According to a new study from Symantec, little has been known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Researchers have now uncovered that contrary to popular belief, most zero-day attacks affect a few hosts in targeted attacks, with the exception of a handful of high-profile attacks (e.g., the recent Java zero-day).
And, a typical zero-day attack tends to be active between 19 days and 30 months before being caught and handled by system administrators and software patches, with a median of 8 months and an average of approximately 10 months in duration.
“Knowledge of new vulnerabilities gives cybercriminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered,” said report authors Leyla Bilge and Tudor Dumitras, from Symantec Research Labs. "Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments.”
After vulnerabilities are disclosed, the volume of attacks exploiting them increases by up to five orders of magnitude. So, the real problems come after software vulnerabilities are disclosed, because cybercriminals, of course, watch closely for such information. Exploits for 42% of all vulnerabilities employed in host-based threats are detected in field data within 30 days after the disclosure date.
The two researchers identified 18 zero-day attacks between 2008 and 2011. Of those, 11 were previously undetected, so zero-day attacks are actually more frequent than previously thought, they noted.