Zero-day exploits rarely used by criminals, Microsoft finds

Criminals have easier attack methods, says latest analysis

Software exploits, including zero-day attacks, appear to play a much smaller part in malware infections than previously thought, Microsoft's latest Security Intelligence Report (SIRv11) has found.

The vast majority of malware infections detected by the company's Malicious Software Removal Tool (MSRT) in the first half of 2011 depended either on user interaction or on abuse of the Windows AutoRun feature to infect PCs; these accounted for 44.8 percent and 26 percent of infections respectively.

Surprisingly, given the fear surrounding software exploits, attacks depending on them barely registered, accounting for just 5.6 percent of infections. More surprisingly still, under one percent of those used zero-day exploits, and not a single one of the most common malware families incorporated the method.

This is an unexpected finding. As Microsoft points out, zero-day attacks are among the most feared threat types because they appear to give the attacker the ability to compromise systems in a way that is impossible to quantify until it is too late.

Given the anxiety that surrounds them, what might account for the rarity of zero-day exploits?

The report's authors carried out a more detailed analysis of the zero-day attacks they did detect, which amounted to 0.12 percent over the six-month period as a whole, peaking at 0.37 percent in June.

Almost all of this detection was down to only two vulnerabilities, CVE-2011-0611 and CVE-2011-2110, both affecting Adobe's Flash Player, the latter also when Flash content is embedded in PDFs. The first was patched by Adobe within a week, while the second was not used by malware criminals on any scale until weeks after a patch had been issued.

Two conclusions follow. First, software companies (in this case Adobe) have become responsive to zero-days and now patch them rapidly compared with times gone by. Second, malware writers can't weaponise them fast enough for it to make any difference: by the time the exploit is included in malware, in all likelihood it is no longer a zero-day.

Tellingly, Microsoft's report suggests criminals probably don't need zero-days as much as some analyses have claimed. With so many other successful attack methods on offer, such as AutoRun abuse, which requires no user interaction at all, why trawl criminal forums to pay for zero-days with a short shelf life?
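Because AutoRun abuse is the one vector in the report that needs neither a user click nor an exploit, the practical check is whether the policy that suppresses it is actually set, and whether any attached removable media carries an autorun.inf that would launch a program. The script below is an added example written for this page; it is not code from Microsoft or from the SIR report. The registry value NoDriveTypeAutoRun (a bitmask of drive types for which AutoRun is suppressed; 0xFF covers all of them) and the Win32_LogicalDisk DriveType code for removable disks are documented Windows values; the function names and the output shape are this example's own.

```powershell
# Added example (not from the SIR report or the article): check whether AutoRun is
# policy-disabled on this host and scan removable drives for an autorun.inf that
# would launch an executable. Function names here are illustrative, not a Windows API.

function Get-AutoRunPolicyState {
    # NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed.
    # 0xFF (255) disables it for every drive type; the machine hive wins over the user hive.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # No policy value at all means the default (AutoRun allowed on most drive types)
            [pscustomobject]@{ Hive = $p; NoDriveTypeAutoRun = '(not set)'; AutoRunDisabled = $false }
            continue
        }
        $value = [int]$item.NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive               = $p
            NoDriveTypeAutoRun = ('0x{0:X2}' -f $value)
            AutoRunDisabled    = (($value -band 0xFF) -eq 0xFF)
        }
    }
}

function Disable-AutoRun {
    # Remediation: set the machine-wide policy to 0xFF, creating the key if it is missing.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
}

function Find-AutorunInf {
    # Removable drives report DriveType 2 in Win32_LogicalDisk. An autorun.inf whose
    # [autorun] section carries open=, shellexecute= or a shell\<verb>\command= line is
    # the pattern the Win32/Autorun family relied on to launch itself.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($drive in $removable) {
        $inf = Join-Path $drive.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }
        $launchLines = @(Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=' })
        [pscustomobject]@{
            Drive       = $drive.DeviceID
            Path        = $inf
            LaunchesExe = ($launchLines.Count -gt 0)
            Entries     = ($launchLines -join '; ')
        }
    }
}

# Report only; call Disable-AutoRun from an elevated session to remediate.
Get-AutoRunPolicyState | Format-Table -AutoSize
Find-AutorunInf        | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so both hives are readable and the remediation can write to HKLM. A host where the first table shows AutoRunDisabled as False for the HKLM entry is still exposed to the vector the report ranks second, regardless of how well patched it is; a removable drive whose row shows LaunchesExe as True deserves a look before it is opened in Explorer.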

The company admits that its methodology for detecting zero-day attacks might miss those occurring in low volumes, as would be the case in targeted attacks. Any that do occur above certain thresholds are quickly noticed and patched.

The authors end by arguing that the industry should move away from technical definitions of malware (is it a virus, a worm or a Trojan?) toward "taxonomies" based on the method of propagation.

"Many of the de facto standards that security professionals use were originally formulated when the threat landscape was very different than it is today," say the authors.

In this system, "social engineering" would be one heading regardless of the underlying technical means used, as would exploitation of patched vulnerabilities and exploitation of unpatched (zero-day) vulnerabilities.

"SIRv11 provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can't forget about the basics," said the Malware Protection Center's general manager, Vinny Gullotto. "Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals."

By John E Dunn