootkit disabled the computer’s ability to play any CD and, worse, caused the computer to crash. The rootkit was also not very well written. Hackers soon found they could attach viruses to it, using Sony’s own software to cloak them from detection. Sony was forced by a public uproar to recall the CDs and make a removal patch available, but the harm to the company’s reputation was done. A major international corporation had publicly been branded with employing hacker code. The long-term consequences were incalculable.
Jeff ran a rootkit detection program, then cursed again. There on the screen was unmistakable evidence