Herlicher's new message. His telephone had rung three times since he'd replied to the report and he'd not picked up, letting it roll over to voice mail. The German had nothing to say he wanted to hear.
Walthrop sighed. It wasn't the end of the world—at least, not yet.
5
WASHINGTON, D.C.
GEORGETOWN
K STREET NW
3:21 P.M. EST
Jeff Aiken stared at the computer screen as he eased back in his chair. Outside, a gray rain fell as it had all day, the streets dark and slick. He'd returned from Atlanta the night before, preferring the comfort of his home to another night in a sterile hotel, and had worked remotely, running the final tests of his fix.
His financial sector client was a household name in the southern states. Malware had been detected by its in-house IT staff during a routine scan of the outbound network traffic from the servers. It had identified bursts of data directed at IP addresses somewhere in Russia. They had been unable to determine the origin of the traffic so Jeff had been summoned.
He'd spent three days in Atlanta. There he'd made a virtual copy of the server using a tool that took a "live" system and produced an image of it. With his forensic tools he located a rootkit-based virus. Rootkit was an increasingly common and very troublesome technique for cloaking viruses from standard detection. They were increasingly popular with malware writers. It had been their prevalence in the attack code two years before that had made the Al-Qaeda viruses so difficult to identify.
During his forensic investigation Jeff determined that the virus propagated from system to system employing a vulnerability, ironically in one of the major security suites, another household name, this one worldwide. He established that it was installed in all his client's systems. The IT department had discovered the hole and patched it pretty quickly but, as was the case for most corporate IT staffs, they'd held off installing the patch to make certain it wouldn't cause problems on their servers. The uninterrupted performance of the Web site and database was nearly always considered to be most critical. It was during that delay they'd been infected.
The good news was that the virus was a generic botnet host, not one of the newer far more sophisticated versions designed to target the company specifically. It was the kind of broad digital aggressor every company encountered from time to time. They'd dodged a bullet because if a virus specifically targeted at them had penetrated their system, it would have caused financial havoc on the company's customer accounts.
Once he grasped the nature and extent of the infection Jeff had recommended that they utilize the best-case solution, which was to "repave" their system. This meant reinstalling the operating system and server applications, then restoring all the data from the uninfected backups. The CEO had balked at the downtime this would entail, calculating it would be both disruptive and expensive. Instead, Jeff had been told to cleanse the system.
Though faster and cheaper, this was the least certain approach. The enormous size and complexity of the system meant there were countless digital holes in which malware might lurk. Jeff could never be certain he'd cleaned everything. But he understood the practicalities of a functioning business; this was not a laboratory situation. And he understood that taking the system down to rebuild it would have created significant issues of trust and reliability with the company's clients.
No antivirus signatures had been established for the virus as yet. This was how the usual antivirus programs uncovered malware. As a consequence, Jeff had to do it for himself by defining a series of steps to purge the virus from the system. This malware-cleaning solution then became a script that the company could run on their live server. It would seek out the