Zero-Day Malware Attacks You Can't Block

Browser Patch Delays

But in updating browsers--especially when a zero-day attack was in progress--Microsoft trailed Apple, Mozilla, and Opera in providing fixes. On average, IE patches appeared ten days after the flaw was reported, while Opera, Mozilla, and Safari browsers were patched, on average, in two, three, and five days, respectively. (For a timeline that tracks the zero-day VML attack and patch cycle, see "A Zero-Day Attack Marches On.")

Adam Shostack, a program manager for Microsoft's security development life-cycle team, says that sometimes a longer time frame is only to be expected, given the complexity of Microsoft's user base.

"We have to test security updates to make sure they will work with 28 different languages and every OS that supports the application," Shostack says. "We really work to balance quality with speed."

Security software helps protect against unknown threats during the dangerous interval that separates an initial attack from the release of an effective patch, but traditional antivirus programs rely on having an identified signature for an attack in order to guard against it. This pits malware writers against security companies in a constant cat-and-mouse game, with malicious hackers sending out a steady stream of designer Trojan horses and the like that they have tweaked just enough to defeat signature recognition.

Heuristics and behavior-based analysis can move beyond this evolutionary pattern to give security programs an edge. Such scans use algorithms, rather than signatures, to look for abnormal behavior or files. Heuristic analysis checks the contents of potential malware for things such as a suspect method of working with memory. Behavioral analysis, meanwhile, watches programs for conduct typical of malware (such as starting an e-mail relay server), trying to identify unwanted interlopers by what they do rather than by what they contain.

Today most major antivirus products incorporate one or both types of analysis. Last year, PC World tests that used one-month-old signatures yielded success rates of between 20 and 50 percent.

Heuristics and behavior analysis are susceptible to false positives, though. A security program may not be able to distinguish between a keylogger and a game that asks for direct access to the keyboard to shorten response time. As a result, the security software may needlessly bother a user with pop-up alerts and questions.
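To make the behavior-based approach and its false-positive problem concrete, here is a small added example (not PC World's code, nor any vendor's product): a scorer that reads a constructed log of process actions, applies weighted behavioral rules such as "listens for inbound SMTP" or "installs a global keyboard hook", and raises an alert when a process crosses a score threshold. The process names, log lines, rule weights and threshold are all invented for the illustration. The racing game and the keylogger both request a global keyboard hook; only the corroborating behaviors (the keylogger's outbound connection, the mail bot's relay port and Run-key persistence) separate them, and lowering the threshold far enough to convict on the hook alone turns the game into the kind of needless alert the text describes.

```python
"""Toy behavior-based malware scoring over a constructed process event log.

Added illustration only; the log, process names, rule weights and
threshold are constructed for this example and are not from a real product.
"""
from dataclasses import dataclass, field

# Constructed sample log: one line per observed action, "pid process action detail".
SAMPLE_EVENTS = """\
101 updater.exe connect 203.0.113.5:443
102 mailbot.exe listen 0.0.0.0:25
102 mailbot.exe connect 198.51.100.7:25
102 mailbot.exe connect 198.51.100.8:25
102 mailbot.exe connect 198.51.100.9:25
102 mailbot.exe write HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
103 keylog.exe keyboard_hook global
103 keylog.exe write C:\\Users\\alice\\AppData\\Local\\Temp\\keys.log
103 keylog.exe connect 198.51.100.20:8080
104 racer.exe keyboard_hook global
104 racer.exe write C:\\Users\\alice\\Documents\\racer\\save.dat
"""


@dataclass
class Process:
    pid: int
    name: str
    actions: list = field(default_factory=list)  # list of (action, detail)


def parse_events(text):
    """Group the constructed log lines by process id."""
    procs = {}
    for line in text.splitlines():
        pid, name, action, detail = line.split(" ", 3)
        proc = procs.setdefault(int(pid), Process(int(pid), name))
        proc.actions.append((action, detail))
    return list(procs.values())


# Behavioral predicates: each looks at what a process did, not what it contains.
def listens_on_smtp(actions):
    return any(a == "listen" and d.endswith(":25") for a, d in actions)


def many_outbound_smtp(actions, threshold=3):
    return sum(1 for a, d in actions if a == "connect" and d.endswith(":25")) >= threshold


def global_keyboard_hook(actions):
    return any(a == "keyboard_hook" and d == "global" for a, d in actions)


def hook_plus_network(actions):
    # A keyboard hook by itself is ambiguous; a hook plus an outbound
    # connection is the keylogger pattern (capture, then send).
    return global_keyboard_hook(actions) and any(a == "connect" for a, _ in actions)


def writes_run_key(actions):
    return any(a == "write" and d.lower().endswith("\\run") for a, d in actions)


# (description, weight, predicate); weights are constructed for the example.
RULES = [
    ("listens for inbound SMTP (relay server)", 40, listens_on_smtp),
    ("repeated outbound SMTP connections", 30, many_outbound_smtp),
    ("installs a global keyboard hook", 25, global_keyboard_hook),
    ("keyboard hook combined with outbound connection", 30, hook_plus_network),
    ("adds itself to a Run key (persistence)", 20, writes_run_key),
]

ALERT_THRESHOLD = 50  # constructed; a hook alone (25) does not convict


def score_process(proc):
    hits = [(desc, w) for desc, w, pred in RULES if pred(proc.actions)]
    return sum(w for _, w in hits), hits


def classify(text, threshold=ALERT_THRESHOLD):
    """Return {process name: {score, verdict, hits}} for every process in the log."""
    results = {}
    for proc in parse_events(text):
        score, hits = score_process(proc)
        results[proc.name] = {
            "score": score,
            "verdict": "alert" if score >= threshold else "allow",
            "hits": [desc for desc, _ in hits],
        }
    return results


if __name__ == "__main__":
    for name, r in classify(SAMPLE_EVENTS).items():
        print(f"{name:12s} {r['verdict']:5s} score={r['score']:3d} {r['hits']}")
    # Lowering the threshold to the hook's weight alone flags the game too.
    print("racer.exe at threshold 25:", classify(SAMPLE_EVENTS, threshold=25)["racer.exe"]["verdict"])
```

With the default threshold, mailbot.exe (relay port, repeated SMTP connections, Run key) and keylog.exe (hook plus exfiltration) alert while racer.exe is allowed; with the threshold dropped to 25 the game is flagged on its keyboard hook alone, which is exactly the tuning trade-off between missed detections and user-annoying false positives.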

"If the right zero-day exists...it's almost like all that extra [security] doesn't make a difference." --Jeff Moss, BlackHat conference founder
BlackHat's Jeff Moss estimates that this kind of detection won't be genuinely useful on its own for another five years. "The false positive and false negative rates are too high. Everyone is coming up with novel ways of detecting misuse; but as soon as they try to deploy it, users revolt."
