existed on computers with the operators never knowing any better. Before the operating system was destroyed, such a worm would be seeking to replicate and spread itself, though slowly, so as to escape detection. But in this case some part of it had nuked the system, in effect committing suicide.
Now Jeff scanned the corrupted registry file settings. Malware commonly created entries so that the operating system activated them each time the computer was turned on, or whenever a user logged in. He examined every entry that looked even remotely suspicious. When he located a reference to a program or piece of code he didn’t recognize, he found the code’s file and examined it further, looking to see if the file provided the product it was associated with and the company that wrote it, since malware typically lacked such information.
Then he performed Web searches to find information about the file’s purpose, to see if anybody had previously flagged it as malware. Tedious and time-consuming, this formed the heart of what he did each day at work when on jobs like this. That initial flash of excitement he’d experienced waned as exhaustion began to overtake him again. Working while exhausted was typical, though. In these situations, time counted for everything. Yet so far, nothing.
Two hours later, Jeff finally got a break when he came upon a reference to a device driver that appeared suspicious. Device drivers were programs that allowed other programs to interact with a bit of hardware, such as a printer, and were attractive to malware authors because they could be leveraged to create spyware, viruses, and adware that hid from standard security protections. Most home PCs had some form of these types of malware without the owner even knowing it.
All device drivers had information that included the path to the file on the disk that contained the driver’s code, so Jeff was able to locate the driver image in question without any trouble. One, ipsecnat.sys, had a name that looked similar to that of a legitimate and standard driver, but he didn’t recognize it. When he examined it, the file’s version information reported itself as being from Microsoft, but a Web search turned up no hits on a driver by that name. Score one for my team, he thought.
Reinvigorated, Jeff loaded the driver into a code analyzer that allowed him to see a human-readable version of the instructions that the computer executed. Analyzing malware at this level was a big part of his job, so he could run through the instructions in his head the same way the computer would. This way he was able to understand its overall purpose.
He read:
.text:00000000007B35D8 xor [rcx + 30h], rdx
.text:00000000007B35DC xor [rcx + 38h], rdx
.text:00000000007B35E0 xor [rcx + 40h], rdx
.text:00000000007B35E4 xor [rcx + 48h], rdx
.text:00000000007B35E8 xor [rcx], edx
.text:00000000007B35EA mov rax, rdx
.text:00000000007B35ED mov rdx, rcx
.text:00000000007B35F0 mov ecx, [rdx + 4Ch]
.text:00000000007B35F3 loc_7B35F3:
.text:00000000007B35F3 xor [rdx + rcx*8 + 48h], rax
.text:00000000007B35F8 ror rax, cl
.text:00000000007B35FB loop loc_7B35F3
.text:00000000007B35FD mov eax, [rdx + 190h]
.text:00000000007B3603 add rax, rdx
.text:00000000007B3606 jmp rax
When he finished, Jeff was thoroughly alert. The code was obviously encrypted. Viruses often encrypted themselves to make it time-consuming, or even impossible, for virus scanners to unravel the core code. The malware decrypted itself into memory when launched, which could take up to several seconds because of the levels and complexity of the encryption scheme employed. That was why a slowly booting computer was often a sign of infection.
The next three hours flew by as Jeff tried to match the encryption algorithm used by the hacker against those commonly employed by malware authors. Finally, he decided that he was looking at something new. This part of his work was like a puzzle to him, one in which he pitted his