
How 0-Day Threats Work, and How They Are Stopped

written by: M.S. Smith • edited by: J. F. Amprimoz • updated: 11/11/2011

You've probably heard the term "0-day" before in discussions on PC security, but it's not always apparent what the term means. Here, we're going to take a look at what these threats are, how they're different from other malware, and how they're stopped.


    Welcome to the 0-Day

    If you want to send shivers up the spine of any IT security employee, just utter the words “0-day threat.” This type of attack is one of the most feared, and when one appears, it causes an uproar among security experts and researchers.

    Why?

    Modern computer security is based on the elimination of known threats. When a security flaw is found, it is patched. When a virus appears, it is cataloged by security companies so that it can be detected and removed. When a Trojan rears its head, it is promptly dissected. Researchers at companies and governments across the globe work hard to uncover flaws and discover viruses, and once something is uncovered, a solution is found and distributed.

    But with a 0-day threat, that’s not possible, because the malware uses a security flaw that was previously unknown. As such, the malware is able to run about undiscovered until it draws the attention of security researchers. This usually isn't a long time, but even once the alarm is raised, that is only the first step: because the flaw being exploited was unknown, there's no patch in the works for it.

    That, obviously, is a bit disconcerting. A fix can be developed, but depending on the malware and the flaw it uses, developing it and distributing it could take days, even weeks. In the meantime, the threat can more or less run wild, uninhibited by security software.


    What Do They Do?

    Any malware that infects a PC can then attempt to carry out one or more tasks on that computer, commonly called its payload. The payload might be creating a backdoor that can later be used to take over the PC, attacking certain files, or installing a keylogger. All sorts of malware use these payloads, including 0-day threats.

    Normal malware threats and 0-day threats are different only because the latter uses a previously unknown flaw to spread. This means the 0-day threat can spread uninhibited, but it doesn't necessarily mean the impact of the threat is more severe than known malware. The Duqu virus, for example, received a lot of media attention because of its sophisticated use of an unknown loophole in embedded font technology, reaching right into the Windows OS kernel, but it has yet to inflict serious damage on the computing public. Some theorize that Duqu is using all of that sophistication to go after a very specific target or targets of the kind important to a nation state's intelligence or covert activity.

    While the ramifications of that could be quite far reaching in geo-political terms, it's highly unlikely that this kind of refinement would go into delivering traditional payloads meant to steal your credit card numbers or make your computer send spam on a hacker's behalf. Unfortunately, less sophisticated hackers will eventually work 0-day exploits into their efforts and include payloads more suited to their needs, but by that time patches to prevent infection should be available.


    Protecting Against the Unknown

    Obviously, protection against a threat that is entirely unknown can be difficult. Often, the security flaw exploited has something to do with an operating system’s networking capabilities, thus letting the malware spread as a worm, self-replicating as it goes along. But that’s not always the case. The recent Duqu virus, for example, spreads via Word document attachments.

    You can provide some protection for yourself, however, by exercising best security practices. Anything that would protect you against known threats can also help with the unknown. This includes:

    Anti-virus software – An unknown threat won’t be caught during normal scans because it is not in the software’s virus definitions, but many anti-virus suites can detect potential viruses based on their behavior and make an attempt to shut down or quarantine the virus.

    Firewalls – Always a good idea, a firewall will protect your computer from unauthorized network access, which dramatically increases your protection against any threat, 0-day or not, that spreads itself automatically using network security flaws.

    OS Patches – Unknown threats don’t always attack computers that have the latest software; they may instead use a previously unknown flaw in an older operating system or an older version of an operating system. Also, patches that address a 0-day threat only work if you install them. Otherwise you are as vulnerable as you were when the threat first came out, and more and more unsophisticated hackers may be copying the exploit first revealed in the 0-day threat, increasing the number of attacks on that vulnerability. By keeping your OS and AV patched, you avoid threats that target older versions, as well as recently unknown threats for which patches have been developed since day 0.

    Permission Restrictions – Both Windows 7 and Mac OS X have built-in permission restrictions that will prompt you for authorization when software that requires admin privileges is trying to run. DO NOT TURN THIS FEATURE OFF. Yes, it can be annoying, but it’s also an effective line of defense.


    It's a Crazy Internet

    As is always the case with security solutions, nothing is "bullet-proof," so to speak. You may be able to limit your exposure by not opening unknown files sent via email, but that won't help you if a 0-day threat (like Duqu) is lurking unknown on a friend or co-worker's computer. Hackers across the globe are, for various reasons, creating clever new threats that surprise even veteran security experts.

    However, by taking the common steps above, you give yourself a much better chance of warding off any malware. Even if an infection occurs, you or your security software may be able to slow and/or stop it before it fully installs or delivers its entire payload on your system. Quarantining with a security suite will usually render it ineffective, even if a removal tool is not yet available.

    It's a crazy Internet out there, but don't worry. With proper preparation, even 0-day threats are unlikely to harm your PC.
