Zero day attacks

A couple of years ago, I, along with the team I worked with, assessed zero-day malware as potentially the biggest risk faced by our business. In fact I wrote a white paper based on research I performed at the time in which I stated that “there is a serious danger to the organisation from blended-threats and zero-day exploits” and went on to say that the impact of such could be “catastrophic.”

The time frame over which my paper predicted catastrophe has passed and we are yet to see the type of attack we imagined at that time. We are, however, seeing zero-day vulnerabilities being exploited, such as the latest Word vulnerability as reported here on the Computer Security News Portal, and the PowerPoint one discussed by Bruce Schneier here, and we also often hear stories like the one I mentioned on my blog a few days ago when I reported that “you can already purchase Vista zero day exploits on the web” (see my Feb 5 entry). This blog article is also typical of the kind of report we are getting used to seeing. Such news is no longer a surprise and it no longer causes panic beyond the usual warnings and guidance.

The truth is that zero-day attacks have so far not had dire consequences for our ability to go about our business. We have yet to see the devastating malicious payload, and at the same time our defences have strengthened and our networks have become more resilient to attack. Should we still be so worried? This article on the Internet News site makes this point about the motives behind malware: “Hacking is not about getting your 15 minutes of fame anymore. Cybercrime is a multi-million dollar global business.” It’s a good point, because we’re led to believe that many of the individuals writing malware are increasingly motivated by financial gain and the “return on attack” as opposed to simply causing damage for damage’s sake. It therefore follows that where some zero-days are being exploited, there’s a likelihood that it’s happening in a relatively stealthy fashion.

However, some people are still worried. In a recent article published in Network Security Journal, Georgios Portokalidis and Herbert Bos state that “new breeds of worms are expected to spread to millions of hosts in minutes, if not seconds” and that our existing systems of detection and prevention are too prone to false positives, unable to check for variance in worm signatures, and only effective against known malware as opposed to zero-day attacks. They go on to discuss a system called SweetBait, which addresses “the problem of fast worms by means of honeypots.” The paper makes for interesting reading and the full citation is as follows:

Georgios Portokalidis and Herbert Bos, “SweetBait: Zero-hour worm detection and containment using low- and high-interaction honeypots”, Computer Networks, Volume 51, Issue 5, 11 April 2007, Pages 1256-1274.