Ask Leo! by Leo A. Notenboom

What's a "zero-day" attack?



Summary: A zero day attack is very simple: it's exploitation of a vulnerability before there's a fix for that vulnerability. We'll look at what that means.

Can you tell me more about zero-day drive-by attacks? I experienced one on my fully updated and patched Vista Home Premium Computer (Automatic Windows Update ON) which has Norton Internet Security 2007 and latest AdAware 2007. I saw the hacked behavior and immediately turned off my computer. Scanning both before and after this attack showed no prior or present malware infection. Is this the best response for such attacks as it appears to have successfully prevented malware infection by this drive-by attack that I experienced?

The very nature of a "zero day" exploit is that your virus scanner reports you clean both before and after you've been infected. Until your anti-virus vendor adds detection for the new malware to its database, and you take that update, the scanner has nothing to look for.

Yes, that means you may still be infected.

Let's go through the timeline that got you here.

There are security vulnerabilities in Windows (and, to varying degrees, in nearly every operating system) that have not yet been discovered. If no one knows they're there, they're not an immediate threat: attackers can't exploit what they don't know exists.

Not infrequently one of "the good guys" will discover a vulnerability but keep it secret so that malware authors don't learn of it and start exploiting it. Instead, the "good guy" reports the issue to Microsoft so that a patch can be made available before the vulnerability becomes general knowledge. Quite often, as a not-so-subtle form of encouragement to fix the problem, the reporter will also state that he or she will make the vulnerability public after a certain amount of time. For example, Microsoft might be given 60 days to release a patch that removes the vulnerability.

That's if one of the good guys finds it first.

If a malware author discovers the problem and releases malware that exploits it then it's too late; systems can already start becoming infected.

If it's discovered "in the wild" before a fix is available, then Microsoft has had zero days to fix the problem before it is being exploited. Hence, a "zero day" exploit, vulnerability, or attack.

Let's look at that timeline a little more closely:

[Figure: Zero Day Exploit Timeline]

Step by step:

  • Vulnerability Introduced: 99 times out of 100 this is a simple programming error or oversight that could quite literally have happened years ago. The problem could have existed for that entire time, but again, if no one knows about it then there's no one to exploit it, so it remains benign.

  • Vulnerability Discovered by Hackers: once a new vulnerability is discovered the race is on. Hackers will try to keep the nature of the problem to themselves for as long as they can, because any patch that removes it also ends their ability to exploit it.

    This begins what I'm calling the Window of Complete Vulnerability: there's a bug in the operating system, there is malware that exploits it, anti-malware software does not yet detect the new malware, and there is no fix for the problem in Windows. In essence, there's little you can do at this point.†

  • Malware Exploiting the Vulnerability Discovered by Anti-Malware Vendors: at some point the existence of the problem becomes public knowledge, usually when malware that exploits it is found and reverse engineered.

  • Exploiting Malware detection added to Anti-Malware Databases: as new viruses and spyware are detected, the anti-malware vendors keep adding information to detect those to their databases. This is why it's so critical that you keep your anti-virus and anti-spyware databases as up to date as possible. Without the latest updates your scanners will not know how to detect the latest threats.

    This is also the beginning of what I loosely call the period of Partial Vulnerability. Some, though of course not all, of the malware that makes use of the recently discovered exploit can now be detected and blocked by anti-malware tools. This is only partial safety: the operating system vulnerability still exists and there is no fix for it yet, and new viruses and spyware will be written that use the same vulnerability while staying one step ahead of the anti-malware vendors' database updates.

  • Vulnerability Fixed by System Patch or Update: at some point Microsoft will release a patch that fixes the underlying problem. Systems that have been updated to include the patch are now safe from this vulnerability and malware that attempts to exploit the problem on those systems will now fail to do so. That's why it's so important to make sure your system is updated regularly in addition to just keeping your anti-malware databases up to date.

Like I said, it's a race. In the best of cases Microsoft has some time to release a patch to prevent a vulnerability from being exploited.

Unfortunately it's all too common that they have zero days to do so.
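The three phases above, as an added worked example that is not part of the original article: a constructed Python model with a pretend document handler that has a latent bounds bug, a crafted document that triggers it, a scanner that detects only samples whose hash it has already been given, and the vendor patch that adds the missing check. The handler, the document format, the buffer size and the "exploit" are all assumptions of this example, not any real Windows component or real malware.

```python
"""Toy model of the zero-day timeline: complete vulnerability, partial
vulnerability, then patched.

Constructed example, not code from the article.  The document format,
the handler, BUFFER_SIZE and the crafted sample are all assumptions;
nothing here is a real Windows bug or real malware.
"""
import hashlib

BUFFER_SIZE = 64  # assumed size of the handler's fixed buffer


def make_document(title: bytes) -> bytes:
    """Assumed format: 4-byte big-endian title length, then the title."""
    return len(title).to_bytes(4, "big") + title


def handle_document(doc: bytes, patched: bool) -> str:
    """Pretend OS component that parses a document.

    The latent bug: the title is copied into a fixed buffer without a
    bounds check.  An overflow is *simulated* by returning "exploited",
    standing in for attacker code running.  patched=True adds the check
    the vendor's fix would add.
    """
    if len(doc) < 4:
        return "rejected"
    declared = int.from_bytes(doc[:4], "big")
    title = doc[4:4 + declared]
    if patched and len(title) > BUFFER_SIZE:
        return "rejected"          # the fix: refuse oversized input
    buf = bytearray(BUFFER_SIZE)
    if len(title) > BUFFER_SIZE:
        return "exploited"         # unpatched: simulated overflow
    buf[:len(title)] = title
    return "ok"


def make_exploit(padding: bytes = b"A") -> bytes:
    """Crafted document whose title overruns the buffer.  Changing the
    padding byte gives a functionally identical variant with a different
    hash, which is how malware stays ahead of signature updates."""
    return make_document(padding * (BUFFER_SIZE + 16))


class SignatureScanner:
    """Stand-in for anti-malware: flags only samples whose SHA-256 is in
    its database, i.e. only what the vendor has already seen."""

    def __init__(self) -> None:
        self.db: set[str] = set()

    def add_signature(self, sample: bytes) -> None:
        self.db.add(hashlib.sha256(sample).hexdigest())

    def is_malicious(self, sample: bytes) -> bool:
        return hashlib.sha256(sample).hexdigest() in self.db


def run_timeline() -> dict[str, dict[str, str]]:
    """Walk the article's phases with the original exploit and a
    trivially re-padded variant of it."""
    original = make_exploit(b"A")
    variant = make_exploit(b"B")
    scanner = SignatureScanner()
    results: dict[str, dict[str, str]] = {}

    def outcome(sample: bytes, patched: bool) -> str:
        if scanner.is_malicious(sample):
            return "blocked by scanner"
        return handle_document(sample, patched)

    # Phase 1: window of complete vulnerability - no signature, no patch.
    results["complete"] = {"original": outcome(original, False),
                           "variant": outcome(variant, False)}
    # Phase 2: partial vulnerability - the vendor has a signature for the
    # one sample it has seen; the OS bug is still unpatched.
    scanner.add_signature(original)
    results["partial"] = {"original": outcome(original, False),
                          "variant": outcome(variant, False)}
    # Phase 3: patch applied - the root cause is gone, variants included.
    results["patched"] = {"original": outcome(original, True),
                          "variant": outcome(variant, True)}
    return results


if __name__ == "__main__":
    for phase, r in run_timeline().items():
        print(f"{phase:9s} original={r['original']:20s} variant={r['variant']}")
```

Running it shows the scanner silent in the first phase, catching only the exact sample it was given in the second (the re-padded variant passes and still works), and the patch rejecting every variant in the third. That is the reason system updates, not only signature updates, are what close the window.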

If you find yourself in the situation that you describe, here are a couple of suggestions:

  • Try a system restore to a point prior to your infection. This isn't guaranteed to undo all infections, but depending on the specific malware involved it might.

  • Check with your anti-virus or anti-spyware vendor immediately, or at least force an update of those respective databases and re-scan. And keep updating that database regularly - I recommend daily.

  • If you can figure out what it was that caused the infection ... well, don't do that again.

† Naturally there are other things you can do to stay safe, just not related to this specific vulnerability or any malware that exploits it. Those things include the standard recommendations of not opening attachments from untrusted sources, being behind a firewall, not visiting untrustworthy web sites, and so on.



Article C3195 - October 27, 2007

4 Comments

One thing to consider - in Norton Internet Security 2008, Symantec introduced an improvement to its Intrusion Prevention technology that protects against even obfuscated exploits targeted at IE and ActiveX components in IE. If you've got a current copy of NIS 07, then you can update to NIS 08 for free, FYI. The link is
http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/migration_start.jsp?site=nuc

- I don't know why it says Vista in the link.

Posted by: EJPJ at October 29, 2007 10:02 AM

You must have NIS 2008 installed already for the above link to work.

Posted by: SWB at November 2, 2007 7:18 PM

The Drive-by Attack, probably a Zero-Day one (as my computer was fully updated and patched) that I experienced, attempted a download of malware which I successfully aborted before its completion by switching my computer off manually. In such a case would there be a possibility of malware infection?

Posted by: Frank Braganza at November 3, 2007 8:38 AM

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It seems unlikely that you'd be infected, but there's really no way to know
*for certain* that you're not. Did you turn it off in time? How would you know?

Leo


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)

iD8DBQFHL8YOCMEe9B/8oqERAtI6AJ9+bx1aqZ+9ndWyBC2S/2CjLMOlhwCeJv/K
U9wiJESKNrv8cq3WGDtzEXQ=
=2Req
-----END PGP SIGNATURE-----

Posted by: Leo A. Notenboom at November 5, 2007 5:40 PM
