Julie Lerman's DevLife

DevLife Part I [May 2005 - March 2007]

A blog for DevSource.com.

This blog was originally part of the blogs.ziffdavis.com site from May 2005 through June 2007 when the blog was moved to the Movable Type blog engine and hosted at blog.devsource.com/devlife.
The original blog was eventually shut down and I was given the posts so that I could host them on my own site.



SysInternal's Sherlock Holmes

(Update: the mouse that roared? SONY responds to Mark's findings with a fix, but is it good enough? See the comments on the linked article for end-user responses...)

Mark Russinovich is one of those truly scary genius guys in our industry. He is the man behind Sysinternals, and he understands all of those bits and bytes that make computers work. Imagine how many levels above that we are working with our nice little drag-and-drop IDEs to write software.

Yesterday Mark wrote a post that was appropriate for Halloween in that it has scared the pants off of many people who legally purchase music CDs and play them on their PCs. It is also getting a lot of airplay on the blogosphere. Mark was testing one of their new tools, RootkitRevealer, which exposes malware that is designed to mask its presence (something I had never even heard of) by comparing what the Windows API reports about the file system and registry against what it reads from them directly; anything that shows up in one view but not the other is a discrepancy worth investigating. In doing so, he discovered that there was actually a rootkit on his own computer.

Though the outcome of his investigation into the source of this rootkit unearthed the fact that the purchased CD did things to his operating system that it should not be allowed to do, what was more fascinating to me was watching this forensic process. One of the big clues for Mark was that a kernel dump contained a few instances of “f9d676de”. Truly. In all of the gobbledygook that is binary data, this stood out like a red flag to him. (As Bill Cosby would say, “Riiiiiiiight”) Then, using a disassembler, he “studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory”. And it just goes on and on like this until he ends up with a realization of who is holding the smoking gun. (No spoilers here, go read the blog post...)

Considering the source -- the brains behind all of Sysinternals' investigative tools -- I'm not shocked that Mark was able to do this. But it is so [thankfully] beyond my scope of knowledge of the tools that I use every day that it does truly amaze me. It is a bit like stopping to think about how exactly evolution came up with the eyeball, and about the people who actually understand how it works!

posted on Tuesday, November 01, 2005 8:34 AM