TBT: HP Image goes dead. Long live IMAGE
HP-UX marks time after five years

Zero day attacks: reports are dangerous, too

Malware bugNews has started to roil through the Android community about a fresh MMS attack vector for those devices, and last month reports rolled out about a similarly dangerous zero-day malware attack for Apple iOS. But what is zero day, and how can the news of these exploits be as damaging as the malware itself? Our security expert Steve Hardwick explains in this edition of Essential Skills, covering the non-3000 skillset for multi-talented MPE pros.

By Steve Hardwick, CISSP

Many computer users do not understand the term Zero Day and why it is so serious. To understand the term, it is first necessary to understand how an exploit works. In general, there are different types of exploits used on computers

1. Social attacks, phishing for example, which cause a user to unintentionally disclose information to a hacker.

2. Trojan horses, viruses that hide in otherwise legitimate applications. Once the legitimate application is launched, the Trojan horse releases the virus it contains.

3. Web attacks that trick users into divulging personal information using weaknesses in browsers and web server software

4. Application and OS attacks that use errors in the code to exploit the computer's programming

With the exception of the first category, these attacks rely on exploiting weaknesses in the underlying operating system and application code that runs on the computer. To be able to prevent this type of illicit access, the mechanism by which the malware is operating must first be understood. Therefore many researchers will examine operating code and look for these types of flaws. So will thousands of hackers. The challenge becomes how to mitigate such a vulnerability before it becomes a virus in the wild. That's where the Zero Day marker comes into play.

The first, obvious response would be to fix the broken code. Although it sounds simple enough, it is not as straightforward as it seems. In order to prevent this type of condition occurring in the first place, software vendors will have development and test cycles that may take days or even weeks to complete. After all, it would not be good to develop a patch for one hole in the code only to create more. So it takes a finite period of time to detect the exploitation method the malware is using and then produce a patch that will fix the hole.

In many cases the research is done behind the scenes, and the security hole is fixed before it ever is exploited by hackers. In other cases a virus is spotted and the failure mechanism is already understood and a patch is in the works. For example, an application is compromised and the developer notices similar conditions can occur in other programs the software vendor produces. 

Another response is to use anti-malware to protect against the threat. One of the main ways that anti-malware works is to look for signature patterns in downloaded or executing code. These patters are stored in a virus definition database. The supplier of the anti-malware solution will develop a profile of the malware and then supply a new definition to the database. As in the distribution of software patches, it takes time to define the profile, produce the signature definition, then test and distribute it. Only when the signature profile has been distributed is the computer system protected again

The time at which the malware is detected is called the zero day — as this starts the clock on the time between the detection and the distribution of the remedy. In the case of the software vendor, this would mean a patch for the broken code. In the case of the anti-malware vendor it is the time to provide the signature and deploy it.

The anti-malware vendor has the advantage that they are not supplying software to the machine. In many respects it is quicker to generate the signature and distribute it. For the software vendor there is the task of verifying that any new code does not affect the operation of the product, nor create any new vulnerabilities.

In either case, it is a race against time between the hackers on one side and the anti-malware or software vendor on the other. Furthermore, the end user is also in the fray. Whether it is a signature definition or a patch, the end user must download and install it. In many cases this can be automated, however, end users must have selected this option in the first place.

So when a zero day virus is announced, it means that the vulnerability has been made public and the software community needs to start to respond. There is a lot of debate as to the merits of announcing zero day exploits. There is concern that lower-skilled hackers will take advantage of the free research, and start to deploy viruses that exploit the disclosed vulnerability. The counter concern, as portrayed in the article about iOS cited at the beginning, is that the software vendor will not act on the research. No matter which side your opinion falls, it does not change the fact that a virus without a known cure is a very dangerous beast.

Comments