Software exploits, including zero-day attacks, appear to play a much smaller part in malware infections than previously thought, Microsoft’s latest Security Intelligence Report (SIRv11) has found.
The vast majority of malware infections detected by the company’s Malicious Software Removal Tool (MSRT) for the first half of 2011 depended either on user interaction or an abuse of the Windows AutoRun feature to infect PC, with these used in 44.8 percent and 26 percent of attacks respectively.
Surprisingly, despite the fear surrounding software exploits, attacks depending on these barely registered, recording just 5.6 percent of infections. More surprisingly still, under one percent of those turned out to use zero-day exploits, with not a single example of the most common malware types incorporating the method.
This is an unexpected finding. As Microsoft points out, zero day attacks are one of the most feared threat types because it appears to give the attacker the ability to compromise systems in a way that is impossible to quantify until it is too late.
Given the anxiety that surrounds them, what might account for the rarity of zero-day exploits?
The report authors carried out a more detailed analysis of the zero-day attacks they did detect, which amounted to 0.12 percent over the six month period as a whole, peaking at 0.37 percent in June.
Almost all of this detection was down to only two vulnerabilities, CVE-2011-0611 CVE-2011-2110, both affecting Adobe’s Flash Player, the latter when they are embedded in PDFs. The first exploit was patched by Adobe within a week while the second was not used by malware criminals on any scale until weeks after a patch had been issued.
The conclusions of this are that software companies (in this case Adobe) have become responsive to zero days and now patch them rapidly compared to times gone by. Second, malware writers aren’t able to exploit them fast enough for it to make any difference; by the time the exploit is included it is in all likelihood no longer a zero day.
Tellingly, Microsoft’s report suggests they probably don’t need zero days as much as some analyses have claimed. With so many other successful attack methods on offer such as AutoRun, which requires no user interaction, why trawl criminal forums to pay for zero days with a short shelf life?
The company admits that its methodology for detecting zero-day attacks might not notice those occurring in low volumes, such as would be the case in targeted attacks. Any that do occur above certain thresholds are quickly noticed and patched.
The authors end by arguing for the industry to move away from technical definitions of malware (is it a virus, a worm or a Trojan?) to “taxonomies” based on the method of propagation.
“Many of the de facto standards that security professionals use were originally formulated when the threat landscape was very different than it is today,” say the authors.
In this system, ‘social engineering’ would be one heading, regardless of the underlying technical means used, as would exploits based on patched or unpatched vulnerabilities.
“SIRv11 provides techniques and guidance to mitigate common infection vectors, and its data helps remind us that we can’t forget about the basics,” said the Malware Protection Center’s general manager, Vinny Gullotto. “Techniques such as exploiting old vulnerabilities, Win32/Autorun abuse, password cracking and social engineering remain lucrative approaches for criminals.”