Mark Russinovich

Russinovich at PDC 2010, October 2010
Born: December 22, 1966 (age 57), Salamanca, Spain
Occupation: CTO of Microsoft Azure
Employer: Microsoft
Known for: Co-founder of Winternals Software and Sysinternals.com; LiveKd [1]
Website: markrussinovich.com

Mark Eugene Russinovich (born December 22, 1966) is a Spanish-born American software engineer and author who serves as CTO of Microsoft Azure. He was a co-founder of the software company Winternals before Microsoft acquired it in 2006.

Early life and education

Russinovich was born in Salamanca, Spain and was raised in Birmingham, Alabama, United States, until he was 15, when he moved with his family to Pittsburgh, Pennsylvania. His father was a radiologist and his mother was a business administrator of his father's radiology practice in Pittsburgh. Russinovich is of Croatian descent. [2]

He was introduced to computers when his friend's father got an Apple II in the 1970s. He reverse-engineered its ROM program and wrote programs for it. At age 15, he bought himself his first computer, a TI-99/4A. About six months later, his parents bought him an Apple II+ from his local high school when it upgraded its computer labs to Apple IIes. He also wrote magazine articles about the Apple II. [3]

In 1989, Russinovich earned his Bachelor of Science degree in computer engineering from Carnegie Mellon University, where he was a member of the Pi Kappa Alpha Beta Sigma chapter. The following year he received a Master of Science degree in computer engineering from Rensselaer Polytechnic Institute. He later returned to Carnegie Mellon, where he received a Ph.D. in computer engineering in 1994 [4] with the thesis Application-Transparent Fault Management [5] under the supervision of Zary Segall.

Career

From September 1994 through February 1996, Russinovich was a research associate with the University of Oregon's computer science department. From February through September 1996 he was a developer with NuMega Technologies, where he worked on performance-monitoring software for Windows NT. [6]

In 1996, he and Bryce Cogswell cofounded Winternals Software, where Russinovich served as Chief Software Architect, and the web site sysinternals.com, where Russinovich wrote and published dozens of popular Windows administration and diagnostic utilities including Autoruns, Filemon, Regmon, Process Explorer, TCPView, and RootkitRevealer.

From September 1996 through September 1997, he was a consulting associate at OSR Open Systems Resources, Inc., based in Amherst, New Hampshire. From September 1997 through March 2000, he was a research staff member at IBM's Thomas J. Watson Research Center, researching operating system support for Web server acceleration and serving as an operating systems expert. [6]

Russinovich joined Microsoft in 2006 when it acquired Winternals.

As an author, Russinovich is a regular contributor to TechNet Magazine and Windows IT Pro magazine (previously Windows NT Magazine) on the architecture of Windows 2000, and was co-author of Inside Windows 2000 (Third Edition). He wrote many tools used by Windows NT and Windows 2000 kernel-mode programmers, as well as an NTFS file system driver for DOS.

Works

In 1996, Russinovich discovered that altering two values in the Windows Registry of the Workstation edition of Windows NT 4.0 changed the installation so that it was recognized as a Windows NT Server, allowing the installation of Microsoft BackOffice products that were licensed only for the Server edition. [7] The registry values were guarded by a worker thread that detected tampering; a program called NT Tune was later released that killed the monitor thread and changed the values.

Russinovich wrote LiveKD, a utility included with the book Inside Windows 2000. As of 2022, the utility is readily available to download. [1]

In 2005, Russinovich discovered the Sony rootkit in Sony DRM products, whose function was to prevent users from copying their media. [6]

In January 2006, Russinovich discovered a rootkit in Norton SystemWorks by Symantec. Symantec immediately removed the rootkit. [8] [9] [10] He also analyzed the Windows Metafile vulnerability and concluded that it was not a deliberate backdoor. [11] This possibility had been raised—although tentatively—by Steve Gibson after a cursory investigation of the nature of the exploit and its mechanism. [12]

Russinovich's novels Zero Day (foreword by Howard Schmidt) [13] and Trojan Horse (foreword by Kevin Mitnick) were published by Thomas Dunne Books on March 15, 2011 and September 4, 2012 respectively, as parts of a series of popular techno-thrillers that have attracted praise from industry insiders such as Mikko Hyppönen and Daniel Suarez. [13] [14] A short story, "Operation Desolation", [15] was published just before Trojan Horse and takes place one year after the events of Zero Day. Book 3, Rogue Code: A Novel (Jeff Aiken Series, May 2014), deals with vulnerabilities of the NYSE. It has a foreword by Haim Bodek, author of The Problem of HFT: Collected Writings on High Frequency Trading & Stock Market Structure Reform. [13] [16]

References

  1. "LiveKd - Windows Sysinternals". March 23, 2021.
  2. Martinović, Ratko (October 28, 2012). "Loš PR u dijaspori – Koje su svjetski poznate osobe podrijetlom Hrvati, a da to niste ni znali" [Bad PR in the Diaspora – Which world-famous people are of Croatian descent, without you even knowing it]. Dnevno.hr (in Croatian). Archived from the original on October 30, 2012. Retrieved November 27, 2012.
  3. "Interview with Mark Russinovich by Microsoft Student Partners". YouTube. Archived from the original on December 21, 2021. Retrieved April 15, 2012.
  4. "Mark Russinovich". Making it Big in Software. Making it Big Careers Inc. Archived from the original on December 18, 2010. Retrieved February 13, 2011.
  5. Russinovich, Mark Eugene (1994). Application-transparent fault management (Thesis). ProQuest 304086659.
  6. "Affidavit of Mark Russinovich in Support of Plaintiffs' Motion for Final Approval of Class Action Settlement" (PDF). United States District Court, Southern District of New York. SonySuit.com. April 2, 2005.
  7. Andrew Schulman (September 16, 1996). "Differences Between NT Server and Workstation Are Minimal". O'Reilly and Associates. Archived from the original on April 11, 2018. Retrieved December 4, 2020.
  8. Turner, Suzi (January 11, 2006). "Symantec confesses to using rootkit technology". ZDNet. CBS Interactive. Retrieved November 6, 2012.
  9. "Symantec Norton Protected Recycle Bin Exposure". Security Response. Symantec. January 10, 2006. Archived from the original on October 26, 2012. Retrieved November 11, 2012.
  10. Russinovich, Mark (January 16, 2006). "Rootkits in Commercial Software". Mark Russinovich's Blog. Winternals. Archived from the original on May 13, 2013. Retrieved March 13, 2013.
  11. Russinovich, Mark (January 19, 2006). "Inside the WMF Backdoor". Mark Russinovich's Blog. Winternals. Retrieved March 13, 2013.
  12. Steve Gibson (January 12, 2006). "grc.news.feedback newsgroup". Gibson Research Corporation. Archived from the original on February 21, 2013. Retrieved November 6, 2007. "The only conclusion that can reasonably be drawn is that this was a deliberate backdoor put into all of Microsoft's recent editions of Windows."
  13. Russinovich, Mark (March 15, 2011). Zero Day: A Novel. St. Martin's Press. ISBN 978-0312612467.
  14. Trojan Horse: A Novel. Thomas Dunne Books. September 4, 2012. Retrieved November 11, 2012.
  15. Operation Desolation: A Short Story. Thomas Dunne Books. August 7, 2012. Retrieved June 1, 2014.
  16. Russinovich, Mark (2014). Rogue Code: A Novel. Jeff Aiken series. Foreword by Haim Bodek (son of American physicist Arie Bodek). Thomas Dunne Books. ISBN 978-1250035370. Archived from the original on November 24, 2017. Retrieved November 29, 2017.