
Zero Day: A Novel - Mark Russinovich [45]

of the rootkit. He’d seen the behavior, now he had confirmation. As a cloaking technology, rootkits worked by hiding files, registry keys, and other objects in the system in the kernel mode of Windows. When a user ran a standard detection program to see what programs were operating, the rootkit had many ways to remove the program it was concealing from the list being generated. In this case, the program being cloaked was the virus.

The next step was to run a number of advanced security tools, searching for evidence of code that would activate the rootkit at each booting. It came up empty. Then Jeff dumped the service-table contents, studying them carefully. Each should point at addresses within the Windows kernel, but within minutes he found two that did not. One of the intercepting functions was part of the ipsecnat.sys device driver that he had been studying. Now he knew which driver implemented cloaking. At least now I can see if I can disable the cloak and expose whatever it’s hiding, Jeff thought. Opening a command prompt, Jeff entered the hidden directory.

The sophistication of this rootkit was troubling, he realized, especially when compared to what appeared to be the cut-and-paste construction of the part of the actual virus he’d examined so far. The rootkit was lean and cleverly fabricated. Jeff paused for a moment to reflect. What the malware was suggesting to him was at least two creators. That might be significant; then again, it might not. A basic cracker might have created the virus, then found the slick rootkit to hide it. He couldn’t imagine anyone skilled enough to build this rootkit unleashing such a hack job of a virus. He wouldn’t be able to resist cleansing the code. What if they’re working together? he thought, wondering what the implications of that might be.

Jeff took a moment to text Daryl, informing her of the rootkit. A few minutes later she responded with a single word: “Shit!” No kidding, Jeff thought, before turning back to his work.

Next he stepped instruction by instruction through the driver, trying to discern the goal of the virus, without luck. Then it occurred to him there might be more than one, so he examined the assembly language he’d generated earlier. This was extraordinarily time-consuming. Long, exhausting hours dragged by as he threw himself into the brain-taxing exercise. When he could go on no longer, he slept on the couch rather than return to his hotel. At some point Sue returned. Harold appeared and began bringing them food at regular intervals, though Jeff couldn’t have told anyone what he ate if his life depended on it.

One of the major problems he was up against, Jeff realized, was that he couldn’t tell what kind of external influences were normally involved in this suspect driver’s operation. Perhaps the driver had a helper program or some other external stimuli that caused its payload to trigger. Or it might have been something within the virus code itself, even a standard mechanism in the computer’s operating system. So far he’d found nothing to tell him why the virus had been unleashed nor anything to hint at what the purpose had been beyond simple destruction.

Was this a financial operation launched by Russians? Or had it been a simple shotgun attack meant to cause immediate widespread destruction? He simply couldn’t tell. He was burrowing deeper and deeper into decrypting the driver, but still lacked the answers he sought to tell him how the virus actually ran when it was “live.”

Just when he thought he wouldn’t be able to restrain himself from picking up the computer and throwing it across the room, Jeff came across something that promised to be interesting. Even though the driver had decrypted much of itself when it launched, it still left pieces of itself encrypted. With some effort he coaxed the driver into executing certain code sequences that decrypted more of itself.

The newly decrypted code sequence referred to another driver with a more sinister name, bioswipe.sys, that it expected to be able to extract from itself and execute. However, the second
