The technical fellow has penned a scarily realistic malware disaster novel and shares with InfoWorld his tips for avoiding his characters' fates

I’ve just finished reading the book “Zero Day” by Mark Russinovich. This is the first fiction book that has computers and technology at the heart of it where I didn’t angrily shout to the invisible author about the inaccuracy of the tech storyline. Even though the story is a work of fiction, the technical portion is spot-on — and downright scary. But that makes sense considering Russinovich’s background: He’s a technical fellow at Microsoft, the senior-most technical position there, but is known globally for his contribution to the IT community through the Sysinternals tools many of us have used at one time or another.

The story involves the release of different types of viruses and rootkits that have the ability to do everything from crashing planes to overheating nuclear power plants to swiping company data and billing records, crushing entire companies. Sounds impossible? Perhaps you didn’t read the headlines earlier this month that highlighted a computer virus in the cockpits of the U.S. drone fleet that logged every keystroke of these drones while they flew missions over war zones. Yes, the danger is very real, and combined with a great storyline (which I won’t spoil — read it for yourself), it had me on the edge of my seat.

But now what?
All I could think of after finishing it was, “What do we do to prevent these attacks from becoming a bigger catastrophe than they already are?” So I interviewed Russinovich himself for the answers.

InfoWorld: With so many new viruses and rootkits, is it even possible for OS developers like Microsoft and Apple, as well as antivirus firms, to combat the onslaught of new danger?

Mark Russinovich: No software is completely secure, but it’s the industry’s obligation to try to make our systems as secure as possible. That includes using software development processes like the SDL (Security Development Lifecycle), building in defense-in-depth features like ASLR (address space layout randomization) and DEP (data-execution protection), and creating sandboxes, like Microsoft Office’s protected view [and Apple’s iOS and Mac OS X Lion –Ed.], to isolate malware in case it penetrates a system. It’s not something where at some point you can stand back and say you’re done; it’s an ongoing effort to stay ahead of the attackers.

InfoWorld: In describing how rootkits are often undetected by antivirus software, the book says (on page 215), “They implant themselves deep within the kernel of the operating system.” What is Microsoft doing to combat this kind of problem? With Windows already being a modular OS, aren’t there failsafes in place to keep what happens in the user-mode subsystems from reaching down into the kernel-mode subsystems to cause damage?

Russinovich: Microsoft is using all the technologies I mentioned. The most important line of defense is the entry point, so the focus is first and foremost on keeping malicious software off a system. Code signing, app stores with a vetting process, secure launch, and antivirus are all technologies aimed at that. Once malware is on and executing, you’ve been compromised, and at that point it’s a matter of containing the damage and, ideally, cleaning the system.
Kernel-mode rootkits are especially problematic because they can be extremely difficult to detect and because they are on a level playing field with the operating system, so there’s no general way to clean them off. Each one must be addressed on a case-by-case basis.

InfoWorld: In the book, one of the companies hit with the virus has an “excellent firewall” and does a daily update of everything, “seeing to patches and running system security scans.” In addition to those actions, what do you recommend companies and home users do to keep up with the rising threats?

Russinovich: Keeping antivirus and patches up to date is a priority. Using the latest versions of software, whether it’s the operating system or the browser, gets you the latest in antimalware defense, which is something many people don’t consider. And of course using complex and different passwords for different sites, or at least for different tiers of accounts according to their value, and strong passwords and encryption for wireless networks is important. For companies, applying the concept of “least privilege,” where users and administrators get access to only what they need to accomplish their job, limits exposure.

InfoWorld: The average IT admin isn’t trained to perform the diagnostic work that the book’s main character does to locate the viruses and rootkits that took out the firm he is working with. Do you believe it is essential for IT admins to become more adept at looking into the internals of a system through tools like Sysinternals? As a side question, those tools are a bit complicated at times, so can you recommend something to assist in learning them?

Russinovich: Unfortunately, targeted attacks and highly polymorphic malware mean that antivirus software is more and more unlikely to identify malware. I’d say it’s more important that IT pros audit access and analyze access logs for anomalous behavior to identify penetrations.
Basic malware analysis capabilities, like those that I teach in my Sysinternals malware cleaning presentations, are of course helpful for cleaning junk malware and maybe even confirming that you’ve got an infestation, but if you suspect a breach of a sensitive area of your network, it pays to play it safe and hire some experts to take a look.

InfoWorld: Anything else coming down the pipe on the fiction side? A “Zero Day” movie, perhaps, or maybe another book?

Russinovich: As a matter of fact, yes. “Zero Day” has done really well, so the publisher, St. Martin’s Press, optioned the sequel. I’ve just completed a draft of “Trojan Horse,” which picks up with Jeff and Daryl, the main characters of “Zero Day,” a couple of years later and has them hot on the trail of state-sponsored espionage, something that’s been in the news a lot lately with all the cyber attacks and penetrations suspected to have been perpetrated by China.

This article, “Microsoft’s Russinovich: How to stop a real ‘Zero Day’ disaster,” was originally published at InfoWorld.com. Read more of J. Peter Bruzzese’s Enterprise Windows blog and follow the latest developments in Windows at InfoWorld.com.