Zero Day Exploits

Abstract

For several years, most news articles about a computer, network, or Internet-based compromise have mentioned the phrase "zero day exploit" or "zero day attack," but rarely do these articles define what this is. A zero day exploit is any attack that was previously unknown to the target or security experts in general. Many believe that the term refers to attacks that were just released into the wild or developed by hackers in the current calendar day. This is generally not the case. The "zero day" component of the term refers to the lack of prior knowledge about the attack, highlighting the idea that the victim has zero day's notice of an attack. The main feature of a zero day attack is that since it is an unknown attack, there are no specific defenses or filters for it. Thus, a wide number of targets are vulnerable to the exploit.

Sample

Zero day attacks have been discovered recently that are potentially at least seven years old. I'm specifically referencing the Flame or Skywiper discovered in early 2012. However, it is much more common for zero day exploits to have existed for months before discovery. Again, whenever you see the phrase zero-day exploits, keep in mind it just means a newly discovered, previously unknown attack, for which there is no defense at the time of discovery.

Once security researchers become aware of a new zero day exploit, they quickly develop detection and prevention measures in the process of their forensic analysis. These new detection and defense options are distributed and shared with the security community. Once organizations and individuals install updates or make configuration changes, they can be assured that their risk of compromise from that specific attack as been significantly reduced or eliminated. Once detection and defense is possible, then an exploit is not longer considered a zero day as there is now notification of its existence.

A search using the term "zero day" reveals numerous recent compromises and exploitations. In fact, this should be obvious as new attacks are by nature zero day. But since we often label the attack as a zero day exploit at the time of discovery and for a moderate period of time afterwards, that label is a useful term for tracking down the appearance of historical attacks.

In 2012, there have been several fairly significant discoveries of exploits and attacks that were labeled as zero day. These include:

 Flame/Skywiper is used for targeted cyber espionage against Middle Eastern countries
 An IE exploit that allows hackers to remotely install malware onto Windows systems running IE 7, 8, or 9
 A Java exploit that allows hackers to remotely install malware onto system running Java 5, 6, or 7

Exploit and Vulnerability Awareness Sites

To learn of more examples of zero day exploit discoveries, I recommend visiting a few sites on a regular basis.

 exploit-db.com
 cve.mitre.org
 us-cert.gov

Exploit Database (exploit-db.com) is a community driven notification site about newly discovered zero day attacks. What I like about this site, and which is unique to this site, is that in addition to disclosing the attack, it also provides access to the exploit itself. Most other vulnerability and exploit research sites do not provide you the actual attack code. I think this is an overlooked opportunity. When you have access to the exploit code, you can develop your own filter for the attack. You don't need to wait for a vendor to release a patch or a security vendor to update their tool's database; instead, you can add in your own detection filter and stop the attack.

The MITRE organization's Common Vulnerability and Exploit database (cve.mitre.org) is one of the better known collections of attack and compromise information and research. Perusing their collection will help you stay aware of recently discovered exploits and steps you can take to avoid compromise and reduce your vulnerability.

The US Cert site (us-cert.gov) is a US government-managed site with emphasis on providing security and exploit information to protect the nation's IT. Their mission is to provide information, promote awareness, and assist in protection preparations against all forms of compromise and abuse of computers and networking. I recommend signing up for their weekly bulletin which summaries the previous week's newly discovered exploits and vulnerabilities, but also provides references back to their main site as well as the CVE from MITRE.

If you visit these exploit and vulnerability awareness sites, you will notice that new zero day exploits are uncovered on a fairly consistent basis - daily. Malicious hackers across the globe (as well as security experts we perceive as being good guys) are writing new attack code with new exploits in an attempt to develop the next best computer weapon. They seek to compromise the most systems in the shortest amount of time, while gaining the most control, learning the most information, all while going without detection for as long as possible. It is a race and a battle of intelligence and creativity.

How Do Hackers Uncover New Vulnerabilities and Weaknesses?

A common question I hear from students is, "How does a hacking programmer learn about a flaw or vulnerability in the first place?" There are many ways by which new weaknesses or vulnerabilities are uncovered, but three are the most common: source code review, patch dissection, and fuzzy testing.