Igor Muttik McAfee
The term 'zero-day' came from vulnerability research, but it is now widely used for malware, too. Wikipedia defines
'zero-day virus' as 'a previously unknown computer virus or other malware for which specific anti-virus software signatures
are not yet available'. Of course, this is just silly - nearly all contemporary malware is zero-day according to this
It is easy for any malware writer to obtain a security product and test that his or her creation is not going to be
detected. There are many underground web portals offering cross-scanning services - they even include email notifications
whenever detections are implemented by any of the AV products. Thus, only a very lazy or careless malware writer would not
be able to build a zero-day piece of malware. The fact that zero-day exploitation of vulnerabilities is now widely used to
deploy malware blurs the term even further.
Fortunately, streaming updates and cloud-based security protection redefine the zero-dayness for malware. Bad guys can no
longer predict the security reaction because, even though it may not be proactive, it can still essentially be
instantaneous. With a global security cloud, even a truly novel piece of malware may have a chance to hit only a handful
of targets before global protection is provided. At that point, all other users would be safe. This is the area where the
agility of AV solutions is way ahead of contemporary vulnerability patching. We will argue that cloud-based security is
blurring the line between reactive and proactive protection, rendering the term 'zero-day' meaningless.
We will present a mathematical model showing that the impact of vulnerability exploitations and malware attacks can be
scientifically measured based on the timing and intensity of attacks and the availability of protection. We will show how
the monetary costs of attacks can be accounted for within our model.
Finally, we shall discuss reloading the term 'zero-day malware' and the possibility of its covering new attack vectors
(e.g. spreading through open shares), new targets (e.g. HLP or PIF files), and new platforms (e.g. PSP3 and iPhones).