Zero-Day Attacks Escape Detection for Nearly a Year: Symantec Study
Attacks using undisclosed "zero-day" vulnerabilities remain hidden for anywhere from 19 days to 30 months, according to new research that found 11 previously undetected attacks.Attacks exploiting unreported vulnerabilities, commonly called zero-day attacks, are both more numerous and more stealthy than previously thought, according to an academic paper released this week by two researchers at security firm Symantec. Using data from millions of actual computer systems, the researchers found evidence of 18 zero-day attacks that occurred in the last four years, 11 of which had not been previously reported. The attacks occurred well before the exploited vulnerability was publicly reported—from 19 days to 30 months prior to reports—with an average of 312 days, the researchers stated in a paper presented Oct. 18 at the 19th ACM Conference on Computer and Communications Security. "There is all this work trying to measure the duration of zero-day attacks using the creation dates of the public proof-of-concept [exploits]," said Tudor Dumitras, senior research engineer at Symantec Research Labs and a co-author of the paper. "We asked, 'Can we actually look at the exploits that are actively used in attacks in the real world?' And that is what we did in the study." Dumitras and his colleague Leyla Bilge used three sources of data: Vulnerability data from different sources and telemetry from 11 million systems that opted into either or both of Symantec's antivirus products and its reputation engine for binary executables.
The researchers first matched known attacks with the vulnerabilities, if any, exploited by the malicious programs used in the attacks between 2008 and 2011. The researchers then correlated each exploit with malicious binary executables, those used in attacks and those downloaded after a successful attack, in order to link attacks with vulnerabilities. The researchers searched the Internet for any mention of the exploit to search for when they were first reported, which allowed them to identify zero-day attacks.