The Thing About Zero Days Is…

Zero day malware is malware that hasn’t been seen before. Zero day exploits are exploits that haven’t been seen before. It’s pretty simple. The thing is the name kind of implies that it’s a “zero day” only until it’s discovered and after that it’s just some exploit in the wild, which will be patched.

The thing is there’s a significant amount of time between:

1) The time it’s infecting people and the time we realize it’s infecting people

2) The time we realize it’s infecting people and the time it takes to patch it

3) The time it takes to patch it and the time it takes to deploy the patch

4) The time it takes to deploy the patch and the time it takes for users to actually install it


You’re not looking at a very short time frame here. Number 1 is the shortest but 2, 3, and 4 can take a long time. Multiple days, weeks for some users. 

Some programs get around (4) with automatic updates but even if the user installs immediately they’re actually vulnerable for about half the year in terms of days where they can be exploited. When you consider that users are usually waiting at least a few days before installing the updates they’re vulnerable for pretty much the majority of the time.

I think it’s important to note that because people are often like “Oh, well who cares about 0days it’s usually users who aren’t patched who get infected” — well, most of us aren’t patched for most of the year.

Securing Windows

Windows is the most popular and most targeted operating system but a lot of the more common attacks on it are trivial to defeat. This guide will cover some simple steps to secure Windows and keep your system safe.

Reducing Attack Surface

This should be the first step to securing literally any operating system. Code is attack surface, running code is valuable attack surface, internet facing code is a gold mine.

First things first, go ahead and run msconfig.exe. Disable startup applications you have that aren’t important, like some toolbar service. Don’t disable applications looking to update.

You can also look in services.msc and disable what you don’t need. Personally, I don’t print from my computer, so right away I can disable the Print Spooler service. This service has been involved in many infections and an exploit in it allowed Stuxnet to propagate. There are other services like Computer Browser that you might want to disable. Don’t disable anything without understanding what it is; I suggest you check this wiki out for explanations:

http://www.blackviper.com/windows-services/

I don’t know who that guy is or why that site is the way it is… but the wiki is fine.

You should also uninstall any programs you don’t really run. Maybe you have Java installed but you don’t really know why – get rid of it. Java’s a massive hole on your system. Maybe you have 5 torrent clients for no real reasons, remove 4 of them. Just get rid of what’s on your computer if you don’t need it.
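Here’s an added example of the services part of this, in PowerShell rather than clicking through services.msc. It is not from the original post; it is my own script. It first lists every service that auto-starts and is running right now (the list worth checking against the wiki above), then shows a dry run for the two services named in this post. ‘Spooler’ and ‘Browser’ are the real service names behind “Print Spooler” and “Computer Browser”; anything else you add to $candidates is your own call. Needs an elevated prompt and PowerShell 3 or later (for Get-CimInstance).

```powershell
# Added example, not from the original post: audit auto-start services and
# stop/disable the two the post calls out. Nothing changes unless -Apply is given.
# Run from an elevated PowerShell prompt (Run as administrator).
param([switch]$Apply)

# 1. Review: every service that starts automatically and is running right now.
#    Check anything unfamiliar here against the services wiki before disabling it.
Write-Host "=== Auto-start services currently running ==="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } |
    Sort-Object Name |
    Format-Table Name, DisplayName, PathName -AutoSize

# 2. Candidates to disable, with the reason recorded so you remember why later.
#    'Spooler' and 'Browser' are the real Windows service names; the list is mine.
$candidates = @(
    @{ Name = 'Spooler'; Reason = 'Print Spooler - only needed if you print' },
    @{ Name = 'Browser'; Reason = 'Computer Browser - legacy network browsing' }
)

foreach ($c in $candidates) {
    $svc = Get-Service -Name $c.Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Host "$($c.Name): not installed, nothing to do"
        continue
    }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$($c.Name)'").StartMode
    Write-Host "$($c.Name) ($($c.Reason)): status=$($svc.Status) startmode=$mode"

    if (-not $Apply) {
        Write-Host "  dry run - re-run with -Apply to stop and disable it"
        continue
    }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $c.Name -Force
    }
    # Disabled rather than Manual, so nothing can quietly start it on demand later.
    Set-Service -Name $c.Name -StartupType Disabled
    Write-Host "  stopped and disabled"
}
```

Save it as something like audit-services.ps1, run it once without arguments to see the list and the dry run, then run it with -Apply once you’re happy with what it is going to turn off. If you ever do need to print again, Set-Service -Name Spooler -StartupType Manual followed by Start-Service Spooler brings it back.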

Run EMET

I’ve posted about EMET twice now with an explanation as to what EMET is and a guide to set it up. I highly suggest you follow that guide to the letter.

EMET is probably my favorite tool for Windows security. It’s not going to prevent every exploit ever but pretty much any automated exploit is dead in the water and even a targeted attack will be more difficult against a service running EMET.

If you follow my guide you’ll have many of the critical applications running EMET.

Stay Patched

Staying patched is the easiest way to stay secure. It’s a lot easier for bad guys to exploit known vulnerabilities than to come up with new ones. Even if you’re running EMET and you’ve reduced attack surface if your system is full of vulnerabilities that are well known to every skiddy and hacker out there you’re going to be an easy target.

Set Windows to automatically update.

Guide to set up automatic Windows updates here.

You should also check for browser and plugin updates frequently as these are very commonly exploited.
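Since the post says to set automatic updates and keep checking, here’s an added check script (mine, not from the original post or the linked guide) that reports how the machine is configured to update and how long it has been since the last Windows patch went on. The two registry paths are the standard Windows Update locations, with the Group Policy key taking precedence over the Control Panel setting when both exist; the 14-day “stale” threshold is my own pick. Get-HotFix only sees Windows updates, so browser and plugin updates still need their own check.

```powershell
# Added example, not from the original post: report the Automatic Updates
# setting and the age of the most recent installed hotfix.

# Policy key wins over the user-facing setting when both exist.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$user   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Meaning of the AUOptions value.
$meaning = @{
    1 = 'Never check for updates (bad)'
    2 = 'Check, but let me choose whether to download and install'
    3 = 'Download, but let me choose whether to install'
    4 = 'Install updates automatically (what you want)'
}

function Get-AUOption($path) {
    if (Test-Path $path) {
        $v = Get-ItemProperty -Path $path -Name AUOptions -ErrorAction SilentlyContinue
        if ($v) { return [int]$v.AUOptions }
    }
    return $null
}

$opt = Get-AUOption $policy
$src = 'Group Policy'
if ($null -eq $opt) { $opt = Get-AUOption $user; $src = 'Control Panel setting' }

if ($null -eq $opt) {
    Write-Host "Automatic Updates: no AUOptions value found (defaults apply)"
} else {
    $desc = $meaning[$opt]
    if (-not $desc) { $desc = "unknown value $opt" }
    Write-Host "Automatic Updates ($src): $opt = $desc"
}

# Days since the most recent hotfix was installed. Entries with no recorded
# date are skipped rather than treated as recent.
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($latest) {
    $age = (Get-Date) - $latest.InstalledOn
    Write-Host ("Last hotfix: {0} on {1:d} ({2} days ago)" -f $latest.HotFixID, $latest.InstalledOn, [int]$age.TotalDays)
    # 14 days is my own threshold, not a Microsoft one.
    if ($age.TotalDays -gt 14) { Write-Host "  more than two weeks since a patch - check Windows Update now" }
} else {
    Write-Host "No hotfix install dates recorded"
}
```

If it reports anything other than 4 for AUOptions, go back to the automatic updates guide linked above; if the last hotfix is weeks old on a machine that is supposed to update itself, something is wrong with the update service and that is worth chasing down before anything else.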

If you use EMET, uninstall and disable unnecessary software, and keep your system up to date you’re going to avoid most threats for Windows. This isn’t all you can do to secure Windows, but I’ll recommend the above three tips every single time. They’re pretty universal for securing Windows users.