Zero-Day Attack

A zero-day attack is a software-related attack that exploits a weakness that a vendor or developer was unaware of.

What Is a Zero-Day Attack?

A zero-day attack (also referred to as Day Zero) is an attack that exploits a potentially serious software security weakness that the vendor or developer may be unaware of. The software developer must rush to resolve the weakness as soon as it is discovered in order to limit the threat to software users. The solution is called a software patch. Zero-day attacks can also be used to attack the internet of things (IoT).

A zero-day attack gets its name from the number of days the software developer has known about the problem.

A zero-day attack is a software-related attack that exploits a weakness that a vendor or developer was unaware of.
The name comes from the number of days a software developer has known about the problem.
The solution to fixing a zero-day attack is known as a software patch.
Antivirus software and regular system updates can reduce, though not always prevent, exposure to zero-day attacks.
There are different markets for zero-day attacks that range from legal to illegal: the white market, the gray market, and the dark market.

Understanding a Zero-Day Attack

A zero-day attack can involve malware, adware, spyware, or unauthorized access to user information. Users can protect themselves against zero-day attacks by setting their software — including operating systems, antivirus software, and internet browsers — to update automatically and by promptly installing any recommended updates outside of regularly scheduled updates.

That being said, having updated antivirus software will not necessarily protect a user from a zero-day attack, because until the software vulnerability is publicly known, the antivirus software may not have a way to detect it. Host intrusion prevention systems also help to protect against zero-day attacks, since they block intrusion attempts on the host and protect its data rather than relying on a signature for a specific, already-known flaw.

Think of a zero-day vulnerability as an unlocked car door that the owner thinks is locked but a thief discovers is unlocked. The thief can get in undetected and steal things from the car owner’s glove compartment or trunk that may not be noticed until days later when the damage is already done and the thief is long gone.

While zero-day vulnerabilities are known for being exploited by criminal hackers, they can also be exploited by government security agencies who want to use them for surveillance or attacks. In fact, there is so much demand for zero-day vulnerabilities from government security agencies that they help to drive the market for buying and selling information about these vulnerabilities and how to exploit them.

Zero-day exploits may be disclosed publicly, disclosed only to the software vendor, or sold to a third party. If they are sold, they can be sold with or without exclusive rights. The best solution to a security flaw, from the perspective of the software company responsible for it, is for an ethical hacker or white hat to privately disclose the flaw to the company so it can be fixed before criminal hackers discover it. But in some cases, more than one party must address the vulnerability to fully resolve it, so a complete private disclosure may be impossible.

Markets for Zero-Day Attacks

In the dark market for zero-day information, criminal hackers exchange details about how to break through vulnerable software to steal valuable information. In the gray market, researchers and companies sell information to militaries, intelligence agencies, and law enforcement. In the white market, companies pay white hat hackers or security researchers to detect and disclose software vulnerabilities to developers so they can fix problems before criminal hackers can find them.

Depending on the buyer, the seller, and the usefulness, zero-day information might be worth a few thousand to several hundred thousand dollars, making it a potentially lucrative market to participate in. Before a transaction can be completed, the seller should provide a proof-of-concept (PoC) to confirm the zero-day exploit’s existence. For those who want to exchange zero-day information undetected, the Tor network allows for zero-day transactions to be conducted anonymously using Bitcoin.

Zero-day attacks may be less of a threat than they sound. Governments may have easier ways to spy on their citizens, and zero-days may not be the most effective way to exploit businesses or individuals. An attack must be deployed strategically and without the target's knowledge to have maximum effect. Unleashing a zero-day attack on millions of computers at once could reveal the vulnerability's existence and get a patch released too quickly for the attackers to accomplish their ultimate goal.

Real World Example

In April 2017, Microsoft was made aware of a zero-day attack on its Microsoft Word software. The attackers used a malware called Dridex banker trojan to exploit a vulnerable and unpatched version of the software. The trojan allowed the attackers to embed malicious code in Word documents, which was automatically triggered when the documents were opened. The attack was discovered by antivirus vendor McAfee, which notified Microsoft of its compromised software. Although the zero-day attack was unearthed in April, millions of users had already been targeted since January.
