Zero-Day Malware Attacks You Can't Block

Malware for Money

The malware could be a "bot," for example, capable of forcing your PC to relay spam or participate in denial-of-service attacks that push Web sites offline. "It's a lot easier than knocking some old lady over the head and stealing her pocketbook," Marcus says. "It's very anonymous, and [a criminal could] do it from the safety and comfort of Starbucks."

Thanks to features such as improved scanning that doesn't rely on signatures, McAfee's antivirus and other security programs are becoming more nimble at protecting against unknown threats. And a wide array of new free and commercial programs supply proactive protection against zero-day assaults by limiting a successful attack's destructive power.

The right security setup can protect you 99 percent of the time, says Jeff Moss, who founded the annual BlackHat security conference. But targeted attacks can sometimes sneak through anyway. "You can go and buy a lot of firewalls and software and equipment," he says, "but if the right zero-day exists in the right component, it's almost like all that extra fanciness doesn't make a difference."

The most dangerous varieties of prepatch attackware permit drive-by downloads, where simply browsing a poisoned page or reading an infected HTML e-mail can trigger an invasion capable of stuffing your PC full of spyware, Trojan horses, or other malware. Between the end of 2005 and the end of 2006, online thugs used at least two such zero-day assaults to attack millions of people by exploiting holes in a rarely used Microsoft image format.

In the case of the HostGator debacle involving the Windows image flaw, the exploit took advantage of a long-unnoticed vulnerability in Internet Explorer's handling of the Vector Markup Language (VML), an infrequently used standard for creating 3D graphics.

The threat was first reported in September by security company Sunbelt Software, which found it on a pornographic Russian Web site. By itself, the hole was bad enough: If you browsed a site containing a booby-trapped image, you could be hit by a drive-by download. But opportunistic attackers recognized how to magnify the damage.

By targeting a second unknown hole in cPanel, a Web site management interface, crooks hijacked thousands of sites maintained by HostGator. Visitors to these legitimate but compromised Web sites were redirected to malicious sites that contained the VML exploit.

Microsoft products such as Internet Explorer, Office, and the Windows operating system itself are common targets of zero-day (and other) attacks, in part because they dominate the software landscape. But Microsoft's failure in the past to adequately integrate security into its product development has contributed to its products' status as popular (and easy) targets. Vista, on the other hand, is getting high marks for security, at least early on; see "Zero-Day Defense in Microsoft's New Operating System."

In 2006 alone, four different zero-day exploits attacked Internet Explorer 6, directly or indirectly. The year began with continuing attacks that capitalized on a flaw discovered in December 2005, in the Windows Metafile image format; the hole was in an underlying part of Windows that IE used to render a WMF image.

Once the attacks became publicly known, Microsoft first said that it would include a patch to fix the hole weeks later, as part of its normal patch cycle--but as exploits and the public outcry against them escalated, the company released an out-of-cycle fix in early January.

The patch didn't end the attacks, however, demonstrating that zero-day exploits can have long-term effects. Like the VML flaw, the Metafile exploit opened the door to drive-by-downloads, which criminals love because victims don't have to click an infected image to be hit. If you installed Microsoft's patch via Automatic Updates, you were fine. But clearly, many Windows users didn't.

In July a malicious banner ad for Deckoutyourdeck.com made its way onto sites like MySpace and Webshots via an ad distribution network serving thousands of sites. The malware hidden in the banner downloaded a Trojan horse onto victims' PCs, and it in turn installed adware and spyware. Informed observers put the number of victims--seven months after a patch was available--in the millions.