Welcome to Day Zero
June 25, 2004
A “Zero Day Exploit” is essentially an attack on a computer that comes before a patch or other remedy could have been installed to fix it. In other words, it can’t be put down to a lack of prevention, not keeping the OS updated, not keeping antivirus software up-to-date, etc.
It just happens.
I was at a client’s office the other day, and one of their workstations showed massive signs of infection; I tried a few quick cleanup things on it, with no great luck, and ended up working on the machine back at my office.
What I found, and what I learned, wasn’t pretty—it was a piece of “malware” (malicious software—whether it’s spyware, a virus, a trojan or whatever else) that nothing seemed able to remove…
The machine was so compromised that no cleanup measures would run on it; I pulled the drive and mounted it (not as a boot drive) on another machine, cleaned up what I could that way (although this didn’t allow registry checks, etc.) and remounted it back on the original machine, which could now boot stably enough to run security tools.
AdAware identified the core offender (which was either installing a lot of other stuff, or allowing it to be installed), and claimed to remove it, but it was there again on a re-scan. Spybot Search and Destroy had the same problem. Norton Antivirus had its LiveUpdate disabled, but with a manual update of fresh definitions, it didn’t even see it.
Researching it, I found a lot of people re-formatting and re-installing in order to get rid of it, which is an approach, but maybe not the best—if you can’t remove it, and don’t know how to prevent it, how often are you going to reinstall XP?
Eventually, I found enough information to manually edit it out of the registry in safe mode, and then remove the offending files.
What I learned along the way, however, is pretty ugly—it’s not getting much press so far, but apparently a number of major websites have been compromised. These aren’t just iffy backwater sites, but many extremely popular, high-traffic sites, including major corporations, banks, etc.
These compromised sites exploit unpatched security holes in Internet Explorer to install software on the visitor’s machine. Not only is this a zero day exploit, but the nature of how the sites have been compromised appears to be too—currently, no one seems to be able to figure out how this is happening.
If that isn’t ugly enough, preventing it may be even worse for many users. Although XP’s “Service Pack 2” (now in beta) appears to solve it, at the moment, Microsoft’s standard advice is essentially to set security in Internet Explorer so high that many sites will not run properly. They advise you to add any such sites to “trusted sites”, but how do you trust a site to not be compromised if no one can figure out how it’s happening yet? You also have to manually add Windows Update and Office Update to the trusted sites list, or you won’t be able to get security updates from them. They also offer a popup blocker, although I’d recommend the Google Toolbar instead of theirs.
What I finally did on the client’s machine (after getting it clean) was to set IE’s security as suggested, and install Mozilla Firefox 0.9. I imported the settings, bookmarks and passwords from IE, and set Firefox as the default browser. I also added several extensions—the Googlebar, which approximates the Google Toolbar’s functionality (beyond basic search and popup blocking, which are already built-in), and “View in IE”, which lets you open the current page in (the now more secured) IE, if it just doesn’t work properly in Firefox.
It’s far from an ideal solution. Firefox may or may not be written “more securely” than IE, but the fact is that at the moment, the problems are targeting IE. If you can’t make them stop shooting at you, at least present a smaller target. Also, there are still plenty of sites that don’t work properly in Firefox—with problems ranging from “stuff looks odd” to “you just aren’t going to use it”. This leaves IE as the only resort in those cases, and the high security settings may be a problem on those same sites—or they may not be enough to protect you.
But that’s about as good as it gets right now, and if you’re running Windows and IE, I heartily suggest you do something similar.
Don’t forget about mail, either. If your mail will display an HTML message, you’re just as vulnerable there (that HTML message is essentially running in IE). Microsoft’s advisory shows how to limit Outlook Express and Outlook to Plain Text, but a better solution (albeit expensive) is probably to use Outlook 2003; it will block HTML unless you tell it specifically that a message is okay to display (or that the sender should always be treated as safe).
Which is all fine and good, but what about the rest of the world?
The fact is that most casual Windows users are probably not going to see this or anything like it, and are not going to install Firefox.
They most definitely are not likely to go edit their registry in safe mode to remove malware.
Let’s forget for a moment the completely clueless, who aren’t running any antivirus and aren’t running Windows update—the user who is “doing everything right” by current standards is still vulnerable and likely to get hit by this, and end up with either a broken computer or yet another spam factory in the army of zombied machines.
Maybe I’m overreacting, but at the moment, that poor guy looks doomed.
Sure, sooner or later we’ll see a patch for this (and for the webservers that are propagating it), and the antivirus/antispyware software will deal with it. But how will that help the guy whose machine won’t even boot stably enough to run the fix?
It also won’t solve the problem in the meantime.
Worse, if this is a sign of the way it’s going to be—if this is just a foreshadowing of the way these things are going—we’re going to need a damn sight better approach than “patch it later” to deal with things from here on out.