Zero-day exploits used in attacks can be long-lived, sometimes remaining on infected systems for more than two years, but because they are typically used in highly targeted attacks, widespread impact is rare, according to a scientific study released this week.
The analysis, "Before we knew it: An empirical study of zero-day attacks in the real world" (.pdf), conducted by Symantec researchers Leyla Bilge and Tudor Dumitras, examined zero-day exploits over a four-year period from 2008 to 2011. It concluded that the security industry may have been underestimating the duration of zero-day attacks.
"To the best of our knowledge, this represents the first attempt to measure the prevalence and duration of zero-day attacks, as well as the impact of vulnerability disclosure on the volume of attacks observed," according to the study. "While the average duration is approximately 10 months, the fact that all but one of the vulnerabilities disclosed after 2010 remained unknown for more than 16 months suggests that we may be underestimating the duration of zero-day attacks, as the data we analyze goes back only to February 2008."
Once a zero-day flaw is publicly disclosed, the attack volume increases significantly, raising the likelihood of infection, the researchers found. The analysis identified 18 vulnerabilities exploited in the wild before their disclosure. The researchers drew on data collected from 11 million Windows systems.
"One reason for observing a large number of new different files that exploit the zero-day vulnerabilities might be that they are repacked versions of the same exploits. However, it is doubtful that repacking alone can account for an increase by up to 5 orders of magnitude," according to the paper. "More likely, this increase is the result of the extensive re-use of field-proven exploits in other malware."
The study suggests that there may be more zero-day exploits than previously thought: the researchers said 60% of the zero-day vulnerabilities identified in the study were not previously known. The good news, according to the study, is that "reputation-based technologies, which assign a score to each file based on its prevalence in the wild and on a number of other inputs, single out rare events such as zero-day attacks and can reduce the effectiveness of the exploits."
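To make the study's three measurements concrete (the zero-day window before disclosure, the change in attack volume after disclosure, and a prevalence-based screen for rare files), here is an added example that is not from the paper or from Symantec; the telemetry records, hashes, CVE identifiers, host names and dates are all constructed, and the functions are hypothetical.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (hypothetical hashes, CVE ids, hosts and dates):
# one record per (exploit file, CVE it targets, host, date first seen on that host).
SIGHTINGS = [
    ("hashA", "CVE-0000-0001", "host1", date(2009, 3, 2)),
    ("hashA", "CVE-0000-0001", "host2", date(2009, 5, 20)),
    ("hashB", "CVE-0000-0001", "host3", date(2009, 11, 8)),
    ("hashC", "CVE-0000-0001", "host4", date(2010, 2, 1)),
    ("hashD", "CVE-0000-0001", "host5", date(2010, 2, 3)),
    ("hashD", "CVE-0000-0001", "host6", date(2010, 2, 9)),
    ("hashD", "CVE-0000-0001", "host7", date(2010, 3, 1)),
    ("hashE", "CVE-0000-0001", "host8", date(2010, 3, 4)),
    ("hashF", "CVE-0000-0002", "host9", date(2009, 8, 1)),  # seen only after disclosure
]
# Public disclosure date of each vulnerability (hypothetical).
DISCLOSED = {"CVE-0000-0001": date(2010, 1, 12), "CVE-0000-0002": date(2009, 6, 1)}

def zero_day_windows(sightings, disclosed):
    """Days from the earliest exploit sighting on any host to public disclosure,
    per CVE. CVEs first seen only after disclosure were not zero-days and are omitted."""
    earliest = {}
    for _file, cve, _host, seen in sightings:
        earliest[cve] = min(seen, earliest.get(cve, seen))
    return {cve: (disclosed[cve] - seen).days
            for cve, seen in earliest.items() if seen < disclosed[cve]}

def volume_before_after(sightings, disclosed):
    """Per CVE: (distinct exploit files, distinct hosts) seen before disclosure
    and the same pair after it, i.e. the attack-volume change the study measures."""
    files = defaultdict(lambda: [set(), set()])
    hosts = defaultdict(lambda: [set(), set()])
    for file_hash, cve, host, seen in sightings:
        phase = 0 if seen < disclosed[cve] else 1   # 0 = before, 1 = after
        files[cve][phase].add(file_hash)
        hosts[cve][phase].add(host)
    return {cve: ((len(files[cve][0]), len(hosts[cve][0])),
                  (len(files[cve][1]), len(hosts[cve][1]))) for cve in files}

def rare_files(sightings, max_hosts=2):
    """Reputation-style screen: files whose prevalence (distinct hosts) is at
    most max_hosts. Targeted zero-day exploits are rare, so they surface here."""
    prevalence = defaultdict(set)
    for file_hash, _cve, host, _seen in sightings:
        prevalence[file_hash].add(host)
    return sorted(f for f, h in prevalence.items() if len(h) <= max_hosts)
```

On the constructed data, the first CVE shows a 316-day zero-day window and more distinct exploit files and hosts after disclosure than before, while the second CVE is correctly left out of the zero-day list.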
The researchers also acknowledged that some zero-day exploits are exceptions to the findings: Conficker infected millions of systems, and Stuxnet was detected on thousands of machines before the vulnerability disclosure.
Study fans flames of full disclosure debate
The study found that full public disclosure of vulnerabilities creates significant risk for end users, but it also pushes vendors to raise the priority of patching the vulnerability. The study found that 80% of the 2007 vulnerabilities were discovered more than 30 days before the disclosure date. Making matters worse, even after a patch is released, too many update mechanisms slow the deployment of patches to Windows users, according to the study.
Attackers are taking advantage of the patch deployment delay. The study cited the RSA SecurID breach in 2010, in which the exploit was detected being used "against 15 different organizations in the two weeks leading to the vulnerability's disclosure, in an attempt to exploit it as much as possible before it was discovered and patched."
"Additional research is needed for quantifying these aspects of the full disclosure trade-off, e.g., by measuring how quickly vulnerable hosts are patched in the field, following vulnerability disclosures," the researchers said.
Automated collection missed some zero-day exploits
The study uncovered inaccuracies in Symantec's annual Internet Threat Report, in which the antivirus vendor listed the known zero-day vulnerabilities it believed were in the wild. The firm's automated collection system missed up to 24 known zero-days over the four-year period, according to the study. The Symantec researchers said the automated detection method missed 3 known zero-day vulnerabilities each year because it was limited to recording host-based attacks. "To detect web-based attacks, e.g. cross-site scripting attacks, we would need to analyze network-based intrusion-detection data," the researchers said.
Polymorphic malware, which constantly changes to avoid detection, also evaded Symantec's collection process, as did zero-day exploits embedded in non-executable files. The researchers also said that some zero-day exploits are far too targeted to be detected by the automated collection system.