Zero-Day Attacks Expected To Increase

Worst-case scenario is for attacks to occur before a vendor uncovers vulnerability

information Staff, Contributor

March 21, 2003


Security experts say they witnessed a worst-case scenario two weeks ago when Internet servers fell victim to a previously unknown flaw in Windows 2000 servers running Microsoft's Internet Information Services 5.0 software.

"It's a zero-day attack," says Russ Cooper, editor of security E-mail list NTBugtraq and surgeon general of security firm TruSecure Corp. Zero-day attacks, or attacks against software vulnerabilities not yet known by software vendors, are very rare, Cooper says. TruSecure says it gathered intelligence that a server operated by the U.S. Army was attacked twice; the Army did not confirm the attacks by press time.

Separately, security firm Internet Security Systems Inc. saw a software exploit--an application used to make it easier for hackers to attack vulnerable systems--in the days prior to Microsoft's announcement of the vulnerability and patch last week. At press time, it was unclear how many servers were attacked or what damage was caused. Microsoft confirmed that it learned of the security flaw after being contacted by a customer on March 12. A Microsoft spokesperson says the company put roughly 100 programmers to work around the clock to be able to publish the patch by March 16.

The Code Red worm hit vulnerable systems running Microsoft's IIS software in the summer of 2001, 30 days after a patch was released. But experts say zero-day attacks will become more common. Dan Ingevaldson, team leader of Internet Security Systems' X-Force security research group, warns of a high probability that a worm aimed at Windows 2000 servers running IIS 5.0 will surface soon. "We have the exploit, and it works well," he says. "It can compromise remote systems easily."

This news comes as ICSA Labs, which tests and certifies security products, issued its Computer Virus Prevalence Survey 2002, based on 306 respondents. The survey reveals that while the number of companies suffering "disastrous" virus and worm attacks dropped last year, the cost of defending against successful disastrous virus attacks rose substantially. The average cost to recover from such a virus attack rose last year to $81,000, compared with $69,000 in 2001.

Larry Bridwell, antivirus programs manager for ICSA Labs, blames the increase in costs on worms such as Code Red and Slammer, which require significant cleanup and patch deployment after an infection. "This takes considerable IT resources," Bridwell says.

The good news, he says, is that companies are better defending themselves against mass-mailer viruses such as LoveLetter, which infected systems worldwide in 2000. "Large companies are using more antivirus software on their desktops, servers, and along their E-mail gateways," he says. More companies also are blocking potentially malicious file attachments.

That's not stopping virus writers from trying to infect unsuspecting users. Last week, the Ganda.A worm was unleashed. It exploits interest in the Iraq conflict by promising U.S. "spy pics" to trick users into opening the E-mail and infecting themselves.
