Trojan Horse

Mark Russinovich
works at Microsoft as a Technical Fellow, Microsoft’s senior-most technical position. He joined the company when Microsoft acquired Winternals software, which he co-founded in 1996. He is also author of the popular Sysinternals tools. He is co-author of the Windows Internals book series, a contributing editor for
TechNet Magazine
, and a senior contributing editor for
Windows IT Pro Magazine
. He lives in Washington State.
Zero Day
is also published by Corsair.

A
LSO BY MARK
R
USSINOVICH

Trojan Horse

Constable & Robinson Ltd
55–56 Russell Square
London WC1B 4HP
www.constablerobinson.com

First published in the US by Thomas Dunne Books, 2012

First published in the UK by Corsair,
an imprint of Constable & Robinson Ltd, 2012

Copyright © Mark Russinovich, 2012

The right of Mark Russinovich to be identified as the author of this work has been asserted by him in accordance with the Copyright, Designs and Patents Act 1988

All rights reserved. This book is sold subject to the condition that it shall not, by way of trade or otherwise, be lent, resold, hired out or otherwise circulated in any form of binding or cover other than that in which it is published and without a similar condition including this condition being imposed on the subsequent purchaser.

This is a work of fiction. Names, characters, places and incidents are either the product of the author’s imagination or are used fictitiously, and any resemblance to actual persons, living or dead, or to actual events or locales is entirely coincidental.

A copy of the British Library Cataloguing in Publication Data is available from the British Library

ISBN: 978-1-47210-195-2 (ebook)

I
’d like to thank John Lambert, David Cross, Frank Simorjay, and Scott Field—colleagues of mine at Microsoft—for reviewing drafts of
Trojan Horse
and providing valuable input based on their real-world experiences with cyber espionage. Ron Watkins provided me great input on the plot and character development and made helpful reviews of numerous drafts.

I’m grateful to Kevin Mitnick for endorsing the book with his foreword and to Mikko Hypponen for his blurb. I’ve learned a lot from both of them and am honored to have their names associated with
Trojan Horse.

My thanks also go to my agent, Ann Collette, from the Helen Rees Literary Agency, who helped usher the book through the publication process. I owe thanks to Peter Joseph, my editor at Thomas Dunne Books, for believing in a sequel, for the insightful feedback he gave in his reviews, and making sure everything was covered for the successful publication and launch for
Trojan Horse.

Finally, I want to again thank my wife, the real-life Daryl, for her continued support of my indulgence as a fiction author.

I
t is Mark Russinovich’s in-depth knowledge of Windows and how data traverses over the digital landscape that creates the chilling realism in the backdrop of
Trojan Horse,
the highly anticipated follow-up to his first novel,
Zero Day.
I’ve long said that people are the weakest link in the security chain (and, in the past, frequently taken advantage of this myself). In his thrilling tale, Mark shows us that malware remains a significant threat as the sophistication of malicious programs continues to grow. The bad actors still use the age-old technique of social engineering—the method of manipulating people into performing an action in order to leverage the help of the victim to exploit a security flaw in the application software that resides on their computer. When used together, these two attack methods can lead to devastating outcomes as they leapfrog over even the most resilient network defenses. No one is immune to social engineering, and even the most technically competent can easily fall victim to this method.

In today’s world, it is rare that such an attack will merely affect one network. Once again, Mark makes us aware of how interconnected our systems are, and how their dependencies can be used to create havoc in our world. Geographic boundaries are no longer an obstacle for those wishing to cause harm. Our future wars may employ people on the battlefield as a last resort. The initial efforts will likely be fought digitally over the vast technology infrastructure that the Internet has created. It is now possible to have a virus weaponized in China, employed in Berlin on behalf of Afghanistan, and have the payload delivered in Sydney or the United States—masking origination, and making detection and accountability almost impossible.

Mark has created well-defined characters in Jeff Aiken and Daryl Haugen, whose challenges will absorb the reader. His attention to detail in both the technical and backdrop settings are realistic because they are closely related to real events exposed by the media. Even the nontechie will have no trouble understanding the well-explained technical details. The story line keeps the reader immersed, anticipating what will happen next, and the only difficulty comes in trying to put the book down.

Trojan Horse
is a work of fiction, but it makes you think about the possibilities in the future as the sophistication of our adversaries continues to grow in response to narrowing gaps in security posture. I am both honored and privileged to have the opportunity of an advance read of Mark’s latest work, and look forward to sequels in the future. However, after reading his book, even I am left wondering how prudent the decision was to open an e-mailed copy of the manuscript called “Trojan Horse.doc.”

—K
EVIN
M
ITNICK
,
SPEAKER, CONSULTANT, AND AUTHOR OF
THE
N
EW
Y
ORK
T
IMES
BESTSELLER
G
HOST IN THE
W
IRES

INTERNAL DISTRIBUTION ONLY
SECRET

This is a follow-up to our conversation earlier today in which I confirmed the discovery of extraneous software embedded within the U.S. Pacific Fleet Command computer structure. This malware has access to the database that manages fleet deployments. It is highly sophisticated, unlike any we have previously encountered. At this time we do not know how it penetrated COMPACFLT computer defenses, how long it has been embedded, or the extent of the infection. It constitutes the most serious penetration to date by malignant software embedded from an unknown source within a highly classified U.S. military command computer system.

We share your suspicions that this malware was responsible for the ten-hour blackout experienced by COMPACFLT during fleet maneuvers off Taiwan nineteen days ago. Be assured that we are working with your staff and will do all within our ability to locate and remove every vestige of this Trojan from your system and that we will learn how it managed to insinuate itself into such critical software.

I wish to repeat that we do not yet know the scope of the penetration or the capacity of the malware to disrupt, or direct, fleet operations. We urge great caution in the interim. Though we cannot know its origin with certainty, the level of sophistication and the nature of its disruption indicates a nation-state with national security interests toward the United States.

INTERNAL DISTRIBUTION ONLY
SECRET

By Arnie Willoughby

April 9

Sophisticated computer penetration is at record levels according to Cyril Lester, executive director of the Internet Security Alliance. In a speech delivered at the association’s annual meeting in Las Vegas, Nevada, Lester said, “Despite an increase in awareness by individuals and companies, malware, particularly in the form of Trojans, continues to find its way into computers at an alarming rate.”

Though hackers still release what Lester described as “junk malware,” advanced and highly sophisticated viruses are an ever-greater cause for concern. Most target financial records and a number have been highly successful in looting personal and bank accounts.

A new version of the Zeus Trojan, for one, recently penetrated bank security then silently stole more than one million dollars from an estimated three thousand accounts, according to Lester. “Authorities have been unable to trace the ultimate destination of the funds,” he said.

The Zeus Trojan infected Windows machines through various exploits in Internet Explorer and Adobe Reader. It then lay dormant until the user entered his bank account. Through a technique known as keystroke logging it captured log-on information later used to access the account. If it was determined to hold at least $1,250 dollars the money was stolen.

Though not proven, the cyber operation is believed to have been orchestrated by an East European cyber gang.

Until recently, the Zeus Trojan was considered the most sophisticated and dangerous virus of all time, Lester said. That dubious distinction has been supplanted by Stuxnet, the mysterious virus which has targeted Iran’s nuclear development program. Lester emphasized that even more dangerous malware is likely already implanted in computers worldwide. “We’ve scarcely viewed the scope of the risk we face,” Lester said.

The Internet Security Association is funded by the major computer and software manufacturers in the U.S. Lester has requested a four-fold increase in funding.

US Computer News, Inc.
All rights reserved.