Zero Day Exploit Malware, Real or Hype?
What is a Zero-Day Exploit?
A zero-day exploit is an exploit for a vulnerability (a flaw or hole) in a product that is created before, or on the same day as, the vendor learns of the vulnerability. The term is also often used for a situation where a vulnerability is exploited before the vendor has a patch available for its customers.
So far this year we’ve seen at least one so-called ‘Zero-Day’ worm…
What Applications Have Been Targeted?
Black Ice Defender (Witty.worm), almost a Zero-Day worm (+2 Days).
According to Joe Stewart of LURHQ “A vulnerability alert for the ISS products was released on March 18, and the worm [Witty] began spreading March 20. The writer of the worm either knew of the vulnerability before the announcement or wrote and tested the worm in less than two days.”
It is estimated that around 12,000 unpatched systems were infected. What is more worrying is that Witty was intentionally destructive - the worm slowly corrupts the file system of the infected host while it continues to find new hosts for it to spread to.
http://www.f-secure.com/v-descs/witty.shtml
Internet Explorer (MyDoom.AG/Bofra.A/C), a real honest to [insert deity of choice here] Zero-Day worm.
This was discovered on the 9th of November 2004, and there is still no patch from Microsoft (as of the 17th of November 2004) for the vulnerability it uses. So if you are not running Windows XP with Service Pack 2 (SP2) [or another non-vulnerable OS, such as Linux, Mac OS, etc.] then you may be exposed.
http://www.f-secure.com/v-descs/bofra_c.shtml
Windows NT,2K,XP and Server 2003 (Golten/Alor), +30 Days.
This worm uses the vulnerability described in the Microsoft Security Bulletin known as MS04-032.
http://www.f-secure.com/v-descs/aler.shtml
Worst ever?
Back in 2001 we saw a ‘real’ Zero-Day worm (well, a Minus Twenty-Two-Day worm to be exact)…
W32.Fever@mm was launched on the 7th of March, but no patch was made available to plug the vulnerability until the 29th of the same month; that’s a whopping 22 days later!
http://www.f-secure.com/v-descs/fever.shtml
The Shrinking Window…
The window between a new vulnerability being found and a piece of malware being created and released to exploit it is getting smaller. Whether a patch is available matters little, as most end-users never, or only rarely, patch their systems.
In the ‘old days’ it could [and did] take years for such malware to be written and released; the threat landscape has changed beyond recognition in the last 3 years.
Now, we have new malware using vulnerabilities that are barely out of nappies, a few months old at most, others are new-borns and not even back at home yet, and [thankfully] even fewer that are still in the process of birth [vendor not yet informed].
What can we expect for the future?
The general trend is towards a very small [or non-existent] time-frame between a new vulnerability being announced/found, exploit code being written, and finally malware using it as a method of entry into vulnerable systems being released. So, to answer the question I posed in the title of this blog entry: the threat is real [and becoming more real all the time], however there is still a lot of hype out there…
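To put numbers on the “window” discussed above, here is a small, added Python example (not part of the original post) that takes the dates the post gives for each worm, computes how long after the vendor advisory the malware appeared and how long it circulated before a patch existed, and labels the case. Dates are only those stated above; where the post gives none, the field is left as None and the assumption is noted in a comment.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class WormTimeline:
    name: str
    seen_in_wild: date                      # first day the malware spread
    vendor_advisory: Optional[date] = None  # public vulnerability advisory, None if not given
    patch_released: Optional[date] = None   # None if no patch yet, or date not given

    def days_after_advisory(self) -> Optional[int]:
        """Days between the vendor advisory and the malware appearing (+2 for Witty)."""
        if self.vendor_advisory is None:
            return None
        return (self.seen_in_wild - self.vendor_advisory).days

    def days_before_patch(self) -> Optional[int]:
        """Days the malware circulated before a patch existed (22 for Fever)."""
        if self.patch_released is None:
            return None
        return (self.patch_released - self.seen_in_wild).days

    def classify(self) -> str:
        # zero-day: malware appeared on or before the day the vendor went public
        if self.vendor_advisory is not None and self.seen_in_wild <= self.vendor_advisory:
            return "zero-day"
        if self.patch_released is None:
            return "no patch known"        # cannot say more without a patch date
        if self.patch_released > self.seen_in_wild:
            return "pre-patch"             # advisory out, fix not yet available
        return "post-patch"                # fix existed; exposure came from not patching


# Data points taken from the post; the Bofra advisory date is assumed to equal the
# day the worm was discovered, since that is when the flaw became public.
TIMELINES = {
    "Witty": WormTimeline("Witty", date(2004, 3, 20), vendor_advisory=date(2004, 3, 18)),
    "Bofra.C": WormTimeline("Bofra.C", date(2004, 11, 9), vendor_advisory=date(2004, 11, 9)),
    "W32.Fever@mm": WormTimeline("W32.Fever@mm", date(2001, 3, 7), patch_released=date(2001, 3, 29)),
}


def report() -> list[str]:
    """One summary line per worm, e.g. 'Witty: +2 days after advisory, no patch known'."""
    lines = []
    for t in TIMELINES.values():
        after = t.days_after_advisory()
        before = t.days_before_patch()
        parts = [f"+{after} days after advisory" if after is not None else "advisory date n/a",
                 f"{before} days before patch" if before is not None else "patch date n/a"]
        lines.append(f"{t.name}: {', '.join(parts)}, {t.classify()}")
    return lines
```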
Links:
http://www.computerworld.com/securitytopics/security/virus/story/0,10801,91528,00.html
http://www.microsoft.com/technet/security/bulletin/MS04-032.mspx
Postscript:
Just remember that only a small percentage of malware relies on vulnerabilities to get into and onto systems, so being fully patched does not make you immune to malware… but that’s another posting.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.