Read Operation Desolation Online
Authors: Mark Russinovich
WASHINGTON, D.C.
GEORGETOWN
K STREET NW
3:21 P.M. EST
Jeff Aiken stared at the computer screen as he eased back in his chair. Outside, a gray rain fell as it had all day, the streets dark and slick. He'd returned from Atlanta the night before, preferring the comfort of his home to another night in a sterile hotel, and had worked remotely, running the final tests of his fix.
His financial sector client was a household name in the southern states. Malware had been detected by its in-house IT staff during a routine scan of the outbound network traffic from the servers. It had identified bursts of data directed at IP addresses somewhere in Russia. They had been unable to determine the origin of the traffic so Jeff had been summoned.
He'd spent three days in Atlanta. There he'd made a virtual copy of the server using a tool that took a “live” system and produced an image of it. With his forensic tools he located a rootkit-based virus. Rootkits were an increasingly common and very troublesome technique for cloaking viruses from standard detection, and they were increasingly popular with malware writers. It had been their prevalence in the attack code two years before that had made the Al-Qaeda viruses so difficult to identify.
During his forensic investigation Jeff determined that the virus propagated from system to system employing a vulnerability, ironically in one of the major security suites, another household name, this one worldwide. He established that it was installed in all his client's systems. The IT department had discovered the hole and patched it pretty quickly but, as was the case for most corporate IT staffs, they'd held off installing the patch to make certain it wouldn't cause problems on their servers. The uninterrupted performance of the Web site and database was nearly always considered to be most critical. It was during that delay they'd been infected.
The good news was that the virus was a generic botnet host, not one of the newer far more sophisticated versions designed to target the company specifically. It was the kind of broad digital aggressor every company encountered from time to time. They'd dodged a bullet because if a virus specifically targeted at them had penetrated their system, it would have caused financial havoc on the company's customer accounts.
Once he grasped the nature and extent of the infection Jeff had recommended that they utilize the best-case solution, which was to “repave” their system. This meant reinstalling the operating system and server applications, then restoring all the data from the uninfected backups. The CEO had balked at the downtime this would entail, calculating it would be both disruptive and expensive. Instead, Jeff had been told to cleanse the system.
Though faster and cheaper, this was the least certain approach. The enormous size and complexity of the system meant there were countless digital holes in which malware might lurk. Jeff could never be certain he'd cleaned everything. But he understood the practicalities of a functioning business; this was not a laboratory situation. And he understood that taking the system down to rebuild it would have created significant issues of trust and reliability with the company's clients.
No antivirus signatures had been established for the virus as yet. Signatures were how the usual antivirus programs uncovered malware. As a consequence, Jeff had to do it for himself by defining a series of steps to purge the virus from the system. This malware-cleaning solution then became a script that the company could run on their live server. It would seek out the tentacles of the virus and surgically sever them, deleting its files after the malware had been immobilized.
He'd alerted his contacts in the antivirus security industry to the new virus and made his fix available once he'd developed it. His connections were extensive and he was widely respected in his field because of his work to advance the state of antivirus research and in creating effective countermeasures.
Jeff had run a test of his solution before leaving Atlanta and it checked out. He'd then left the system to the IT staff while he flew home. He'd just spent the day remotely running additional tests, really for his own peace of mind. It all looked good, but as he'd tried to explain, this approach always left bits and pieces of the virus behind like so much clutter scattered across a factory floor or piled in corners. Generally that was no problem, but do it often enough and you slowly contaminated the operating system in subtle ways that adversely affected its efficiency and security. Well, they'd been warned.
In the quiet of his house he heard a car drive by, its tires splashing as it passed through standing water. Finished, Jeff disconnected from the Atlanta system, then opened his accounting spreadsheet to calculate the bill.
Daryl was away—again. Since the events of two years before when they'd nearly been killed obtaining the codes needed to partially counter the force of a cyber-attack on the West by Al Qaeda, they'd been a committed couple. She'd resigned as director of US-CERT Security Operations located at Arlington, Virginia, and joined him in his private IT security company, Red Zoya Systems LP. The name was a takeoff on the zero day applications that had made the Al Qaeda attack so frightening.
Though neither of their names had surfaced in the media after blunting the Al Qaeda attack, within certain circles they were superstars. Word of their exploits, both accurate and wildly exaggerated, had spread throughout the cyber-security industry. The result was more work than they could comfortably manage.
Their fees continued to pile up in the bank as neither of them had the time to spend their income. They worked out of their Georgetown Redstone town house, though on any given day one or both of them were out of the city or country on a project. They stayed in touch remotely, but the work tended to be all-consuming. Partly it was their nature, but it was primarily the demands that came with the job. By the time they were summoned the situation was always critical.
One snowy Sunday Jeff had contemplated just how many days they'd spent apart. He'd pulled out his calendar and made a dismal discovery that only confirmed what he suspected. In the last eighteen months, since they'd been set up here and been fully available for work, he and Daryl had spent a grand total of twenty-three days together. And on most of those days one or both of them had worked. He did not include one frenzied three-month period when they had largely worked from the office together on a special project as there'd been little interaction between them except as related to the job at hand.
He'd pointed this out to Daryl while she'd hurriedly packed for her next trip and she'd assured him they'd do something about it, that she wanted to do something about it—just as soon as she got back. That had been three weeks ago.
Jeff finished the tabulation, saved the file, then locked the screen with a sigh. This was no way to run a relationship. He sometimes wondered why he even bothered. Given the reality of their situation, he could only see one outcome.
Just then his telephone rang. He glanced at the number as he answered. London calling.
Zero Day
MARK RUSSINOVICH works at Microsoft as a Technical Fellow, Microsoft's senior-most technical position. He joined the company when Microsoft acquired Winternals Software, which he co-founded in 1996. He is the author of the first Jeff Aiken novel, Zero Day, and also of the popular Sysinternals tools. The non-fiction books he's coauthored include the Sysinternals Administrator's Reference (Microsoft Press) and the Windows Internals book series (Microsoft Press). He's a contributing editor for TechNet Magazine, and a senior contributing editor for Windows IT Pro Magazine. Mark lives in Washington State.
This is a work of fiction. All of the characters, organizations, and events portrayed in this novel are either products of the author's imagination or are used fictitiously.
THOMAS DUNNE BOOKS. An imprint of St. Martin's Press.
OPERATION DESOLATION. Copyright © 2012 by Mark Russinovich. All rights reserved. For information, address St. Martin's Press, 175 Fifth Avenue, New York, N.Y. 10010.
Cover design by Ervin Serrano
Cover photographs by shutterstock
www.thomasdunnebooks.com
www.stmartins.com
e-ISBN: 978-1-4668-2155-2