Zero Day: A Novel (page 4)

Authors: Mark Russinovich, Howard Schmidt

“It’s good to get some action,” Harold said with a smile. “I’m pretty bored playing games.”

“Glad to have you. I’m going to need your help if we’re to get this fixed.” Jeff’s CD included the standard diagnostic and recovery tools used by everyone in his profession, but he’d added a collection of utilities he’d picked up over time. This was the disk that would allow him to boot and provide a minimal environment from which he could work, since the computer was no longer making one available.

As he slid the disk into the server’s optical drive, his first thought was that whatever had occurred here was caused by any one of the thousands of new variants of existing viruses that appeared routinely, as many as fifty a month. He hoped that it was a new version of an existing virus, set loose by some student hacker looking for bragging rights. Something like that could have crept under Sue’s radar. Even in that eventuality it could still be a difficult job, but one he could manage. There’d likely be full, or nearly full, recovery because the data the company needed would still be somewhere in the server.

But once his own operating system was running, the first thing Jeff noted was that he couldn’t detect any data on the hard disk. It was as if the disk had never had an operating system installed. Even the standard C: drive icon was missing. He’d never seen this before and he experienced a sudden chill. How can this be? he thought. This wasn’t going to be routine after all, he realized, feeling both exhilarated and apprehensive.

Sitting down at her computer beside him, Sue frowned and said, “Call me Miss Unpopular. They act as if I put the damn virus in myself.” She looked at his screen. “Getting anything?”

Jeff told her what he’d done and seen so far.

“I need me one of those nifty boot CDs you’ve got.”

Jeff smiled, suddenly looking twelve years old. “You’ll have to kill me to get it.” The CD was the result of thousands of hours of hard work, and in many cases it was what made his success on a job possible. He’d once joked he planned to be buried with it. “What will you work on?” he asked her.

Sue pursed her lips. “I’m going to spin my wheels, probably—analyzing the firewall and proxy server logs, if that makes sense to you.” Jeff nodded. That area had to be covered, and it would save time if she did it. “Maybe I’ll stumble onto something useful. This is not my field at all.”

“You might get lucky,” Jeff encouraged her. As Sue set to work, he ran a salvaging tool that could make guesses and ignore what would otherwise look like errors. With this he had more success, since it was able to provide him a view of files and folders previously not visible.

Now able to scan through what was left of the disk’s data, Jeff searched for the files that contained the core configuration of the system. What he found instead were bits and pieces of the original operating system and temporary copies of portions of program data. Though he was disappointed, he was still able to reconstruct a portion of the file system and registry with its database, which stored settings and various options for the computer’s operating system. At least it’s a start, he thought.

Next he skimmed through the corrupted registry entries. It was a bit like scanning the television guide to see what was on, rather than watching an evening of programs. He found that part of the data was overwritten, a standard means of destruction. Random symbols had been written over the existing data, making it difficult, sometimes impossible, to recover the original data. Peculiarly, though, only a portion of the original data had been overwritten. If that had been the purpose of the virus, Jeff thought, the job was incomplete.

Several explanations were possible. The most obvious was the presence of a destructive virus that had its overwriting operation aborted by a bug in the virus itself. The virus might have triggered behavior that resulted in the operating system’s becoming corrupted, which had then stopped the virus and the overwriting dead in its tracks. Not very sophisticated, if that was what had happened.

A truly effective virus would never kill the driver or operating system that served as its host. That would be like a disease killing someone before it could infect anyone else. The most effective viruses were those that existed on computers with the operators never knowing any better. Before the operating system was destroyed, such a worm would be seeking to replicate and spread itself, though slowly, so as to escape detection. But in this case some part of it had nuked the system, in effect committing suicide.

Now Jeff scanned the corrupted registry file settings. Malware commonly created entries so that the operating system activated them each time the computer was turned on, or whenever a user logged in. He examined every entry that looked even remotely suspicious. When he located a reference to a program or piece of code he didn’t recognize, he found the code’s file and examined it further, looking to see if the file provided the product it was associated with and the company that wrote it, since malware typically lacked such information.

Then he performed Web searches to find information about the file’s purpose, to see if anybody had previously flagged it as malware. Tedious and time-consuming, this formed the heart of what he did each day at work when on jobs like this. That initial flash of excitement he’d experienced waned as exhaustion began to overtake him again. Working while exhausted was typical, though. In these situations, time counted for everything. Yet so far, nothing.

Two hours later, Jeff finally got a break when he came upon a reference to a device driver that appeared suspicious. Device drivers were programs that allowed other programs to interact with a bit of hardware, such as a printer, and were attractive to malware authors because they could be leveraged to create spyware, viruses, and adware that hid from standard security protections. Most home PCs had some form of these types of malware without the owner even knowing it.

All device drivers had information that included the path to the file on the disk that contained the driver’s code, so Jeff was able to locate the driver image in question without any trouble. One, ipsecnat.sys, had a name that looked similar to that of a legitimate and standard driver, but he didn’t recognize it. When he examined it, the file’s version information reported itself as being from Microsoft, but a Web search turned up no hits on a driver by that name. Score one for my team, he thought.

Reinvigorated, Jeff loaded the driver into a code analyzer that allowed him to see a human-readable version of the instructions that the computer executed. Analyzing malware at this level was a big part of his job, so he could run through the instructions in his head the same way the computer would. This way he was able to understand its overall purpose.

He read:

.text:00000000007B35D8 xor [rcx + 30h], rdx
.text:00000000007B35DC xor [rcx + 38h], rdx
.text:00000000007B35E0 xor [rcx + 40h], rdx
.text:00000000007B35E4 xor [rcx + 48h], rdx
.text:00000000007B35E8 xor [rcx], edx
.text:00000000007B35EA mov rax, rdx
.text:00000000007B35ED mov rdx, rcx
.text:00000000007B35F0 mov ecx, [rdx + 4Ch]
.text:00000000007B35F3 loc_7B35F3:
.text:00000000007B35F3 xor [rdx + rcx*8 + 48h], rax
.text:00000000007B35F8 ror rax, cl
.text:00000000007B35FB loop loc_7B35F3
.text:00000000007B35FD mov eax, [rdx + 190h]
.text:00000000007B3603 add rax, rdx
.text:00000000007B3606 jmp rax

When he finished, Jeff was thoroughly alert. The code was obviously encrypted. Viruses often encrypted themselves to make it time-consuming, or even impossible, for virus scanners to unravel the core code. The malware decrypted itself into memory when launched, which could take up to several seconds because of the levels and complexity of the encryption scheme employed. That was why a slowly booting computer was often a sign of infection.
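The listing Jeff reads is a decryption stub: with rcx pointing at the driver image and rdx holding a 64-bit key, the first five instructions XOR a few fixed slots of the image, the loop then XORs the body one qword at a time while rotating the key by the loop counter, and the last three instructions jump to an entry offset read from the freshly decrypted body. Note that the loop count itself (the dword at 0x4C) is only readable after the qword at 0x48 has been decrypted. A scanner that matches signatures against the on-disk bytes sees nothing useful, which is the point the passage makes; an analyst's answer is to replay the stub rather than let the driver execute. The Python below is an added example, not code from the novel or from any real driver: it emulates the listing instruction by instruction over a constructed image, with the image layout, key and count values all invented here, and it also refuses a zero count, which on real hardware would make `loop` run 2**64 times and write far outside the image.

```python
import struct

MASK64 = (1 << 64) - 1
KEY = 0x5A3C9F01E2B47D6C      # constructed 64-bit key; in the listing it arrives in rdx
IMAGE_SIZE = 0x200            # constructed image size, large enough for the loop and the 0x190 slot


def ror64(value: int, count: int) -> int:
    """ror rax, cl: rotate right; in 64-bit mode the CPU masks the count to 6 bits."""
    count &= 63
    return ((value >> count) | (value << (64 - count))) & MASK64


def _xor_qword(buf: bytearray, off: int, mask: int) -> None:
    struct.pack_into("<Q", buf, off, struct.unpack_from("<Q", buf, off)[0] ^ mask)


def _xor_dword(buf: bytearray, off: int, mask: int) -> None:
    struct.pack_into("<I", buf, off, struct.unpack_from("<I", buf, off)[0] ^ (mask & 0xFFFFFFFF))


def _check_count(buf: bytearray, count: int) -> None:
    # `loop` decrements before testing, so a zero count would iterate 2**64 times on hardware,
    # and a large count writes past the image; treat both as a malformed image.
    if count == 0 or 0x48 + 8 * count + 8 > len(buf):
        raise ValueError(f"count {count} drives the loop outside the {len(buf)}-byte image")


def _run_loop(buf: bytearray, key: int, count: int) -> None:
    """loc_7B35F3: xor [rdx+rcx*8+48h], rax ; ror rax, cl ; loop  (rcx counts down to 1)."""
    rax, rcx = key, count
    while True:
        _xor_qword(buf, 0x48 + rcx * 8, rax)   # qword at base + 0x48 + 8*rcx
        rax = ror64(rax, rcx & 0xFF)           # cl is the low byte of rcx
        rcx -= 1
        if rcx == 0:
            break


def emulate_stub(image: bytes, key: int):
    """Replay the listing with rcx = base of `image` and rdx = key.
    Returns (decrypted image, offset the final `jmp rax` would land on)."""
    buf = bytearray(image)
    for off in (0x30, 0x38, 0x40, 0x48):       # xor [rcx+30h..48h], rdx
        _xor_qword(buf, off, key)
    _xor_dword(buf, 0x00, key)                 # xor [rcx], edx
    # mov rax, rdx ; mov rdx, rcx ; mov ecx, [rdx+4Ch]: the count was itself encrypted
    count = struct.unpack_from("<I", buf, 0x4C)[0]
    _check_count(buf, count)
    _run_loop(buf, key, count)
    # mov eax, [rdx+190h] ; add rax, rdx ; jmp rax -> base + 32-bit offset
    entry = struct.unpack_from("<I", buf, 0x190)[0]
    return buf, entry


def encrypt_image(plain: bytes, key: int) -> bytearray:
    """Inverse transform, so a plaintext image survives a round trip through the stub.
    XOR is symmetric, but the count must be read before the 0x48 slot is masked."""
    buf = bytearray(plain)
    count = struct.unpack_from("<I", buf, 0x4C)[0]
    _check_count(buf, count)
    _run_loop(buf, key, count)
    for off in (0x30, 0x38, 0x40, 0x48):
        _xor_qword(buf, off, key)
    _xor_dword(buf, 0x00, key)
    return buf


def build_sample_image() -> bytes:
    """Constructed plaintext image: filler bytes, loop count 50 at 0x4C, entry offset 0x1C0 at 0x190."""
    buf = bytearray((i * 7 + 3) & 0xFF for i in range(IMAGE_SIZE))
    struct.pack_into("<I", buf, 0x4C, 50)        # loop runs for rcx = 50 .. 1, covering 0x50..0x1DF
    struct.pack_into("<I", buf, 0x190, 0x1C0)    # where the stub jumps once the body is decrypted
    return bytes(buf)


if __name__ == "__main__":
    plain = build_sample_image()
    cipher = encrypt_image(plain, KEY)
    decrypted, entry = emulate_stub(bytes(cipher), KEY)
    print("count field as stored on disk:", hex(struct.unpack_from("<I", cipher, 0x4C)[0]))
    print("round trip ok:", decrypted == plain, "entry offset:", hex(entry))
```

Because every memory slot is XORed exactly once with a mask that depends only on the key and the count, the stub is its own inverse once the count is known; the mask sequence never depends on the data, so the loop can be replayed without the driver ever running. The key in rdx is the one value the listing does not reveal, which is where the three hours Jeff spends matching the scheme would go in practice.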

The next three hours flew by as Jeff tried to match the encryption algorithm used by the hacker against those commonly employed by malware authors. Finally, he decided that he was looking at something new. This part of his work was like a puzzle to him, one in which he pitted his own creativity and determination against that of the hacker. In its own way it was not so different from the most difficult computer games he played except that real stakes were involved here. Knowing that kept Jeff’s excitement tamped down, though he couldn’t resist a mental pat on the back before continuing.

As a precaution, he set up what was essentially a “virtual” computer that allowed him to examine the virus in operation, but at a much slower pace. The virtual computer behaved exactly like a real one and, to the user, looked like the screen of a real computer displayed in a window on their desktop. But the virtual computer gave Jeff great control over the process since he was able to control execution of the malware, starting and stopping it as needed. In this way, he hoped to be able to unravel the code.

Next he dropped the code onto the disk as an unencrypted copy of the driver. Completely consumed, he lost all touch with day and night. Even Sue didn’t exist as a person. She vanished from his world, though she sat next to him. He was neither thirsty nor hungry. He felt no discomfort in his body.

It often seemed to him, during a job like this, that he’d been born for this work, such was his capacity to shut out everything else. For him a computer problem was like solving a brain teaser, and he loved games. He also hated being defeated. The real world could be chaotic and violent and frequently felt, at least to him, to be out of his control. But with work he could understand a computer, even the viruses that attacked them. Success here was clearly defined: when he was finished, the computer either worked or it didn’t.

Right now his only world was the one on the screens before him.

5

DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, D.C.

DIVISION OF COUNTER CYBERTERRORISM

MONDAY, AUGUST 14

9:51 A.M.

“I don’t get the connection,” George Carlton said as he leaned back in his chair, eyeing with cautious pleasure the woman seated before him.

Dr. Daryl Haugen, dressed casually in jeans and a snug blouse, paused before responding. Slender and just over average height, with a fair complexion and blond, shoulder-length hair, she was stunningly attractive. The way Carlton eyed her while pretending he was not was a reaction she’d grown accustomed to as a teenager. A computer science graduate of MIT and thirty-five years old that July, she’d worked hard to be taken for what she was, much more than a pretty bauble on a man’s arm. Men such as Carlton, who acted as though they took her seriously when all they really were interested in was her butt, rubbed her the wrong way. But what she had to get across to him was too important for her to waste time getting angry over his juvenile chauvinism.

“We’ve come up with eight incidents so far,” she said, leaning forward to emphasize her point. “The most deadly was at a hospital in New York City. The computer glitch there appears to have caused four deaths from misapplied medications. There are similar reports out of several hospitals in other boroughs.”

“What about these other incidents?” Carlton leafed through the papers as if searching for something specific, then stopped in apparent frustration. “I’ve read your report. Frankly, I don’t see a connection between any of them, and I certainly don’t see a national security issue. As you know, during my tenure here we’ve made significant strides in combating computer viruses, especially when they target government or military computers.”

Daryl sighed to herself. Not that again, she thought. “I can’t be certain, but it looks like more than one virus. It’s odd, striking like this in so many seemingly unrelated places, and being so deadly.” She wrinkled her brow. “The viruses were also in systems that should have excluded them. We need to understand quickly why they didn’t. We have no idea how many of them are out there, or how they spread. If they’re commonly on the Internet—and this assumes we’re dealing with more than one and not a single virus with different manifestations—they’re going to cause a lot of trouble, not just in home and business computers but in government and military ones as well.”

“Well, that’s good,” Carlton said.

“Excuse me?”

“I mean that they are going after computers in which my department has a direct concern,” he said hastily. “Not that the viruses are good as such.”

Daryl bit her tongue. She needed this fool’s help.

“I’m saying that’s the kind of thing we are so effective at interdicting,” Carlton added, dragging his eyes away from her chest. He’d first met Daryl when she’d worked at the National Security Agency in 2000. She’d been assigned to liaison with his Cyberterrorism–Computer Forensics Department at the CIA. She’d been unexpectedly forthcoming, even providing some source data they’d lacked, which proved quite accurate. But the best part of the arrangement had been her drop-dead looks. He’d suggested drinks more than once, but got nowhere. Neither had anyone else in the department.

He’d been more than pleased when he learned that she’d left NSA and was now assistant deputy executive director CISU (Computer Infrastructure Security Unit)/DHS and head of a team at US-CERT (Computer Emergency Readiness Team), which technically reported to him at DHS, where he was now chief of counter cyberterrorism. US-CERT was expected to operate independently, alerting him only when they came upon an issue of national security. This was the first time she’d ever asked to work in the field. He doubted he even had the authority to refuse, but he was damned if he was going to acknowledge any limits to his power.

“Aren’t the hospitals cooperating?” he asked, squaring his shoulders to look more forceful.

“Sure,” Daryl confirmed. “But I don’t know what they’re holding back, thinking it’s not important. The virus or viruses will have left tracks. I can’t trust others to find them. That’s not what they do. They just want to get their systems functioning. We need to educate ourselves quickly. The protections at one of these infected hospitals were much better than those of, say, nuclear power plants.” She met his eye to see if she was making her point. “We need to know, George. We can’t sit on this.”
