What's a "zero-day" attack?

Home » Viruses and Malware

Summary: A zero day attack is very simple: it's exploitation of a vulnerability before there's a fix for that vulnerability. We'll look at what that means.

The very nature of "zero day" exploits is that your virus scanner would show that you were clean both before and after being infected. It's not until your anti-virus software provider updates their virus databases and you then take that update that your scanner would know what to look for.

Yes, that means you may still be infected.

Let's go through the timeline that got you here.

•

There are security vulnerabilities in Windows (and most all operating systems to varying degrees) that have not yet been discovered. If no one knows they're there then it's not an immediate threat, because hackers can't exploit things they don't know exist.

Not infrequently one of "the good guys" will discover a vulnerability but keep it a secret so that malware authors don't find out about it and start to exploit it. Instead, the "good guy" contacts Microsoft and tells them about the issue so that a patch to Windows can be made available before the vulnerability becomes general knowledge. Quite often as a not-so-subtle form of encouragement to fix the problem the reporter will also indicate that he or she will make the vulnerability public within a certain amount of time. For example, Microsoft might be given 60 days to release a patch to remove the vulnerability.

That's if one of the good guys finds it first.

If a malware author discovers the problem and releases malware that exploits it then it's too late; systems can already start becoming infected.

If it's discovered "in the wild" before a fix is available, then Microsoft has zero days to fix the problem. Hence, a "zero day" exploit, vulnerability, or attack.

Let's look at that timeline a little more closely:

Zero Day Exploit Timeline

Step by step:

• Vulnerability Introduced: 99 times out of 100 this is a simple programming error or oversight that could quite literally have happened years ago. The problem could have existed for that entire time, but again, if no one knows about it then there's no one to exploit it, so it remains benign.

• Vulnerability Discovered by Hackers: once a new vulnerability is discovered the race is on. Hackers will try to keep the nature of the problem to themselves for as long as possible so as to delay as long as possible any patch that might remove it.

  This begins what I'm calling the Window of Complete Vulnerability: there's a bug in the operating system, there is malware that exploits it, anti-malware software does not yet detect the new malware, and there is no fix for the problem in Windows. In essence, there's little you can do at this point.†

• Malware Exploiting the Vulnerability Discovered by Anti-Malware Vendors: at some point the existence of the problem becomes public knowledge, usually in the form of finding and then reverse engineering malware that somehow exploits it.

• Exploiting Malware detection added to Anti-Malware Databases: as new viruses and spyware are detected, the anti-malware vendors keep adding information to detect those to their databases. This is why it's so critical that you keep your anti-virus and anti-spyware databases as up to date as possible. Without the latest updates your scanners will not know how to detect the latest threats.

  This is also the beginning of what I loosely call the period of Partial Vulnerability. Some, though of course not all, of the malware that makes use of the recently discovered exploit can now be detected and blocked by anti-malware tools. This is only partial safety: the operating system vulnerability still exists and there is no fix for it yet, and new viruses and spyware will be written making use of the same vulnerability and staying one step ahead of the anti-malware vendors database updates.

• Vulnerability Fixed by System Patch or Update: at some point Microsoft will release a patch that fixes the underlying problem. Systems that have been updated to include the patch are now safe from this vulnerability and malware that attempts to exploit the problem on those systems will now fail to do so. That's why it's so important to make sure your system is updated regularly in addition to just keeping your anti-malware databases up to date.

Like I said, it's a race. In the best of cases Microsoft has some time to release a patch to prevent a vulnerability from being exploited.

Unfortunately it's all too common that they have zero days to do so.

If you find yourself in the situation that you describe, here's a couple of suggestions:

• Try a system restore to a point prior to your infection. This isn't guaranteed to undo all infections, but depending on the specific malware involved it might.

• Check with your anti-virus or anti-spyware vendor immediately, or at least force an update of those respective databases and re-scan. And keep updating that database regularly - I recommend daily.

• If you can figure out what it was that caused the infection ... well, don't do that again.

† Naturally there are other things you can do to stay safe, just not related to this specific vulnerability or any malware that exploits it. Those things include the standard recommendations of not opening attachments from untrusted sources, being behind a firewall, not visiting untrustworthy web sites, and so on.

Related:

• Ask Leo! - Internet Safety: How do I keep my computer safe on the internet?

Article 11945 | Posted October 27, 2007