Zero Days: A Free Pass

Friday, October 19, 2012 @ 12:10 PM gHale

Zero Day attacks last anywhere between 19 days and 30 months, with an average of 312 days, or roughly 10 months, which means targeted organizations end up severely compromised by malware exploiting undisclosed vulnerabilities long before anyone can patch, a new study said.

“For cyber criminals, unpatched vulnerabilities in popular software such as Microsoft Office or Adobe Flash represent a free pass to any target they might wish to attack, from Fortune 500 companies to millions of consumer PCs around the world,” said Leyla Bilge and Tudor Dumitras, researchers at Symantec Research Labs. The pair studied malware activity recorded by a host of Symantec detection platforms from 2008 to 2011 and quantified the window of exposure organizations face from attacks before the underlying vulnerabilities end up publicly disclosed.


Once Zero Day vulnerabilities become public, attacks spike, most of them within 30 days of disclosure, the researchers said.

“Cyber criminals watch closely the disclosure of new vulnerabilities in order to start exploiting them, which causes a significant risk for end users,” the paper said.

The researchers found 18 Zero Day vulnerabilities between February 2008 and the end of last year: three in 2008; seven in 2009; six in 2010; and two in 2011. Fifteen of the Zero Days targeted fewer than 1,000 hosts, while the other three (Stuxnet and its variants; Conficker and its variants; and a Bloodhound Exploit) infected hundreds of thousands of machines before detection. They also found that patching processes are still lacking in organizations: more than 58 percent of antivirus signatures for these Zero Days still fire today, in some cases years after disclosure.

“When disclosed vulnerabilities are left unpatched, this creates an opportunity for cyber criminals to create additional exploits and to conduct attacks on a larger scale; however these attacks can usually be detected by an antivirus program with up-to-date definitions,” the paper said.

The researchers based their study on data gathered by Symantec’s proprietary Worldwide Intelligence Network Environment (WINE), fed by hosts running Symantec security products whose owners opted in to share data with the network. From this they extracted two data sets: antivirus telemetry, that is, detections of known threats for which Symantec has a signature available and deployed; and binary reputation data, reports of benign and malicious binaries downloaded onto hosts. Together these covered 32 billion reports and 300 million distinct files on 11 million hosts, the paper said.

They correlated these data sets with information from the Open Source Vulnerability Database (OSVDB), with Symantec’s Threat Explorer (a representative list of malware observed by Symantec), and with a Symantec data set of dynamic analysis results for malware samples, the paper said.
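The correlation the study describes can be sketched in a few lines: take the first date each exploit binary was downloaded (binary reputation), tie the binary to a vulnerability through the antivirus signature that later flagged it, and compare with the public disclosure date. The Python below is an added illustration, not code from the paper; every hash, host, signature, vulnerability id and date in it is constructed, and the signature-to-vulnerability mapping stands in for the OSVDB lookup.

```python
from datetime import date

# All data below is constructed for illustration; it is not WINE telemetry.
# Binary-reputation reports: (file hash placeholder, host id, first download date).
BINARY_REPORTS = [
    ("hash_A", "host1", date(2009, 3, 2)),
    ("hash_A", "host2", date(2009, 4, 10)),
    ("hash_B", "host3", date(2009, 10, 1)),
    ("hash_C", "host4", date(2010, 6, 20)),
    ("hash_C", "host5", date(2010, 7, 20)),
    ("hash_D", "host6", date(2011, 1, 20)),
]
# Antivirus telemetry: signature name -> hashes that signature later flagged.
AV_DETECTIONS = {
    "Sig.Exploit.X": {"hash_A", "hash_B"},
    "Sig.Exploit.Y": {"hash_C"},
    "Sig.Exploit.Z": {"hash_D"},
}
# Hypothetical mapping of signatures to vulnerability ids, plus each
# vulnerability's public disclosure date (the OSVDB step in the study).
SIGNATURE_TO_VULN = {"Sig.Exploit.X": "VULN-A", "Sig.Exploit.Y": "VULN-B", "Sig.Exploit.Z": "VULN-C"}
DISCLOSURE = {"VULN-A": date(2009, 9, 15), "VULN-B": date(2010, 7, 1), "VULN-C": date(2011, 1, 1)}


def exposure_windows(reports, detections, sig_to_vuln, disclosure, spike_days=30):
    """For each vulnerability, measure how long exploit binaries circulated before
    public disclosure, and how many hosts were hit before and shortly after it.
    A vulnerability whose binaries only appear after disclosure is not a zero day."""
    hash_to_vuln = {h: sig_to_vuln[sig] for sig, hashes in detections.items() for h in hashes}
    result = {}
    for vuln, disclosed in disclosure.items():
        hits = [(host, seen) for h, host, seen in reports if hash_to_vuln.get(h) == vuln]
        pre = {host for host, seen in hits if seen < disclosed}
        spike = {host for host, seen in hits if 0 <= (seen - disclosed).days <= spike_days}
        earliest = min((seen for _, seen in hits), default=None)
        is_zero_day = earliest is not None and earliest < disclosed
        result[vuln] = {
            "zero_day": is_zero_day,
            "window_days": (disclosed - earliest).days if is_zero_day else 0,
            "hosts_before_disclosure": len(pre),
            "hosts_in_spike_window": len(spike),
        }
    return result


if __name__ == "__main__":
    for vuln, stats in exposure_windows(BINARY_REPORTS, AV_DETECTIONS, SIGNATURE_TO_VULN, DISCLOSURE).items():
        print(vuln, stats)
```

On the constructed data VULN-A shows a 197-day window before disclosure and VULN-B an 11-day one, while VULN-C is first seen only after disclosure and so counts toward the post-disclosure spike rather than as a zero day.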

“It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to Zero Day attacks,” the paper said. “In fact, 60 percent of the Zero Day vulnerabilities we identify in our study were not known before, which suggests that there are many more Zero Day attacks than previously thought, perhaps more than twice as many.”
