Zero Day Attacks

What you need to know to protect your computer

In 2010, a sophisticated virus was discovered on computers that were part of the network controlling uranium enrichment plants in Iran. The virus, eventually named Stuxnet, had been designed to destroy physical assets. This was the first time that a malicious virus had been created, not to steal data, but to physically damage equipment that was controlled by a computer network.

[Image: Regin Malware]

What is not well known about Stuxnet is that it used a total of five zero day exploits to replicate and spread itself through the computer network. An exploit is simply code designed to attack computer software through a previously unknown vulnerability.

Because zero day attacks are aimed at unknown vulnerabilities, there is no way to protect a computer or network from them in advance. Hackers and cyber-criminals discover these vulnerabilities and develop zero day exploits to attack a computer system. Once they have gained access, they can insert a virus or Trojan horse into the now compromised system.

In addition to the criminal uses, governments and militaries use zero day exploits to sabotage or perform surveillance on an enemy. The use of Stuxnet against the Iranian nuclear program was one such operation, carried out by the government of the United States.

With the success of Stuxnet, zero day exploits have become big business. Governments, underground hackers and even talented amateurs are searching out and cataloging zero day exploits and selling them to the highest bidder. Whether that buyer is a government or a criminal organization, it gains access to an undetected and undetectable way to compromise a computer system’s security.

That is what makes the zero day attacks so terrifying to large corporations, banks and government agencies. Stuxnet showed what could happen by using a zero day exploit to cause physical damage. If zero day attacks are unleashed against large commercial targets, the damage could easily run into the billions of dollars and there is no way to stop it.

On the other end of the spectrum, exploited webpages that download malware to your system, or infected Word or Adobe documents, also rely on zero day vulnerabilities until those vulnerabilities are discovered and fixed. These sites or documents exploit a vulnerability on your system and are fairly common, but tend to have random results. Targeting companies or organizations with these types of attacks is inefficient and easily stopped.

In 2010, Symantec documented a total of fourteen zero day vulnerabilities worldwide. The period between 2006 and 2011 saw a total of 71 incidents that met Symantec’s criteria. Although this may seem like a small number of exploits, each of them leads to an attack on a computer system or network.

Zero day exploits that target major organizations are thankfully rare, but can cause considerable damage when they get through. A year ago a zero day vulnerability was discovered on a politically important website. Although Microsoft had identified the exploit before it was embedded, the patch had not yet been issued. The malware was linked to Chinese cyber-espionage agents and was targeted at visitors who were interested in national and international security policy. Microsoft quickly updated its malware protection.

Renewed calls for protection of our country’s power grid and critical industries demonstrate that the government is taking the possibility of new zero day attacks seriously. The Department of Homeland Security (DHS), tasked with defending the nation’s infrastructure, has struggled to keep up with technical advances and has not proven effective in this role.

The commercial sector, unfortunately, has not fared much better. The threat landscape for large enterprises includes well-funded cyber-crime efforts, including the attack on JPMorgan by Russian hackers earlier this year. Criminal or state-backed efforts aimed at stealing intellectual or physical property are challenges that will only increase in the coming years as more of these zero day vulnerabilities are discovered and exploited.

Commercially, this makes a CIO’s job a living nightmare. Until now, ensuring availability and controlling costs have been the largest challenges facing technical departments. Equal attention now needs to be paid to securing the network against an unknown enemy who will be using an undetectable tool that exploits an unstoppable vulnerability. The only good thing about zero day vulnerabilities is the short window in which they are usually active. Once discovered, the lifespan of a zero day vulnerability is measured by the time until your next security update.

Ali Bitazar is a well-known network security expert.