Given that Zero Day is a book about the threats posed by malware, I thought I’d post pointers to my other malware-related publications and presentations. Some show how to clean malware using the utilities I’ve written and others discuss operating system features designed to prevent malware infections or limit malware’s effect when an infection occurs.
One increasingly common tactic employed by the malware community is to promote “scareware”. Scareware is malware disguised as antimalware that web sites trick you into installing by announcing that your computer has been – ironically – infested with malware. Many of these fake antimalware products create a doorway through which other malware authors can push their wares after purchasing access from the scareware creator. Scareware entered the scene in 2004-2005, and this blog post from early 2006 dissects a scareware product I ran across, showing how it installs itself and downloads additional malware. It even includes a video that uses my Sysinternals tools to show what’s going on under the hood as the infection occurs:
http://blogs.technet.com/b/markrussinovich/archive/2006/01/03/the-antispyware-conspiracy.aspx
Many of the Sysinternals utilities are heavily used by professional malware analysts. They often use the more advanced features of the tools, but even their basic functionality makes it possible for users with some computer proficiency to solve their own malware incidents – or those of their family and friends. Some malware has grown so sophisticated that only a professional can successfully analyze and clean it (or even detect its presence), but my Advanced Malware Cleaning presentation from the Microsoft TechEd conference in 2006 is still relevant today for most commonly encountered malware:
http://technet.microsoft.com/en-us/sysinternals/gg618529
Here's my own analysis of a piece of email-delivered malware I received, intended to enlist the computer of whoever launches it into a botnet (to be safe, I launched it in a controlled configuration in a virtual machine with no access to my local network):
http://blogs.technet.com/b/markrussinovich/archive/2007/04/09/741440.aspx
This recent blog post on my technical blog shows how a Microsoft support engineer used some of the more sophisticated Sysinternals features to analyze and clean a new strain of malware, MarioForever, off the computers of a large hospital network:
http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
That malware had gotten past the antimalware used by the hospital. Unfortunately, malware is evolving so quickly and at such large scale that antimalware only addresses a fraction of the malware in circulation and is out of date the instant it is updated with new antivirus signatures. And antimalware, just like any commercial software, can have vulnerabilities that enable malware to gain access to a system, or to gain administrative rights if it infects a system with limited rights. This blog post from 2007, The Case of the Insecure Security Software, demonstrates the use of Sysinternals tools to identify certain kinds of antimalware vulnerabilities and exposes some flaws that existed at the time in the antimalware product of a top security vendor:
http://blogs.technet.com/b/markrussinovich/archive/2007/06/19/1256677.aspx
Operating systems and most common commercial software have become more secure over time, largely because of cutting-edge defense-in-depth measures added by the tools developers use to create software and also added to newer versions of operating systems. Here’s a Channel 9 interview (Channel 9 is a Microsoft web site that interviews Microsoft developers) where I talk about operating system security:
In this video interview, Mark Minasi and I discuss some of the security enhancements introduced in Windows 7:
http://www.msteched.com/2009/NorthAmerica/TTK12
I define the concept of “security boundaries”, which are operating system features designed with strong security guarantees, in this TechEd 2009 presentation. To highlight the difference between defense-in-depth features, which have no guarantees but can foil certain types of malware attacks, and security boundaries, I describe the design and implementation of a number of Windows features often considered security boundaries:
http://www.msteched.com/2009/Europe/SIA301
One of the features I covered in that presentation is User Account Control (UAC), a feature added in Windows Vista that drew ire because users initially ran into many of UAC’s “allow/deny” dialogs before software adapted to the more secure configuration UAC was designed to promote. This presentation, User Account Control Internals and Impact on Malware, goes deep inside UAC’s implementation to reveal how it works and why those dialogs are ultimately useful for everyone:
http://www.microsoft.com/showcase/en/us/details/10c81bb6-972b-4856-9a39-2cc0eb1352ae
Finally, my most famous blog post, Sony, Rootkits and Digital Rights Management Gone Too Far, is one I can’t leave out. It chronicles how I discovered a rootkit Sony was distributing on some of the audio CDs it sold in 2005, and the post eventually led to Sony’s recall of millions of CDs and a settlement with the FTC:
Follow Zero Day on Facebook to enter the March 15 giveaway of 10 signed copies and a signed Advance Reviewer's Copy!
I just did an interview about Zero Day with Norm Goldman of Bookpleasures.com, who a couple of weeks ago gave Zero Day a very positive review. Here's the link to the interview:
And here's the link to Norm's review:
(Continued from The Road to Zero Day: Agent to Publisher) I was hopeful that Zero Day might be published in 2009, but it wasn’t until March that the contract with Thomas Dunne Books was finalized and signed, and everyone tells me that it's at least a year from that time until publication. My editor told me that the book was going to be published in their spring 2010 catalog, which actually means publication in April or May. Next, my editor suggested some changes. I made another revision, this one taking a little longer than the previous. He also recommended I begin getting “blurbs” for the book cover. Fortunately, I had a meeting with Bill Gates shortly after and asked him if he’d consider providing one. We’d met regularly since I started at Microsoft and often discussed computer security. I had told him about the book at our first meeting, so he was already aware of it. To my great amazement, he agreed. My meetings with Bill always seemed a little surreal, and I wondered if I was correctly interpreting reality when I walked out of his office that afternoon. I immediately sent him the manuscript and a few weeks later he sent the blurb you see on this site’s front page.
My next blurb came from Howard Schmidt, now cyber security coordinator for President Obama, to whom I was introduced by a friend at Microsoft. Howard had started the Trustworthy Computing initiative at Microsoft in 2000 when computer security became a major focus for Microsoft, before going to work for the Bush administration as the President's post-9/11 cyber security advisor. He was running a cyber security consulting company based out of London, but happened to live nearby, so we arranged to have lunch. Zero Day reflected some of his major concerns about cyber security and he agreed to read it. A couple of weeks later he not only agreed to supply a blurb, but to write the book's foreword, which was an unexpected and exciting bonus. Even more unexpected and exciting was that a week after he sent them to me, I read the news that he had been appointed to the Obama administration. His credentials, already impressive, had just gotten even more so.
In December 2009, my editor suggested I fly to New York City to have lunch with him, Thomas Dunne, and Ann, who would come in from Boston. The opportunity to meet with Tom was something I couldn’t pass up and New York is great to visit around Christmas, so I made a family holiday trip out of it. I took a cab to the restaurant where we had a great conversation over a couple of hours. Despite being an important figure in the publishing world, Tom didn’t seem in a hurry and never glanced at his watch. He told me how much he liked the book and was even looking forward to a sequel. Then he asked what goals I had for the book. I travel relatively frequently, so when writing I defined my metric of major success as seeing Zero Day in an airport bookstore. He liked the answer and said he would make that a goal for the marketing department.
After lunch, we drove to the Flatiron building, a New York landmark, where St. Martin’s Press and Tom’s office are located. I got a quick tour and met some of the staff before departing. It was a fascinating peek into the world of New York City publishing and satisfying to have spent a leisurely lunch discussing novels and writing with a publishing luminary.
I thought things were on track for the spring publication, which they call a “launch”. However, around February my editor told me that Tom felt that a few changes would greatly improve the book and strongly suggested that I make them. Fortunately, I agreed the suggestions would help and made another revision as quickly as possible, but it was clear that it meant the book wouldn’t be ready for a spring launch. Tom liked the changes and the new launch date of Fall 2010 was set. I wasn’t too disappointed by what I thought was just a few months of delay, but then found out that Fall launches occur in February or March of the following year. It seemed that the book would never get published.
Then, in the summer, John told me he was leaving Thomas Dunne to head Mulholland Books, Little, Brown’s new suspense imprint. Having an editor leave in the middle of a book project can spell the end of the book. Fortunately, another editor, Peter Joseph, jumped in, took over and kept it moving through the process. I can’t say that, even after my experience, I understand the publishing industry, but I’m glad that people believed enough in the book to help it through to publication.
Throughout the actual fall of 2010 we collected more blurbs. First, I got one from William Landay, author of an award-winning book, The Strangler, about mafia corruption in Boston in the 1960s during the time the Boston Strangler was active. I was really pleased to get one from an accomplished thriller novelist. Then my agent told me she'd gotten one from multiple New York Times bestseller Nelson DeMille. I was beyond thrilled. I felt that Zero Day was a decent book, but didn't really know how it would be received, especially by non-technical readers. Having these major novelists willing to associate their names with Zero Day was incredibly rewarding. I immediately sent him a thank you email and he replied that he'd really enjoyed the book. At that point I had both major technical and literary endorsements, which was more than I’d hoped for when I set out to write the book.
Also in the fall, I researched PR agencies to help me promote the book. After interviewing a few I settled on Phenix and Phenix. They specialize in books and have represented some of my favorite authors, including Ben Bova, who will be familiar to you if you’re a science fiction fan. I read a lot of his books growing up and his novella The Dueling Machine made an impression on me that lasts to this day.
That brings us to now, about six years since I set out and within one month of the book's publication. The ride has been much, much longer than I expected, but I’m glad I listened to Ann and stuck with it. The feedback I’ve gotten from pre-publication reviews has exceeded my expectations and I’m hopeful that you also find Zero Day to be an exciting cyber-thriller!
(Continued from The Road to Zero Day: Idea to Manuscript) The books on novel writing I purchased had listings of agents, organized by genre. I initially targeted twenty specializing in thrillers, sending them a cover letter, bio sheet, and the first 50 pages of the book. All novel writing guide books warn how difficult it is to get a first novel published, but like I mentioned in the last post, I thought that as a recognized expert in the field and with the reach I had with my blog and Sysinternals, I had a better than average chance of attracting interest. It turned out that I was wrong.
Over the next three months I received around a dozen responses. Half simply wrote that, although the book looked promising, they weren’t interested. The other half essentially said the same, but added that they would love to represent me if I wanted to publish a non-fiction book.
I was a little surprised at my lack of success, but undaunted, I sent the package to another twenty agents. Three months later I had a repeat of the first batch of responses. I decided I would self-publish instead, but then a friend said he knew someone at a publicity agency who was an “agent agent” – someone who has relationships with agents (what I call a double-agent). I paid him a flat fee and he promised that he’d either get me an agent within three months, or the book was just not good enough for mainstream publication.
The double-agent began contacting his connections and one after the other, got negative responses. This time, the agents read the entire manuscript, but instead of providing any helpful criticism, the feedback was always the same: the book is pretty good, but not a fit for what they were looking to represent. That's the polite way of saying that the book isn't viable or requires too much work to get into shape.
Finally, after a month and a half, Ann Collette of the Helen Rees Literary Agency said she thought the book had great potential and would represent it. After I signed her, she edited the manuscript and made several good suggestions for tightening the plot. I made revisions and then the next phase began, finding an editor at a major commercial publisher that liked it. She sent the book to an initial list of ten and over the first several weeks we got back the same kinds of answers I had received in my hunt. Then we got a positive response from an editor at one of the largest publishers. He said that he liked the book a lot and would pitch it to the sales and marketing teams. My hopes were up. A few days later, though, he reported that he couldn't get their backing. So close. He did send some great feedback that I incorporated in the book.
Ann sent a second wave of submissions to another ten editors. Again, the answers that started coming back were the same as before. Now I was getting discouraged. It was already two years since I'd finished the first draft and I'd gotten dozens of rejections. I thought it was time to take the hint and told Ann I was ready to give up and self-publish. I had even started researching self-publishing options. Ann told me my experience was common, that she was convinced the book was good enough to get published by a major publisher, and to wait a little longer. I relented.
Then in the fall of 2008, John Schoenfelder at Thomas Dunne Books expressed interest. I did some research on Thomas Dunne Books and learned that it was a division of St. Martin’s Press, one of the big publishers. We sent the full manuscript in January 2009 and a few weeks later got back word that Thomas Dunne had personally read the book and liked it. I was ecstatic. The hunt was over and I was going to have a published novel. Coincidentally, I was reading Dan Brown’s first novel, Digital Fortress, about the same time, and read in the acknowledgements Dan thanking Thomas Dunne for being his editor. I was in good company.
Stay tuned for my next post, The Road to Zero Day: Publisher to Publication.
My idea for writing Zero Day originates in the early 2000s. It was then that a string of new, explosive virus outbreaks brought malware to the public’s attention. The first automatically spreading virus, called a worm, was Happy99. It spammed an infected user’s contacts and, when received, simply wished the recipient a happy New Year in 1999 with a small fireworks display.
Several similar worms followed, including Melissa, ILOVEYOU, and the Anna Kournikova Virus.
Up to this point the viruses were simply a nuisance and only affected systems and networks as a side effect. Code Red, which hit in mid-2001, was the first in a quick succession of new fast-spreading worms that moved between computers by exploiting vulnerabilities in network applications and that caused significant disruption and financial damage. Code Red infected over 250,000 systems in 9 hours, and Nimda (Admin spelled backward) spread so fast that it slowed the Internet and penetrated millions of systems within half an hour of its release.
2002 was relatively quiet, but 2003 was an active year for major attacks. It brought Slapper, Blaster, Sobig and Sober, each one crashing systems, shutting them down, or flooding networks and inboxes. SQL Slammer doubled in size every 8.5 seconds, infected 90% of vulnerable hosts within 10 minutes, and indirectly caused the shutdown of 13,000 Bank of America ATMs.
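The Slammer figures above (a doubling time of 8.5 seconds and 90% of vulnerable hosts infected within 10 minutes) are what the standard logistic model of a random-scanning worm predicts, and the same model quantifies why signature updates arrive too late for a fast worm. The Python below is an added example, not code from the original post; the only number taken from the post is the 8.5-second doubling time, while the vulnerable population of 75,000 hosts and the starting point of a single infected host are assumptions chosen for illustration.

```python
"""Logistic model of random-scanning worm propagation (added example).

dI/dt = r * I * (1 - I/N), where I is the number of infected hosts, N the
number of vulnerable hosts and r the early-phase growth rate.  Early on the
worm grows exponentially (doubling every ln(2)/r seconds); as it exhausts
the vulnerable population the growth saturates.
"""
import math

# Constructed assumptions for illustration; 8.5 s is the Slammer doubling
# time quoted in the post, the other two values are not from the post.
N_VULNERABLE = 75_000   # assumed number of exposed (unpatched, reachable) hosts
I0 = 1                  # assumed single initially infected host
DOUBLING_TIME_S = 8.5   # early-phase doubling time, from the post


def growth_rate(doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Per-second growth rate r that yields the given doubling time."""
    return math.log(2) / doubling_time_s


def infected_at(t_s: float, n: int = N_VULNERABLE, i0: int = I0,
                doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Closed-form logistic solution I(t) = N / (1 + ((N - I0)/I0) * e^(-r t))."""
    r = growth_rate(doubling_time_s)
    return n / (1.0 + ((n - i0) / i0) * math.exp(-r * t_s))


def time_to_fraction(fraction: float, n: int = N_VULNERABLE, i0: int = I0,
                     doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Seconds until `fraction` of the vulnerable hosts are infected (closed form)."""
    r = growth_rate(doubling_time_s)
    odds = fraction / (1.0 - fraction)
    return math.log(odds * (n - i0) / i0) / r


def simulated_time_to_fraction(fraction: float, n: int = N_VULNERABLE, i0: int = I0,
                               doubling_time_s: float = DOUBLING_TIME_S,
                               dt_s: float = 0.1) -> float:
    """Same quantity by forward-Euler integration, as a check on the closed form."""
    r = growth_rate(doubling_time_s)
    t, infected, target = 0.0, float(i0), fraction * n
    while infected < target:
        infected += dt_s * r * infected * (1.0 - infected / n)
        t += dt_s
    return t


def fraction_infected_before_response(response_time_s: float, n: int = N_VULNERABLE,
                                      i0: int = I0,
                                      doubling_time_s: float = DOUBLING_TIME_S) -> float:
    """Share of the vulnerable population already infected when a signature or
    patch can first be deployed, `response_time_s` seconds after the outbreak."""
    return infected_at(response_time_s, n, i0, doubling_time_s) / n


if __name__ == "__main__":
    t90 = time_to_fraction(0.9)
    print(f"90% infected after {t90:.0f} s (~{t90 / 60:.1f} min), "
          f"Euler check: {simulated_time_to_fraction(0.9):.0f} s")
    for minutes in (1, 2, 5, 10):
        share = fraction_infected_before_response(minutes * 60)
        print(f"signature ready at {minutes:>2} min -> {share:.1%} already infected")
```

With these assumptions the 90% mark is reached in about 165 seconds, comfortably inside the post's "within 10 minutes", and by the time a 10-minute response is ready essentially the whole vulnerable population is infected. Changing N_VULNERABLE by an order of magnitude shifts the result by only a few doubling times, which is the point: against a worm with a doubling time measured in seconds, only measures that are in place before the outbreak (patching, least privilege, network filtering) change the outcome.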
2004 brought more of the same, and in 2005 virus writers started leveraging rootkit techniques, which bury a virus deep in a system and cloak its presence from standard diagnostic and administration utilities. I even ran into a rootkit, one I discovered on a Sony music CD-ROM, that shot me into the mainstream press for my “15 seconds of fame”, including a brief appearance on the Today Show.
In all the cases where the perpetrator was identified, it turned out to be a lone hacker, sometimes a high school student. Imagine if a group of sophisticated hackers collaborated to develop a family of viruses that used new exploits to spread slowly, casting a wide net and running beneath the radar of the antimalware companies. And then imagine those viruses deleting the data on the systems they infected. It didn’t take much imagination to realize that malware would be an ideal weapon: low cost, nearly impossible to trace, and with incredible destructive potential. It seemed the cybersecurity community was focused entirely on cybercrime, with no focus on cyber war or the even bigger threat created by the difficulty of retaliation, cyber-terrorism. I felt the need to raise awareness and thought there was no better way than to entertain in the process.
In early 2005, I sketched the characters and plot for Zero Day and began writing. I finished the first draft in mid-2006, about the time I joined Microsoft, and based on the feedback of friends and family was confident that it was as good as or better than many in the thriller genre I had read. The several books on novel writing I bought indicated that the next step was to find an agent. With my established technical credentials as a coauthor of the non-fiction Windows Internals book, the audience reach I had via my technical blog and the Sysinternals web site, and the notoriety the Sony rootkit story had brought me, I was sure I would have no trouble finding an agent eager to represent Zero Day.
Stay tuned for my next post, The Road to Zero Day: Agent to Publisher.
"If you aren't a computer geek, some of the lingo and explanations are going to pass right by you; but there's enough information and ever-developing, terrifying plot developments to keep you riveted to every page."
http://crystalbookreviews.blogspot.com/2011/01/zero-day-novel-by-mark-russinovich.html
"The entertaining story line is linear yet exhilarating and frightening especially since author Mark Russinovich is an expert on the topic as his résumé brings a scary possibility to the cyber attack that the thriller focuses on."
http://genregoroundreviews.blogspot.com/2011/01/zero-day-mark-russinovich.html
"The novel is more plot than characters, but it is a very frightening, fast moving narrative that reveals how interconnected we all are through the internet."
http://bookgarden.blogspot.com/2011/01/zero-day-by-mark-russinovich.html
If you like books by Michael Crichton and Tom Clancy, I think you'll enjoy Zero Day. In my existing technical blog I post articles primarily related to Windows, and in this one I'll be posting links to reviews, cyber-security news and other book-related updates. You can also follow me on Twitter or friend-me on Facebook.
I encourage you to pre-order a copy today and tell your friends about the book and this site!
Mark Russinovich works at Microsoft in the Microsoft Azure product team as Chief Technology Officer.