Zero-days: Exploits that Take Advantage of the Unknown

In some ways, keeping your computer safe can be thought of in the same way as protecting your home.

In both cases, you have to be concerned about people breaking in, and in both your computer and your home, you need to be sure to lock the doors and turn on the alarm. But what happens if there are doors or windows at your house that you did not realize were open? Suddenly, fortifying your home just became more complicated.

It is this reality that computer users face every day in cyberspace as attackers seek out new ways to compromise computers. In this digital warzone, the battle is not always fought using well-known vulnerabilities in code. Sometimes, the most sophisticated attackers use unknown, unpatched security vulnerabilities, known as zero-days, to take control of targeted machines and get their hands on sensitive information – everything from your online banking credentials to your email passwords and other data.

Changing Attack Scenarios
So far, 2013 has seen a number of these types of vulnerabilities affecting applications as popular as Adobe Flash Player and Internet Explorer. Often, these attacks reach users via “watering hole attacks”. In that scenario, an attacker compromises a legitimate website and waits for its regular visitors to arrive, so that a victim's browser is exposed to the exploit simply by loading the page. These campaigns are sometimes supplemented by spam designed to entice additional victims into visiting the sites the attackers have compromised.

Adding to the problem is the proliferation of exploit kits. Exploit kits are crimeware packages that automate attacks on vulnerabilities, typically by probing a visitor's browser and plugins and serving whichever exploit matches. They can be sold for thousands of dollars or rented for as little as $40 a day. While they often take advantage of older software or operating system vulnerabilities that users have failed to patch, it is not uncommon for criminals to add zero-days because of the likelihood that they can slip under the radar for long periods. Take for example the security patch Microsoft pushed out in October to address the zero-day vulnerabilities discovered in Internet Explorer. Though the patch shipped in October, the vulnerability had actually been exploited in the wild as far back as August.

The Evolution of Antivirus Products
At one time, antivirus products relied solely on signatures to detect individual types of malware and attacks. As time marched on, however, attackers grew sneakier: they started using what is known as polymorphic code, which changes its form each time it runs or propagates while keeping the same behavior. This innovation made relying only on signature-based detection obsolete for catching newer attacks and strains of computer viruses.

In response to this challenge, several years ago antivirus vendors turned to heuristic analysis as a means of detecting zero-day exploits and preventing them from wreaking havoc on infected machines. Heuristics put the focus on finding bad behavior: specifically, they allow antivirus software to analyze the actions a program performs on the computer and flag suspicious ones, such as overwriting files, marking files hidden, or installing itself to run at start-up. Focusing on what a file does, as opposed to just the code itself, gives security products a leg up in defending against zero-day attacks and brand-new malware. The trade-off is false positives: legitimate installers and updaters perform many of the same actions, so heuristic engines weigh and combine behaviors rather than alerting on any single one.
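A minimal version of the behavioral scoring described above, as an added example and not any vendor's detection engine: the event format, the rules and their weights, the threshold, and the sample telemetry are all constructed for illustration. Each process accumulates points for actions such as writing into the system directory, marking an executable hidden, adding a Run-key entry, or overwriting a burst of user files, and is flagged when its total crosses the threshold, with no reference to what its code looks like.

```python
"""Toy behavioral (heuristic) scoring of process activity.

Each process accumulates a score from the actions it performs; a process whose
score crosses a threshold is flagged regardless of whether its code matches any
known signature. Added example, not an antivirus vendor's engine.
"""
from collections import defaultdict

# Constructed sample telemetry (pid, process name, action, target); not real data.
SAMPLE_EVENTS = [
    ("1001", "winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("1001", "winword.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"),
    ("1002", "notepad.exe", "file_overwrite", r"C:\Users\alice\Documents\notes.txt"),
    ("2002", "update.exe", "file_write", r"C:\Windows\System32\drivers\etc\hosts"),
    ("2002", "update.exe", "set_attr", r"C:\Users\alice\AppData\Roaming\svc.exe:hidden"),
    ("2002", "update.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"),
    ("2002", "update.exe", "file_overwrite", r"C:\Users\alice\Documents\photo1.jpg"),
    ("2002", "update.exe", "file_overwrite", r"C:\Users\alice\Documents\photo2.jpg"),
    ("2002", "update.exe", "file_overwrite", r"C:\Users\alice\Documents\thesis.docx"),
]

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def writes_system_dir(action, target):
    return action in ("file_write", "file_overwrite") and target.lower().startswith(SYSTEM_DIRS)


def hides_executable(action, target):
    return action == "set_attr" and target.lower().endswith(".exe:hidden")


def run_key_persistence(action, target):
    return action == "reg_write" and "\\currentversion\\run\\" in target.lower()


# Per-event rules: (name, weight, predicate). Weights are illustrative assumptions.
PER_EVENT_RULES = [
    ("write_to_system_dir", 3, writes_system_dir),
    ("hide_executable", 4, hides_executable),
    ("run_key_persistence", 3, run_key_persistence),
]

OVERWRITE_BURST = 3   # overwrites of user files by one process before it counts
OVERWRITE_WEIGHT = 4


def score_processes(events, threshold=6):
    """Return {pid: {process, score, reasons, flagged}} for the given events."""
    names = {}
    scores = defaultdict(int)
    reasons = defaultdict(list)
    overwrites = defaultdict(int)

    for pid, proc, action, target in events:
        names[pid] = proc
        for name, weight, pred in PER_EVENT_RULES:
            if pred(action, target):
                scores[pid] += weight
                reasons[pid].append(name)
        # Aggregate rule: one overwrite is normal editing; a burst looks like wiping or encrypting.
        if action == "file_overwrite" and "\\users\\" in target.lower():
            overwrites[pid] += 1

    for pid, count in overwrites.items():
        if count >= OVERWRITE_BURST:
            scores[pid] += OVERWRITE_WEIGHT
            reasons[pid].append(f"user_file_overwrite_burst({count})")

    return {
        pid: {
            "process": names[pid],
            "score": scores[pid],
            "reasons": reasons[pid],
            "flagged": scores[pid] >= threshold,
        }
        for pid in names
    }


if __name__ == "__main__":
    for pid, verdict in score_processes(SAMPLE_EVENTS).items():
        print(pid, verdict)
```

On the constructed telemetry, winword.exe and notepad.exe score zero (ordinary document writes and a single overwrite), while update.exe trips all four rules and is flagged even though nothing about its name or bytes was known in advance. A real engine adds many more rules and tunes weights against large benign corpora; the structure, per-event rules plus aggregate rules over a process's history, is what the paragraph describes.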

A similar concept underlies an approach called virtual patching, which is used by web application firewalls and intrusion prevention systems. A virtual patch blocks traffic that would trigger a vulnerability before it reaches the targeted application, without modifying the application's source code. This lets organizations mitigate the risk of an attack in the short term while waiting on the vendor to provide a permanent fix. Virtual patching does not single-handedly solve the problem of zero-days, however: a rule written against the exploit that was observed may not block every way the underlying vulnerability can be triggered, for example the same payload in a different encoding.
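The following is an added example of a virtual patch and of the caveat just stated; it is not any WAF product's rule language. The back-end (a hypothetical download handler with a path-traversal bug), its `file` parameter, `BASE_DIR`, and the request lines are all assumptions constructed for illustration. The first rule matches the literal `../` seen in the reported exploit and is bypassed by URL-encoding; the second decodes each parameter the way the application will before inspecting path segments.

```python
"""A virtual patch for a hypothetical path-traversal bug, in two versions.

Added example, not a WAF vendor's rule set. The back-end, its parameter name
('file') and BASE_DIR are assumptions for illustration.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

BASE_DIR = "/var/www/files"

# Constructed request lines for illustration, not captured traffic.
REQUESTS = [
    "GET /download?file=report.pdf",
    "GET /download?file=../../../etc/passwd",                        # plain
    "GET /download?file=..%2f..%2f..%2fetc%2fpasswd",                 # URL-encoded slashes
    "GET /download?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd",  # double-encoded
]


def vulnerable_app(raw_request):
    """Hypothetical back-end that resolves ?file= under BASE_DIR with no traversal check.

    It URL-decodes the parameter a second time after the framework (parse_qs) has
    already decoded it once, so double-encoded input reaches the filesystem layer.
    """
    query = urlsplit(raw_request.split(" ", 1)[1]).query
    name = parse_qs(query).get("file", [""])[0]
    name = unquote(name)  # the second decode
    return posixpath.normpath(posixpath.join(BASE_DIR, name))


def naive_virtual_patch(raw_request):
    """Rule written against the observed exploit: block if the literal '../' is present."""
    return "../" in raw_request


def decode_until_stable(value, max_rounds=4):
    """Decode repeatedly (bounded) so the rule sees what the application will see."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_virtual_patch(raw_request):
    """Normalize every query value, then block if any path segment is '..'."""
    query = urlsplit(raw_request.split(" ", 1)[1]).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            segments = decode_until_stable(value).replace("\\", "/").split("/")
            if ".." in segments:
                return True
    return False


def serve(raw_request, patch):
    """Apply the virtual patch in front of the app; return 'BLOCKED' or the path the app would read."""
    if patch(raw_request):
        return "BLOCKED"
    return vulnerable_app(raw_request)


if __name__ == "__main__":
    for req in REQUESTS:
        print(req)
        print("  naive:   ", serve(req, naive_virtual_patch))
        print("  hardened:", serve(req, hardened_virtual_patch))
```

With the naive rule, the two encoded requests pass and the application resolves `/etc/passwd`; the hardened rule blocks all three traversal attempts and still lets `report.pdf` through. Even the hardened rule only covers this one parameter on this one route, and it had to be told how many times the application decodes its input; a virtual patch is a mirror of the application's parsing, and every place the mirror is wrong is a bypass. That is why the text treats it as a stop-gap until the real fix ships.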

Protection Means Being Constantly Vigilant
For home users, counting on companies to have virtual patches at the ready to protect their own systems and applications – and by extension yours, if you are visiting their website – is wishful thinking. As contradictory as it may sound, one of the first ways users should defend against unknown threats is to ensure they are protected against the ones that are known. Users should make sure their computers are fully up to date, from the operating system to the applications. By doing this, users may be able to limit the damage to their machine in the event a zero-day attack slips under the radar, because attackers frequently chain multiple vulnerabilities when they attempt to compromise a system: a zero-day used to gain initial code execution is often paired with an older, already-patched bug to escalate privileges or escape a sandbox.

To that point, one of the most effective – and least often used – mitigations against attacks is to run the system with the least privileges necessary. Most users run their computers as administrators. However, several studies have shown that running as a standard user limits the spread of infections, erecting one more hurdle between an attacker and the ability to install malicious programs or perform other actions that require administrative rights.

Defending against the unknown is difficult. But it is not impossible. Just like the responsible homeowner, you lock down the threats you know about – and keep your eyes peeled for the ones you don’t.

5 thoughts on “Zero-days: Exploits that Take Advantage of the Unknown”

  1. Hmmm – never thought of not logging on as an ‘administrator’ but of course you’re right – most of the time we don’t need to but do anyway without thinking. Good tip. I’ll have to set up a less-entitled user on my machine.
    Thanks, Carol.

  2. Application control within Zonealarm is a great way to stop unknown malware from accessing the net to download trojans and more malware. But what happens if the malware makes a new executable with a different name and runs that and then those two executables make two more with different names and then those four….8, 16, 32, 64…… etc?

    How long before Zone Alarm’s application control becomes overwhelmed and gives up? What happens when it gives up? Does it reset and delete all the programs with everything set to Auto and the default being allow? Wouldn’t that allow malware to download from the internet…….?
