Microsoft's Russinovich: How to stop a real 'Zero Day' disaster

The technical fellow has penned a scarily realistic malware disaster novel and shares with InfoWorld his tips for avoiding his characters' fates

I've just finished reading the book "Zero Day" by Mark Russinovich. This is the first fiction book that has computers and technology at the heart of it where I didn't angrily shout to the invisible author about the inaccuracy of the tech storyline. Even though the story is a work of fiction, the technical portion is spot-on -- and downright scary. But that makes sense considering Russinovich's background: He's a technical fellow at Microsoft, the senior-most technical position there, but is known globally for his contribution to the IT community through the Sysinternals tools many of us have used at one time or another.

The story involves the release of different types of viruses and rootkits that have the ability to do everything from crashing planes to overheating nuclear power plants to swiping company data and billing records, crushing entire companies. Sounds impossible? Perhaps you didn't read the headlines earlier this month that highlighted a computer virus in the cockpits of the U.S. drone fleet that logged every keystroke of these drones while they flew missions over war zones. Yes, the danger is very real, and combined with a great storyline (which I won't spoil -- read it for yourself), it had me on the edge of my seat.


But now what? All I could think of after finishing it was, "What do we do to prevent these attacks from becoming a bigger catastrophe than they already are?" So I interviewed Russinovich himself for the answers.

InfoWorld: With so many new viruses and rootkits, is it even possible for OS developers like Microsoft and Apple, as well as antivirus firms, to combat the onslaught of new danger?

Mark Russinovich: No software is completely secure, but it's the industry's obligation to try to make our systems as secure as possible. That includes using software development processes like the SDL (Security Development Lifecycle), building in defense-in-depth features like ASLR (address space layout randomization) and DEP (data-execution protection), and by creating sandboxes, like Microsoft Office's protected view [and Apple's iOS and Mac OS X Lion --Ed.], to isolate malware in case it penetrates a system. It's not something where at some point you can stand back and say you're done; it's an ongoing effort to stay ahead of the attackers.
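ASLR and DEP are opt-in per Windows binary: the linker records them as bits in the PE optional header's DllCharacteristics field, so an auditor can tell whether a given executable or DLL actually requested these mitigations. The following is an added example, not code from the article or from Microsoft, that reads those bits; the minimal PE header it builds is constructed sample data, not a real binary.

```python
"""Report which opt-in mitigations (ASLR via DYNAMIC_BASE, DEP via NX_COMPAT,
and related flags) a PE32/PE32+ image requests in its DllCharacteristics."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",  # 64-bit ASLR (high-entropy addresses)
    0x0040: "DYNAMIC_BASE",     # image may be relocated: ASLR opt-in
    0x0100: "NX_COMPAT",        # DEP compatible: data pages non-executable
    0x0400: "NO_SEH",           # no structured exception handlers in image
    0x4000: "GUARD_CF",         # Control Flow Guard
}

def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics field of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    optional = coff + 20
    (magic,) = struct.unpack_from("<H", image, optional)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if size_of_optional < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics is at offset 70 of the optional header in both formats.
    (flags,) = struct.unpack_from("<H", image, optional + 70)
    return flags

def mitigations(image: bytes) -> dict:
    """Map each known mitigation flag name to whether the image sets it."""
    flags = dll_characteristics(image)
    return {name: bool(flags & bit) for bit, name in DLL_CHARACTERISTICS.items()}

def build_sample_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (sample data only) carrying the given flags."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE sig at 64
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", optional, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    for name, on in mitigations(build_sample_pe(0x0160)).items():
        print(f"{name:16} {'yes' if on else 'no'}")
```

On a real system, pass the bytes of an actual .exe or .dll to `mitigations()`; an image without DYNAMIC_BASE and NX_COMPAT set gets neither ASLR nor DEP by default and is a candidate for hardening or for system-wide mitigation policy.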

InfoWorld: In describing how rootkits are often undetected by antivirus software, the book says (on page 215), "They implant themselves deep within the kernel of the operating system." What is Microsoft doing to combat this kind of problem? With Windows already being a modular OS, aren't there failsafes in place to keep what happens in the user-mode subsystems from reaching down into the kernel-mode subsystems to cause damage?

Russinovich: Microsoft is using all the technologies I mentioned. The most important line of defense is the entry point, so the focus is first and foremost on keeping malicious software off a system. Code signing, app stores with a vetting process, secure launch, and antivirus are all technologies aimed at that. Once malware is on and executing, you've been compromised, and at that point it's a matter of containing the damage and, ideally, cleaning the system. Kernel-mode rootkits are especially problematic because they can be extremely difficult to detect and because they are on a level playing field with the operating system, so there's no general way to clean them off. Each one must be addressed on a case-by-case basis.
