Often you’ll see antivirus products, firewall vendors, and other security products claiming to stop “zero day vulnerabilities” or “zero day threats”. But what does zero day vulnerability mean?
Before we dive into that, there are a few other terms we need to understand.
What is malware?
Malware is short for “malicious software”. It is software specifically designed to damage, disrupt, steal, or in general inflict some other “bad” or illegitimate action on data, hosts, or networks.
There are various classes of malware, some of which are listed below.
A computer virus is a type of malware that spreads by inserting a copy of itself into and becoming part of another program. It spreads from one computer to another, leaving infections as it travels. Viruses spread when the software or document they are attached to is transferred from one computer to another using the network, a disk, file sharing, or infected email attachments.
Computer worms are similar to viruses in that they replicate functional copies of themselves and can cause the same type of damage. In contrast to viruses, which require the spreading of an infected host file, worms are standalone software and do not require a host program or human help to propagate. To spread, worms exploit a vulnerability on the target system.
A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy. It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems. After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops) to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses). Trojans are also known to create backdoors to give malicious users access to the system. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.
A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch flood-type attacks against their target(s), effectively using innocent computers as their private army.
Ransomware is a type of malicious software which encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.
Virus definitions vs zero day
There is a lot of known malware out there, and more is released every day. All of it is recorded in a regularly updated virus definition file – basically, a huge database of signatures for all known malware.
Zero day threats are the ones we don’t know about yet – they’ve appeared today, so there is no signature for them in the definition list and no patch for the vulnerability they exploit. The name comes from the vendor having had zero days to fix the problem.
So, how do we defend against that?
If we think of your computer as a night club, and your threat prevention mechanisms as a bouncer, it’s easy to draw parallels with how all of this fits together.
Everyone coming into the night club is checked against the virus definition list. If their name is in the list, they aren’t coming in.
Heuristics are behaviours and traits that we expect of malware. If a guest turns up at the night club in tracksuit bottoms, white trainers and a baseball cap on backwards, it’s probably malware, so it isn’t coming in. This doesn’t need the guest’s name to be on the list, which is what gives it a chance of catching a zero day. Because it is a judgement rather than an exact match, it can lead to false positives, though most products are pretty good at keeping those down.
Sandboxing is sometimes referred to as “malware detonation” in catchy marketing lingo. What it means is that we let the guests into a smaller night club without telling them, let them run around for a bit, and monitor what they do. If they behave themselves, we let them through to the proper night club.
There is lots of jargon associated with IT security – this is just scratching the surface! Mostly, it’s just about protecting the “good stuff” from the “bad stuff”.
As you can see, there are many ways for malware to get into your systems, and more are being invented every day as the bad guys try to circumvent current protections. It’s important to have multiple layers of security, and not to rely on just one product or vendor to protect yourself. Every vendor has different proprietary methods of discovering malware and protecting you from it. A good security architecture uses a number of these to create multiple lines of defence.