Zero-day malware

Igor Muttik, McAfee

The term 'zero-day' came from vulnerability research, but it is now widely used for malware, too. Wikipedia defines 'zero-day virus' as 'a previously unknown computer virus or other malware for which specific anti-virus software signatures are not yet available'. Of course, this is just silly - nearly all contemporary malware is zero-day according to this definition!

It is easy for any malware writer to obtain a security product and test that his or her creation is not going to be detected. There are many underground web portals offering cross-scanning services - they even include email notifications whenever detections are implemented by any of the AV products. Thus, only a very lazy or careless malware writer would not be able to build a zero-day piece of malware. The fact that zero-day exploitation of vulnerabilities is now widely used to deploy malware blurs the term even further.

Fortunately, streaming updates and cloud-based security protection redefine the zero-dayness for malware. Bad guys can no longer predict the security reaction because, even though it may not be proactive, it can still essentially be instantaneous. With a global security cloud, even a truly novel piece of malware may have a chance to hit only a handful of targets before global protection is provided. At that point, all other users would be safe. This is the area where the agility of AV solutions is way ahead of contemporary vulnerability patching. We will argue that cloud-based security is blurring the line between reactive and proactive protection, rendering the term 'zero-day' meaningless.

We will present a mathematical model showing that the impact of vulnerability exploitations and malware attacks can be scientifically measured based on the timing and intensity of attacks and the availability of protection. We will show how the monetary costs of attacks can be accounted for within our model.

Finally, we shall discuss reloading the term 'zero-day malware' and the possibility of its covering new attack vectors (e.g. spreading through open shares), new targets (e.g. HLP or PIF files), and new platforms (e.g. PSP3 and iPhones).

