My Malware-Related Resources

March 7, 2011 | Mark Russinovich

Given that Zero Day is a book about the threats posed by malware, I thought I’d post pointers to my other malware-related publications and presentations. Some show how to clean malware using the utilities I’ve written and others discuss operating system features designed to prevent malware infections or limit malware’s effect when an infection occurs.

One increasingly common tactic employed by the malware community is to promote “scareware”. Scareware is malware disguised as antimalware that web sites trick you into installing by announcing that your computer has, ironically, been infested with malware. Many of these fake antimalware products also serve as a distribution channel: other malware authors purchase access from the scareware creator and push their own wares onto the already-infected machine. Scareware entered the scene in 2004-2005, and this blog post from early 2006 dissects a scareware product I ran across, showing how it installs itself and downloads additional malware. It even includes a video that uses my Sysinternals tools to show what’s going on under the hood as the infection occurs:


Many of the Sysinternals utilities are heavily used by professional malware analysts. They often use the more advanced features of the tools, but even the basic functionality makes it possible for users with some computer proficiency to solve their own malware incidents, or those of their family and friends. Some malware has grown so sophisticated that only a professional can successfully analyze and clean it (or even detect its presence), but my Advanced Malware Cleaning presentation from the Microsoft TechEd conference in 2006 is still relevant today for most commonly encountered malware:


Here's my own analysis of a piece of email-delivered malware I received, intended to enlist the computer of whoever launches it into a botnet (to be safe, I launched it in a controlled configuration in a virtual machine with no access to my local network):


This recent blog post on my technical blog shows how a Microsoft support engineer used some of the more sophisticated Sysinternals features to analyze and clean a new strain of malware, MarioForever, off the computers of a large hospital network:


That malware had gotten past the antimalware used by the hospital. Unfortunately, malware is evolving so quickly and at such large scale that signature-based antimalware addresses only a fraction of the malware in circulation, and a signature update is out of date almost as soon as it ships. And antimalware, just like any commercial software, can itself have vulnerabilities: flaws that let malware gain a foothold on a system, or that let malware running under an account with limited rights elevate to administrative rights. This blog post from 2007, The Case of the Insecure Security Software, demonstrates the use of Sysinternals tools to identify certain kinds of antimalware vulnerabilities and exposes some flaws that existed at the time in the antimalware product of a top security vendor:


Operating systems and most common commercial software have become more secure over time, largely because of defense-in-depth measures added both by the tools developers use to build software and by newer versions of operating systems. Here’s a Channel 9 interview (Channel 9 is a Microsoft web site that interviews Microsoft developers) where I talk about operating system security:


In this video interview, Mark Minasi and I discuss some of the security enhancements introduced in Windows 7:


In this TechEd 2009 presentation I define the concept of “security boundaries”: operating system features that come with a strong guarantee that code and data cannot cross them without authorization from the security policy, so that any bypass is treated as a vulnerability to be fixed. To highlight the difference between security boundaries and defense-in-depth features, which carry no such guarantee but still raise the cost of, or outright foil, certain types of malware attacks, I describe the design and implementation of a number of Windows features often considered security boundaries:


One of the features I covered in that presentation is User Account Control (UAC), a feature added in Windows Vista that drew ire because users initially ran into many of UAC’s “allow/deny” dialogs before software adapted to the more secure configuration UAC was designed to promote: running day-to-day as a standard user rather than as an administrator. This presentation, User Account Control Internals and Impact on Malware, goes deep inside UAC’s implementation to reveal how it works and why those dialogs are ultimately useful for everyone:


Finally, I can’t leave out my most famous blog post, Sony, Rootkits and Digital Rights Management Gone Too Far. It chronicles how I discovered a rootkit Sony was distributing on some of the audio CDs it sold in 2005, and the post eventually led to Sony’s recall of millions of CDs and a settlement with the FTC:
