Attacks exploiting unreported vulnerabilities, commonly called zero-day attacks, are both more numerous and more stealthy than previously thought, according to an academic paper released this week by two researchers at security firm Symantec.
Using data from millions of actual computer systems, the researchers found evidence of 18 zero-day attacks that occurred in the last four years, 11 of which had not been previously reported. The attacks occurred well before the exploited vulnerability was publicly reported—from 19 days to 30 months prior to reports—with an average of 312 days, the researchers stated in a paper presented Oct. 18 at the 19th ACM Conference on Computer and Communications Security.
"There is all this work trying to measure the duration of zero-day attacks using the creation dates of the public proof-of-concept [exploits]," said Tudor Dumitras, senior research engineer at Symantec Research Labs and a co-author of the paper. "We asked, 'Can we actually look at the exploits that are actively used in attacks in the real world?' And that is what we did in the study."
Dumitras and his colleague Leyla Bilge used three sources of data: Vulnerability data from different sources and telemetry from 11 million systems that opted into either or both of Symantec's antivirus products and its reputation engine for binary executables.
The researchers first matched known attacks with the vulnerabilities, if any, exploited by the malicious programs used in the attacks between 2008 and 2011. The researchers then correlated each exploit with malicious binary executables, those used in attacks and those downloaded after a successful attack, in order to link attacks with vulnerabilities. The researchers searched the Internet for any mention of the exploit to search for when they were first reported, which allowed them to identify zero-day attacks.
In the end, the researchers discovered 18 zero-day attacks, which falls short of the 43 zero-day attacks cataloged by security firms in the same time period, but 11 of the zero-day attacks were completely new, the paper stated.
The research is interesting because it gives security professionals an idea of the number of zero-day threats out there that are still undiscovered, says Wolfgang Kandek, chief technology officer for cloud security firm Qualys.
"I believe that the number that the researchers found is on the low side, because their research was limited by a number of technical restrictions," he said.
Indeed, the researchers themselves pointed out that a number of weaknesses in their system meant that they were finding a specific class of zero-days—attacks that use executable binaries. For example, attacks that hide exploits in data files—such as Office documents or Adobe Flash files—could only be caught if the malicious components installed on the victim's system were identified by Symantec's software.
A better question to answer would be how does the adoption of zero-day exploits by cyber-criminals compare with the adoption of exploits for patches disclosed normally, Qualys's Kandek said.
"Is it really the zero-day owner who is responsible for such a spike, or are there competing groups that throw their own analysis effort behind a vulnerability like that, given that they already know a working exploit can be developed," he said.