A Q&A with Greg Wasson of ICSA Labs
The term zero-day malware refers to threats that exploit a vulnerability that already exists in a system but is not yet known to its owner or developer, so no patch is available when the attack begins. I spoke to Greg Wasson, program manager at ICSA Labs, about zero-day vulnerabilities and the risks they pose for companies.
What’s new in the world of zero-day malware?
While there seems to be a lot of “new” malware that comes out every day, the reality is that the people who are writing it are just taking what’s already out there and making small changes to change the fingerprint. But the bottom line is that the techniques hackers use haven’t changed in years. Typically, it’s an executable—a link or a file that’s sent around—and once the user clicks on it, the malware infects their computer. They use simple social engineering tricks to make the executable look like a .pdf or .mp3 file by changing the icon.
What makes zero-day more challenging to prevent/detect?
Software development as a rule is not perfect, so there will always be these vulnerabilities, but whether they can be exploited to install a back door or malicious code on a machine is another issue. When it comes to who will find your zero-day vulnerabilities, it can sometimes be hard to differentiate between bad guys and the government, because both are actively looking for them. However, there are situations in which a researcher will discover the vulnerability and practice what’s called “responsible disclosure,” privately notifying the owner so they have time to fix it. Right now, there’s a large market for this information—the government is willing to pay large amounts of money for zero days. The reason they are hard to detect is because they are constantly changing, so antivirus solution vendors have a hard time keeping pace.
Is there any malware that you consider particularly worrisome?
Certainly, we are concerned about the new ransomware such as CryptoLocker, which encrypts your critical files and pretty much puts you at the mercy of the malware author. Unless you have good backups of your files, you will have to pay them and hope the attacker will actually unlock your files—and in some cases, that doesn’t happen.
What can a forward-leaning organization do to mitigate this risk exposure?
The number one thing is to make sure you have good backups for your systems. Be diligent about the files you open via email. If you are not expecting a file from a particular person and you get something, pick up the phone and ask them before you open it. These attackers do quite a bit of work to make sure these files or links look interesting to you and they may keep trying until you click—you only have to click once. Look closely at the extensions on files people send you before you open them—if they look like they have been modified, for instance with spaces after the initial .PDF or other extension, then don’t click on it. The attackers have a lot of simple tricks like this, and they are counting on the fact that you are not aware of them.
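The two filename tricks Mr. Wasson describes (a changed icon on an executable, and whitespace padded in after a harmless-looking “.PDF” so the real extension scrolls out of view) can be checked mechanically before a user ever sees the attachment. The following is an added example written for this page; it is not ICSA Labs code and the interview does not describe any tool. It generalizes the answer above to two related tricks the page does not mention, a Unicode right-to-left override in the name and a double extension such as “photo.jpg.scr”, and it reads the file header so that an icon swap cannot hide a Windows executable. The extension lists, the magic-byte table, the sample filenames and the fake “MZ” headers are all constructed assumptions for the demonstration.

```python
"""Flag attachment names and contents that use the tricks described in the
interview. Added example, not ICSA Labs code; lists and samples are assumed."""
import re
from typing import NamedTuple

# Extensions Windows executes directly on double-click (assumed list; extend it).
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "lnk", "jar",
}
# What a lure usually claims to be, and the header that claim implies.
LURE_EXPECTED_TYPE = {
    "pdf": "pdf", "mp3": "mp3", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip",
    "doc": "ole", "xls": "ole", "txt": "unknown",
}
# Leading bytes of the formats identified here (first match wins).
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"ID3", "mp3"),
    (b"\xff\xfb", "mp3"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0", "ole"),
]
RTLO = "\u202e"  # Unicode right-to-left override


class Verdict(NamedTuple):
    suspicious: bool
    reasons: tuple


def content_type(data: bytes) -> str:
    """Identify the file by its header, the one thing an icon swap cannot change."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(filename: str, data: bytes = b"") -> Verdict:
    reasons = []

    # RTLO makes "report\u202efdp.exe" render as "reportexe.pdf".
    if RTLO in filename:
        reasons.append("rtlo-override-in-name")
        filename = filename.replace(RTLO, "")

    # The padding trick from the answer above: whitespace between ".pdf" and
    # the real extension pushes ".exe" past what the mail client displays.
    if re.search(r"\.[A-Za-z0-9]+\s+\.[A-Za-z0-9]+$", filename):
        reasons.append("whitespace-padded-extension")

    exts = [e.lower() for e in re.findall(r"\.([A-Za-z0-9]+)", filename.strip())]
    final = exts[-1] if exts else ""

    # "holiday.jpg.scr" shows as "holiday.jpg" when Explorer hides known
    # extensions; only the last extension decides how the file opens.
    if len(exts) >= 2 and exts[-2] in LURE_EXPECTED_TYPE and final in EXECUTABLE_EXTENSIONS:
        reasons.append("double-extension")
    if final in EXECUTABLE_EXTENSIONS:
        reasons.append("executable-extension:" + final)

    # The icon trick: the icon lives inside the PE, so check the bytes.
    if data:
        kind = content_type(data)
        if kind == "pe-executable" and final not in EXECUTABLE_EXTENSIONS:
            reasons.append("pe-header-with-non-executable-extension")
        expected = LURE_EXPECTED_TYPE.get(final)
        if expected and expected != "unknown" and kind != "unknown" and kind != expected:
            reasons.append(f"content-type-mismatch:{final}-vs-{kind}")

    return Verdict(bool(reasons), tuple(reasons))


# Constructed sample attachments (not real malware): one benign PDF and the
# lures discussed above, with a fake "MZ" header standing in for an .exe.
SAMPLES = {
    "Q3 report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "invoice.pdf                      .exe": b"MZ\x90\x00constructed",
    "song.mp3": b"MZ\x90\x00constructed",  # header says PE, name says audio
    "holiday.jpg.scr": b"MZ\x90\x00constructed",
    "report\u202efdp.exe": b"MZ\x90\x00constructed",
}


def scan(samples=SAMPLES):
    """Return {filename: Verdict} for every sample."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} {name!r}: {', '.join(verdict.reasons) or '-'}")
```

The filename checks are cheap and catch what a user is told to look for; the header check is the one that matters when the name is clean, because it is the bytes, not the icon or the extension shown in the mail client, that decide what actually runs. In a real mail gateway the same verdict would be computed on the decoded MIME part before delivery.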
It seems like we have been talking about zero-day attacks for 16 years or so within the insurance community, and it’s still very much on the mind of the cyber liability insurance carriers. As Mr. Wasson mentioned, the attackers often still rely on exploiting human weaknesses (e.g., clicking on malicious links or files sent in emails), a threat that will no doubt continue as long as users click on impulse. Also related to this topic is our Junto interview with Ramon Peypoch of McAfee.