Zero Tolerance on Day Zero

August 31, 2004

Blaster, MyDoom, Netsky, Sasser – all of these names have resonated not only in the IT press but also in the mainstream media. Malicious software – worms or viruses – is big news. What is more, they seem to keep coming ever more quickly and with increasingly alarming effects reported.

The British Coast Guard, Deutsche Post, Australian Railways and Goldman Sachs were all reportedly major victims of Sasser – bringing a number of major infrastructure networks down. MyDoom.O hit machines in late July and over a million of copies were circulating within a day of its first appearance. The Google search engine was amongst those brought down by it as it sought to use it to harvest more e-mail addresses.

Whilst the figures for the economic damage done by malicious code are essentially “guestimates” to be treated with great caution – there is little doubt these infections are both time-consuming and expensive to deal with. It is also certain that they are the most common type of security breach suffered by businesses. The UK‘s DTI Security Breaches Survey 2004 confirmed – “Anti-virus alone is not enough”. 93% of British businesses have anti-virus software – yet around half reported an infection last year. The US FBI/CSI Survey 2004 paints a similar picture – with 78% receiving an infected e-mail or file – slightly higher than the 72% reported in the UK.

Although nearly all businesses use anti-virus software, roughly ¾ can expect to receive malicious code in a given year – and roughly 2/3 of those will result in successful infection. There have already been even more widespread infections this year than there were last year so we have a pretty grim situation! Let us examine how this situation came about and what we can do about it.

What is Day Zero?

Day Zero is the day that a new malicious code appears on the Internet. The problem facing users and system administrators is that when a new threat appears they often have no defence other than trusting to luck. This cannot be right and would not be accepted in almost any other situation dealing with mission-critical systems.

Day Zero has existed since the first computer virus was written. However it used to be much less of a problem than it is today.

Not so long ago data was largely shared between PCs and closed networks by physical means – transported via floppy disks for example – so the speed with which viruses could spread was limited by the time it took to share a floppy. The anti-virus software industry developed to deal with such problems – identifying a new threat and writing a signature file to prevent infection. This would then be sent out to clients – perhaps in a weekly or monthly update. Whilst timing was to some extent important, by today’s standards the speed with which an infection could spread a snail’s pace. The Internet changed all that.

Like every information-based business, the legal profession has taken to the Internet – and it is now a mission critical business tool. However, along with interconnected computers comes an increased threat from malicious software. Just as legitimate software or data files can be shared instantaneously so too can malicious code. Added to that the increased power and complexity of operating systems and applications, in particular from the ubiquitous Microsoft, means that there are large targets with numerous vulnerabilities built in.

This all means that when a vulnerability in (say) Microsoft XP or Explorer is identified and a patch issued the announcement acts like a starting pistol for virus writers to create a successful worm to exploit the hole – and the time taken to generate the exploiting software is getting ever shorter.

This increased efficiency is probably partly due to a clear association between some virus writers and commercial e-mailers (ie spammers). Spammers use malicious code to create an army of compromised “zombie” machines to help them spread their invidious wares.

Many commercial systems remain, often with good reason, unpatched before the worm appears on Day Zero. Increasingly complex application software needs to be tested with the new patch before a roll out occurs as a clash between the patch and the software might do more harm than the potential vulnerability. Their administrators then have to trust to luck that the worm does not reach their network before their anti-virus vendor has updated their signature files and that has then been rolled out on their machines.

How Do Worms Spread?

The two most common ways used to spread malicious code are by mass mailing e-mail or by browsing or in some other way connecting with infected machines.

Mass mailing worms – such as Melissa and MyDoom – typically seek out e-mail addresses on a host and send themselves to the contacts found. They also “spoof” the senders e-mail address to try to conceal which machine is infected. A recipient might well know the apparent sender – and so unwittingly open the critical attachment thanks to the social engineering employed in using a real and known e-mail address. Recently MyDoom.O has used search engines to find additional potential recipients – a development that can only lead to ever more quickly spreading viruses.

The second approach – favoured by Sasser and Blaster – is to infect vulnerable machines that are simply attached to the web or that have browsed an infected Web site. This type of worm does not require the user interaction (such as opening a mail attachment) that the e-mail worms generally do and usually target a specific vulnerability identified in Microsoft’s operating systems. When successfully coded and deployed quickly enough after the vulnerability was identified, these worms spread with devastating speed.

Either way, worms rely on succeeding in spreading as quickly and as widely as possible. Organisations can do certain things to mitigate their risk of infection – patch often and quickly, constantly update their anti-virus software, deploy properly configured firewalls and gateway solutions. But the truth is that if they are unlucky they will get infected in any event!

“Anti-virus Alone is Not Enough”

In essence the anti-virus industry has not changed to meet this different type of problem. Whilst it is true that the speed of response has been reduced to hours rather than days or weeks, in the scheme of successful new threat this leaves their clients horribly exposed.

Anti-virus signatures are written to prevent a known threat. Since such technology is by its nature reactive, something that served it well in the days of slow vectors, this means there will always be a time lag before a fix is written. With worms spreading globally online in a few hours, particularly if they first hit when both the US and Europe are at work, this cannot be a security solution one can rely on – at least not without additional countermeasures.

Take the spread of the first MyDoom variant earlier this year. Within the first seven hours of the virus first appearing, e-mail security specialists MessageLabs had intercepted over 150,000 copies. That number would only be a fraction of the number of copies by then in circulation online. Similarly MessageLabs report receiving almost 600,000 copies of MyDoom.O on July 26 2004 – its Day Zero.

Yet seven hours is the average response time for anti-virus companies to write a fix for a new threat – never mind the time it takes to reach the users. It is no wonder that so many businesses were infected as they were relying on a false sense of security provided by anti-virus software.

Alternative Ways to Deal with the Problem

All is not doom and gloom however. There are software companies and service providers who offer alternative, or at least additional, solutions.

For the problem of e-mail worms, one needs a vast resource to identify and block any new threat as soon as it appears. Whilst doing so one could also seek a solution to the ever-increasing problem of spam. Operating such as solution in-house is simply not practical but there are service providers offering a managed solution where clients benefit from the economy of scale that make it possible. All your work e-mail is routed through the service provider and they intercept any malicious code.

The market leader in the legal market and beyond are MessageLabs (, who have an enviable reputation in terms of preventing viruses reaching clients and limiting the number of false positives suffered either with malware or spam. With around 8,500 clients worldwide and enough data centres to handle the volume of mail received, they are well placed to deal with the likely shake out of providers that is anticipated in this market in the next year to 18 months by a number of analysts. Another provider with high profile legal clients is BlackSpider (, again they are developing a competitive reputation although they are smaller and less well established than MessageLabs.

Yet an e-mail solution alone is not enough. It will help deal with the mass mailing worms but not with the Sassers of this world. For these we need to look at desktop/laptop security. Firewalls are vital – but they are not a compete solution as machines and media exposed to the outside world can easily defeat the perimeter approach by bringing the problem in with them. This is the so-called de-perimeterisation of networks.

What is needed is something on the desktop that proactively blocks malicious code, regardless of the vector it used to arrive on the machine.

Let me pose a question. What reason do you have to let your end users add program code to a machine? Or for allowing them to change the operating system? Bringing in and sending out data yes – but altering the machine’s configuration? It is difficult to imagine why they would legitimately want to do so in order to do fee-earning work.

So, unless you really want them to be able to do that, stop them. At the same time, you will prevent malicious code from being loaded onto the machine and block any attempt that it might make to alter critical files or programmes.

The easiest way to do this is to use a program like Reflex DisknetPro (, where the Program Security Guard component gives you this function. DisknetPro is a mature product that has been widely used in the MOD and other sensitive branches of Government for many years. The latest version is now much easier to administer and use in a commercial environment.

Both a managed e-mail service and a more secure desktop provide a low management overhead yet take you way beyond relying on the failed reactive approach currently adopted that just does not work when a new threat appears. Indeed, they will also reduce the pressure on you to ensure that your systems are patched and updated at all costs as soon as possible – putting you back in charge.


Dr John Meakin, Group Head of IT Security at Standard Chartered Bank, summed up the current position well when he said “We have anti-virus tools on the desktop and at the gateway, but they’re scanning for [viruses] they know about. There’s a window of risk if the [virus] code has not been seen before.” In other words – fingers crossed it is not me this time!

A combination of revised desktop security along with a managed e-mail service, together with your existing patching, firewalls and anti-virus software, will give you greatly enhanced levels of protection when the next Day Zero dawns. Then you really will enjoy Zero Tolerance on Day Zero.

Jim Davies is MDsof GPM Security Consultants.