In this episode of Herding Code, the guys talk to Mark Russinovich about his new book (Zero Day), modern malware like Stuxnet, his experiences discovering the Sony rootkit, the Sysinternals tools, and computer security in general.
- K Scott asks Mark about how he decided to write Zero Day. Mark talks about how early, unsophisticated viruses still caused a lot of damage, and it got him thinking about what a virus attack motivated by a terrorist agenda could achieve.
- K Scott talks about the shift to financial motivation in malware, and Mark mentions the book Zero Day Threat, which discusses financially motivated malware.
- Kevin asks Mark about his motivation for writing fiction in general, and how big a shift it was from technical writing.
- K Scott talks about how he read the book while travelling, and how it did a pretty good job of terrifying him.
- Mark mentions how the Stuxnet virus validated some of the scenarios he’d been using in the book, how sophisticated Stuxnet is, and how that level of sophistication in malware authoring is available for hire, cheaply.
- Scott K asks about the threat that malware like Stuxnet could come back on the entity that released it, and Mark mentions that collateral damage is definitely a factor, but that the Stuxnet authors were apparently unconcerned by it.
- We take a question from listener @mattd78: "what does mark think of Linux and has he ever analyzed the source code to compare it to windows"
- Scott K asks how the malware targets have changed with the explosion of mobile devices.
- K Scott asks Mark about how he uses Sysinternals tools when studying malware.
- Jon asks about how live.sysinternals.com works to allow running the tools without an explicit download / install step.
- Jon asks Mark whether he does all his testing in virtual machines or uses physical test machines.
- K Scott asks Mark about Rootkit Revealer – how it got started, and how Mark discovered the Sony rootkit. Mark tells an interesting story about the cat-and-mouse game he played against a rootkit writer who went by the name of Holy Father, who kept coming up with new ways to hide from Rootkit Revealer.
- Mark talks about the interview he did on NPR about the Sony rootkit fiasco.
- Kevin thanks Mark, on behalf of Windows developers everywhere, for the Sysinternals tools. When Kevin tells Mark that they've saved his butt over and over, Mark says he's heard that feedback so many times that they used "save your butt" in advertising over the years.
- Kevin asks Mark if working at Microsoft has made things easier. Mark says not so much – it’s often quicker for him to disassemble and use dynamic analysis than to look at the source code.
- Jon asks if Mark has any security feedback for .NET developers. Mark says that if you’re purely in managed code, you need to focus on logic problems like SQL injection.
- K Scott asks if Mark has anything he’d like to promote, and Mark talks about the upcoming book Windows Sysinternals Administrator’s Reference.
- Jon asks Mark what’s the point of running antivirus software if it’s not going to be 100% effective.
- Kevin asks Mark if he’s working on a sequel to Zero Day. He is!
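The live.sysinternals.com question above comes up often enough in practice to deserve a concrete example. The following PowerShell is an added example, not code from the episode or from Sysinternals: it pulls a tool from the public share behind live.sysinternals.com (reachable as the UNC path \\live.sysinternals.com\tools once the Windows WebClient service is running), checks the Authenticode signature before executing anything, and records the SHA256 of what actually ran. The function name, cache directory and the autorunsc.exe usage line are this example's own choices.

```powershell
# Added example (not from the episode or from Sysinternals): run a Sysinternals tool
# straight from the live.sysinternals.com share, but only after checking its
# Authenticode signature, because you are executing a binary fetched over the network.
# Assumes Windows PowerShell 5.1 or later and a running WebClient (WebDAV) service.

$LiveShare = '\\live.sysinternals.com\tools'   # the public share behind live.sysinternals.com

function Invoke-SysinternalsLive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Tool,            # e.g. 'autorunsc.exe'
        [string[]]$ArgumentList = @(),
        [string]$CacheDir = (Join-Path $env:TEMP 'sysinternals-live')   # hypothetical cache location
    )

    # Copy to a local cache first: running directly from the UNC path works, but a
    # local copy gives you something stable to hash, signature-check and keep for your notes.
    New-Item -ItemType Directory -Path $CacheDir -Force | Out-Null
    $local = Join-Path $CacheDir $Tool
    Copy-Item -Path (Join-Path $LiveShare $Tool) -Destination $local -Force

    # Refuse to run anything that is not validly signed by Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $local
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
        throw "Refusing to run $Tool : signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
    }

    # Record exactly what was executed, so an investigation can be reproduced later.
    $hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    Write-Verbose "Running $local (SHA256 $hash)"

    # -accepteula suppresses the first-run license dialog so the tool works unattended.
    & $local -accepteula @ArgumentList
}

# Usage: dump all autostart entries as CSV with the console Autoruns, pulled from the live share.
# Invoke-SysinternalsLive -Tool 'autorunsc.exe' -ArgumentList '-a','*','-c' -Verbose
```

The signature check is the part worth keeping even if you drop the rest: a tool you run with admin rights on a machine you are investigating is exactly the binary an attacker on the path would most like to substitute, and the live share is plain WebDAV, so the Microsoft signature is the only integrity guarantee you get.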
Show Links:
- Mark Russinovich (blog, @markrussinovich, wikipedia)
- Zero Day
- Sysinternals
- Zero Day Threat (book)
- The Andromeda Strain (book)
- Stuxnet
- Mark’s series on Stuxnet
- Half-Life 2 source code leak
- Cyber War: The Next Threat to National Security and What to Do About It (book)
- Rootkit battle: Rootkit Revealer vs. Hacker Defender
- Windows Sysinternals Administrator’s Reference (book)
- The Antispyware Conspiracy
Download / Listen:
Herding Code 113: Mark Russinovich on Zero Day and Computer Security
[audio://herdingcode.com/wp-content/uploads/HerdingCode-0113-Mark-Russinovich-on-Zero-Day-and-Computer-Security.mp3]