Welcome to Day Zero

June 25, 2004

A “Zero Day Exploit” is essentially an attack on a computer that comes before a patch or other remedy could have been installed to fix it.  In other words, it can’t be put down to a lack of prevention, not keeping the OS updated, not keeping antivirus software up-to-date, etc. 

It just happens.

I was at a client’s office the other day, and one of their workstations showed massive signs of infection; I tried a few quick cleanup things on it, with no great luck, and ended up working on the machine back at my office.

What I found, and what I learned, wasn’t pretty—it was a piece of “malware” (malicious software—whether it’s spyware, a virus, a trojan or whatever else) that nothing seemed able to remove…

The machine was so compromised that no cleanup measures would run on it; I pulled the drive and mounted it (not as a boot drive) on another machine, cleaned up what I could that way (although this didn’t allow registry checks, etc.) and remounted it back on the original machine, which could now boot stable enough to run security tools.

AdAware identified the core offender (which was either installing a lot of other stuff, or allowing it to be installed), and claimed to remove it, but it was there again on a re-scan.  Spybot Search and Destroy had the same problem.  Norton Antivirus had its LiveUpdate disabled, but with a manual update of fresh definitions, it didn’t even see it.

Researching it, I found a lot of people re-formatting and re-installing in order to get rid of it, which is an approach, but maybe not the best—if you can’t remove it, and don’t know how to prevent it, how often are you going to reinstall XP? 

Eventually, I found enough information to manually edit it out of the registry in safe mode, and then remove the offending files.

What I learned along the way, however is pretty ugly—it’s not getting much press so far, but apparently a number of major websites have been compromised.  These aren’t just iffy backwater sites, but many extremely popular and high-traffic’ed sites, including major corporations, banks, etc. 

These compromised sites exploit unpatched security holes in Internet Explorer to install software on the visitor’s machine.  Not only is this a zero day exploit, but the nature of how the sites have been compromised appears to be too—currently, no one seems to be able to figure out how this is happening.

If that isn’t ugly enough, preventing it may be even worse for many users.  Although XP’s “Service Pack 2” (now in beta) appears to solve it, at the moment, Microsoft’s standard advice is essentially to set security in Internet Explorer so high that many sites will not run properly.  They advise you to add any such sites to “trusted sites”, but how do you trust a site to not be compromised if no one can figure out how it’s happening yet?  You also have to manually add Windows Update and Office Update to the trusted sites list, or you won’t be able to get security updates from them.  They also offer a popup blocker, although I’d recommend the Google Toolbar instead of theirs.

Another site, Secunia, advises users to increase security settings, filter possible exploits using a proxy server, or use a different browser.

What I finally did on the client’s machine (after getting it clean) was to set IE’s security as suggested, and install Mozilla Firefox 0.9.  I imported the settings, bookmarks and passwords from IE, and set Firefox as the default browser.  I also added several extensions—the Googlebar, which approximates the Google Toolbar’s functionality (beyond basic search and popup blocking, which are already built-in), and “View in IE”, which lets you open the current page in (the now more secured) IE, if it just doesn’t work properly on FireFox.

It’s far from an ideal solution.  Firefox may or may not be written “more securely” than IE, but the fact is that at the moment, the problems are targeting IE.  If you can’t make them stop shooting at you, at least present a smaller target.  Also, there are still plenty of sites that don’t work fully properly in FireFox—with problems ranging from “stuff looks odd” to “you just aren’t going to use it”.  This leaves IE as the only resort in those cases, and the high security settings may be a problem on those same sites—or it may not be enough to protect you.

But that’s about as good as it gets right now, and if you’re running Windows and IE, I heartily suggest you do something similar. 

Don’t forget about mail, either.  If your mail will display an HTML message, you’re just as vulnerable there (that HTML message is essentially running in IE).  Microsoft’s advisory shows how to limit Outlook Express and Outlook to Plain Text, but a better solution (albeit expensive) is probably to use Outlook 2003; it will block HTML unless you tell it specifically that a message is okay to display (or that the sender should always be treated as safe).

Which is all fine and good, but what about the rest of the world?

The fact is that most casual Windows users are probably not going to see this or anything like it, and are not going to install FireFox.

They most definitely are not likely to go edit their registry in safe mode to remove malware. 

Let’s forget for a moment the completely clueless, who aren’t running any antivirus and aren’t running Windows update—the user who is “doing everything right” by current standards is still vulnerable and likely to get hit by this, and end up with either a broken computer or yet another spam factory in the army of zombied machines. 

Maybe I’m overreacting, but at the moment, that poor guy looks doomed. 

Sure, sooner or later we’ll see a patch for this (and for the webservers that are propagating it), and the antivirus/antispyware software will deal with it.  But how will that help the guy who’s machine won’t even boot stable enough to run the fix? 

It also won’t solve the problem in the meantime. 

Worse, if this is a sign of the way it’s going to be—if this is just a foreshadowing of the way these things are going—we’re going to need a damn site better approach than “patch it later” to deal with things from here out.

Be Sociable, Share!


3 Responses to “Welcome to Day Zero”

  1. Terry Finnegan on July 2nd, 2004 8:50 am

    Hello Chuck

    Came across your web site regarding “Day Zero”.  Well written, to the point, and speaks layman language.  I am looking at the spectrum of scenarios that will reflect on “Day Zero” possibilities. 

    Glad to keep in touch if you want to brainstorm.


  2. Chuck Lawson on July 2nd, 2004 4:08 pm

    Hi Terry;

    Thanks for the comment. Yes, I think this is going to take a fair amount of brainstorming on everyone’s part.

    As for the scenario above, in the last week they found that it was a known (and patchable) bug in IIS that was allowing the sites to be compromised, and there is apparently a patch coming out for IE for the zero-day exploit there.

    Which is all fine and good, but my concerns are now ranging a little further afield.

    Among other things, I’m in the webhosting business, and a significant amount of our time is spent in keeping things patched and as secure as we can learn how.

    Zero-day exploits start to put things in a different light, however.  In addition to thinking about “how do we prevent an exploit”, we really need to start thinking about “what do we do if we’re compromised anyway?”.  Taken from a standpoint of “sooner or later, somebody is getting in”, what do you do to mitigate damage?

    What data REALLY needs to be on that server, and for how long?

    How much access does root on one server require on another server?

    How many levels of on and off-site backup are there?  How fast can you deploy restores?

    Unfortunately, this is the kind of thing we need to start thinging about.

    It needs to be thought about on the user platform too.  Assuming you do everything right, and your machine still gets compromised, what do you do then?  How have you secured sensitive data?  Which pieces of sensitive data REALLY need to be online on your machine all the time?  How are you backed up?  How recent is your offsite backup?  How do you KNOW there isn’t a key logger grabbing that credit card number?  How often do you check your bank transactions for spurious transactions?

    These are all important issues, and sooner or later, everybody is going to have to face them, or get burned.

    Another one that’s been kicking around for awhile now is “just what do you do via Wi-Fi?” Wi-fi in public may well be getting sniffed.  Wi-fi at home or in the office may be getting sniffed too. If you don’t do everything using encrypted tunnels, you are at risk.

    Do you check your e-mail?  Do you send passwords in the clear? (if you don’t know, then you probably do).  If you do, is your e-mail password the same as any other password you use?  How much damage could an intruder do if they got access to your e-mail?

    Do you FTP? Same issue there if you’re not using Secure http://FTP.  This may include software that uploads pictures to your website, and possibly blog posting software.

    It’s time to batten down the hatches…

  3. Peter da Silva on August 15th, 2004 4:24 pm

    You write: “It’s far from an ideal solution.”

    The ideal solution would be for Microsoft to make Intenet Explorer a standalone component. They can keep the HTML rendering engine in the OS, but it should simply be an HTML rendering engine: all access to resources required by the HTML page (includingembedded objects, images and links) should remain the responsibility of the program that’s doing the rendering. It’s the only one in a position to know whether the data is to be trusted with things like internal helper applications or not. There’s no game that IE can play with “zones” and “trusted sites” that will resolve that problem: in fact playing games to trick IE or Outlook (another program you should avoid, for the same reasons) as to the security restrictions it should apply is the biggest problem.

    So the real problem isn’t so much that Firefox is written “more securely” than IE (I suspect it is, because it doesn’t trust anything), it’s that Firefox is a standalone application that doesn’t have its fingers in the system to nearly as great a degree, so there’s fewer opportunities for failure.

    Ideally, the “Internet Explorer” front end would simply not provide a mechanism to do things like installing software, that would only be in the “Windows Update” front end.

    So in the end, you would only be using Internet Explorer on websites, and other specialised front ends like Windows Explorer and some kind of Software Update application where IE’s newly tight security was unnecessary and inappropriate.

    But until that happens, the solution is simply to only use IE when you absolutely have to. Which is, after all, not so much different.

Got something to say? [privacy policy]

You must be logged in to post a comment.