Guns, babes, and rootkits: A Windows guru writes a thriller

Microsoft's Mark Russinovich released his first novel, a thriller based on a zero-day attack. Mark Underwood reviews the novel and the security tech featured in it.

He heard the whisper of clothing across nylon, the slight sound of her skirt dropping to the carpet. He sensed, more than saw, her form stretch on the couch. He unbuckled his trousers and let them drop around his ankles.

That less-than-geeky start is ripped from page one of Zero Day, a new novel. Skip ahead a few sentences, and you'll see, "NO OPERATING SYSTEM FOUND."

Guns, babes, rootkits, blade servers, damsels in distress, and assassins. Mark Russinovich is best known to readers as a founder of Winternals Software and the Sysinternals website. With cofounder Bryce Cogswell (who retired from Microsoft in October 2010), Russinovich developed a reputation for a set of very useful utilities to diagnose Windows systems. In 2006 the company was acquired by Microsoft, and Russinovich now goes by the title of Technical Fellow in Microsoft's Windows Azure Division. (Worth checking out: a live version of the Sysinternals files, directly accessible.)

Malware has been in Russinovich's peripheral vision for some time. The principals at Winternals were behind the discovery of an ill-advised rootkit in the Sony BMG CD copy protection scheme in 2005 (see p. 100 of Zero Day). The fiasco led to Sony BMG's recall of the affected CDs and various lawsuits. What's the connection here?

Sysinternals utilities include Process Monitor, Process Explorer, VMMap and Autoruns. In a recent blog post, Russinovich shows how he used these utilities to analyze the infection steps followed by the complex Stuxnet malware he received via email from "a programmer." (Stuxnet had me worried, too; I wrote about it two weeks later in this column.) For instance, Sysinternals Autoruns can be used to show only code signed by non-Microsoft publishers (such as the forged Realtek and JMicron signatures), and Process Monitor will chronicle registry, file system and DLL activity. VMMap looks at memory usage, and this tool was able to identify that the module loaded into the infected Lsass.exe has both write and execute permissions in its address space, whereas the legitimate Lsass.exe does not.
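As an added illustration of the VMMap observation above (this is example code written for this review, not code from Russinovich's post or from Sysinternals): a small script that flags regions of a process's address space whose protection is both writable and executable. The `is_write_execute`/`suspicious_regions` helpers are plain Python and run anywhere on constructed region data; `enumerate_regions` walks a live process with the Win32 VirtualQueryEx API and is Windows-only, taking the target PID from the command line.

```python
import ctypes
import sys
from dataclasses import dataclass

# Win32 constants from winnt.h: page protections, region state/type, access rights.
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
MEM_COMMIT, MEM_IMAGE = 0x1000, 0x1000000
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010

@dataclass
class Region:
    base: int
    size: int
    protect: int   # PAGE_* value, possibly with PAGE_GUARD/PAGE_NOCACHE modifier bits set
    mem_type: int  # MEM_IMAGE (a loaded module), MEM_MAPPED or MEM_PRIVATE

def is_write_execute(protect: int) -> bool:
    """True when the base protection (low byte) allows both write and execute."""
    return (protect & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

def suspicious_regions(regions):
    """Committed W+X regions, image-backed ones first: a legitimately loaded
    module maps its code read+execute, so a writable image region (as in the
    infected Lsass.exe) is the strongest signal."""
    hits = [r for r in regions if is_write_execute(r.protect)]
    return sorted(hits, key=lambda r: (r.mem_type != MEM_IMAGE, r.base))

class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Matches the x64 layout (48 bytes); 32-bit Windows has no PartitionId field.
    _fields_ = ([("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                 ("AllocationProtect", ctypes.c_ulong)]
                + ([("PartitionId", ctypes.c_ushort)] if ctypes.sizeof(ctypes.c_void_p) == 8 else [])
                + [("RegionSize", ctypes.c_size_t), ("State", ctypes.c_ulong),
                   ("Protect", ctypes.c_ulong), ("Type", ctypes.c_ulong)])

def enumerate_regions(pid: int):
    """Windows only: walk the address space of `pid` region by region with VirtualQueryEx."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise OSError(ctypes.get_last_error(), "OpenProcess failed")
    mbi, addr, out = MEMORY_BASIC_INFORMATION(), 0, []
    while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
        if mbi.State == MEM_COMMIT:  # skip free and reserved-only regions
            out.append(Region(mbi.BaseAddress or 0, mbi.RegionSize, mbi.Protect, mbi.Type))
        addr = (mbi.BaseAddress or 0) + mbi.RegionSize  # VirtualQueryEx returns 0 past user space
    k32.CloseHandle(handle)
    return out

if __name__ == "__main__" and sys.platform == "win32":
    for r in suspicious_regions(enumerate_regions(int(sys.argv[1]))):
        print(f"{r.base:#018x} size={r.size:#x} protect={r.protect:#x} type={r.mem_type:#x}")
```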

Sysinternals utilities have been paid a high compliment indeed. Some malware explicitly seeks to disable them to avoid detection.

This discussion provides a cursory insight into the level of detail required to perform malware analysis. How much of that made it into Zero Day? Some. Lay readers must get through references to domain controllers (p. 24), corrupted registry entries (p. 26), device driver image analysis (p. 27), VMs (p. 28), cut-and-pasted code (p. 46), debugging code (p. 57), honeypots (p. 72), polymorphism (p. 74), kernel debuggers (p. 99) and the mental puzzle of malware with self-destructive bugs that prevent it from completing its own mission. The narrative seeks to explain rootkits, and readers will have to stick with the story line for a hundred pages to get to the rootkit's discovery.

So how much of a burden is this technical background, to which is added a bit of Internet history and scattered dossiers on DHS, US-CERT, NSA, FBI and CIA attempts to improve computer security - before and after 9/11? Readers will have to decide for themselves, but certainly bits of cybersecurity factoids, such as recitations of the Morris, Sober and Conficker attacks, and a hacker's attempt to auction an Excel exploit on eBay (p. 150), may be needed to overcome the complacency that many lay readers may harbor. Russinovich assumes, and he may be correct, that most readers believe that if their antivirus software is current, they are protected. This false assumption is central to the book, and resulted in the novel's chosen title.

As the TechNet post announcing the novel suggested, Michael Crichton may have been the inspirational design pattern for Zero Day. In an AuthorsCast interview Russinovich said that he remembered reading Andromeda Strain in seventh grade. Crichton, whose Harvard M.D. education informed his science-infused fiction writing, faced similar challenges in communicating enough science fact to carry fictional storylines in much of his fiction - with varying degrees of success.

For moderately dedicated readers, Russinovich has succeeded in following the design patterns of his would-be mentor. Those readers will find Zero Day a thrilling page-turner.

Nits and bugs

On the other hand, complaints about the novel's formulaic depictions of jihadists (". . . the Arab assassin. . . "), Brazilian brothels, French workers, Chechens, and its Da Vinci Code narrative style are apt. Add to these uneasy perceptions a sense that the novelist's depictions of women are somewhat colored by too much Jolt Cola (to invoke another stereotype) or perhaps their buxom counterparts in Mega Destructor IV (p. 24).

Regarding the computer security aspects of the novel, while Stuxnet vindicated the several embedded-software and infrastructure attacks the book presents, those attacks are rendered with less convincing detail. Also, the workings of the various U.S. federal agencies shift between accurate (understaffed, confused, siloed) and belief-stretching (bureaucratic inaction in the face of obviously lethal attacks).

Russinovich wisely includes an insider threat dimension in Zero Day, but the threat is not given the major role that it would be likely to play if a major attack is mounted against U.S. computer networks.

A final complaint is more serious. Russinovich's patient explanations of network security issues also omit a well-deserved indictment of software assurance, as well as the culture of tolerance that sometimes permits buggy, weakly tested, or poorly designed software to be distributed in the first place.

TechnoFiction and its readers

The first draft of Zero Day was completed in 2006. Russinovich said that the consensus was that this version was too technical, but he felt there was "a line" beyond which he had to maintain a Tom Clancy-esque level of detail to achieve the result he desired. Although some reviewers have complained that the technical burden in the published version is still too great, it's worth comparing the demands of Zero Day to those presented by the much-heralded late David Foster Wallace in his short story "Backbone" (New Yorker, March 7, 2011). On the first page, readers are confronted with dizzying anatomical detail: "lateral malleolus," "dextrorotated pressure," "resultant dyspnea," "postural echo and incrementalism in flexion," and "subluxated T3 vertebra." Wallace is a complex writer whose work intentionally operates on multiple levels; Zero Day may not aspire to that, but it's clear that serious readers of either work must suck it up and learn enough to follow the story line.

Fears that U.S. publishers and policymakers have been overrun by technocrats may be premature. Russinovich said he had a difficult time attracting both an interested agent and then an interested publisher for this book, even with his extensive publications, blog audience, and standing with Microsoft.

And there is the puzzle of male reader demographics. While there are many possible reasons for declining readership for fiction among men, and interest in fiction seems to decline with age for both sexes, it may be that a form which unites both non-fiction and fiction has yet to catch on with the larger public. (Add to this the IT gender gap.) In other words, the literacy problem is partly conventional literary sophistication, but also a problem of science and technology literacy.

Buy it for your boss

Zero Day may lack the enduring cultural significance of Gibson's Neuromancer, but it strikes a good balance between technical believability and plot pace. If your boss won't read it, hope for a film version. Russinovich has already been asked which actors he would like to see on the big screen. I'm envisioning those actors hunched over multiple Sysinternals displays rendered with the UX flourishes of Minority Report. Russinovich told AuthorsCast that his new fiction project involves nation-state cyber espionage, but I wouldn't wait for v2.0.