The very nature of “zero day” exploits is that your virus scanner would show that you were clean both before and after being infected.
It’s not until your anti-virus software provider updates their virus databases and you take that update that your scanner knows what to look for.
Yes, that means you may still be infected.
Let’s go through the timeline that got you here.
Become a Patron of Ask Leo! and go ad-free!
What's a 'Zero-Day' Attack?
A zero-day attack is malware discovered “in the wild” that leverages a known but as yet unfixed vulnerability in software. Typically, anti-malware tools are unaware of the malware and/or the vulnerability. The term comes from having “zero days” to fix it before damage can occur.
There are undiscovered security vulnerabilities in Windows (and in all operating systems).
If no one knows about them, it’s not an immediate threat. Hackers can’t exploit what they don’t know.
Who discovers the vulnerability first is important.
Discovery by “the good guys”
When a good guy discovers a vulnerability, they often keep it a secret so malware authors can’t start to exploit it.
Instead, they contact Microsoft privately, informing them of the issue so a fix can be distributed before the vulnerability becomes general knowledge.
They sometimes indicate that details will be made public after a certain amount of time. This is intended as an incentive for Microsoft to resolve the issue. For example, they might give Microsoft 90 days to release a fix.
Discovery by “the bad guys”
If a malware author or hacker discovers the vulnerability, they also try to keep it secret so Microsoft doesn’t learn about and fix it. Instead, they release malware exploiting the vulnerability so they can infect systems before anyone knows.
If malware exploiting a vulnerability is discovered “in the wild” before a fix is available, then Microsoft has zero days to fix the problem. Hence, it’s called a “zero-day” exploit, vulnerability, or attack.
The vulnerability timeline
Let’s look at the timeline a little more closely.
Vulnerability Introduced. 99 times out of 100, this is a simple programming error or oversight that could have happened years ago. If no one knows about it, there’s no one to exploit it, so it remains benign.
Vulnerability Discovered by Hackers. Once discovered, the race is on. Hackers try to keep it to themselves for as long as possible so as to delay any fix.
This begins what I call the Window of Complete Vulnerability: there’s a vulnerability, there is malware exploiting it that anti-malware software cannot yet detect, and there is no fix. There’s little you can do.
Malware Exploiting Vulnerability Discovered. At some point, the existence of the problem becomes public knowledge, usually when someone finds and reverse-engineers the malware.
Anti-malware Detection Updated. As new malware is discovered, anti-malware tool vendors add information to their databases so the program can detect it. This is why it’s so critical to keep your anti-malware databases as up to date as possible. Without the latest updates, your scanners will not know how to detect the latest threats.
This begins what I call the period of Partial Vulnerability. The malware can now be detected and blocked by anti-malware tools. This is only partial safety, though, because the vulnerability in the operating system has not yet been fixed. New malware will be written making use of the same vulnerability, attempting to stay one step ahead of the anti-malware vendors.
Vulnerability Fixed. At some point, Microsoft releases a patch fixing the underlying problem and removing the vulnerability. Systems that take the update including the fix are now safe. Malware attempting to exploit the vulnerability on those systems will fail. This is why it’s important to make sure your operating system is updated regularly.
It’s a race. In the best case scenario, Microsoft has time to release a patch to prevent a vulnerability from being exploited.
Unfortunately, it’s common they have zero days to do so, because the vulnerability is already being maliciously exploited.
If you find yourself in this situation:
- Restore your computer to a backup image taken before the infection.
- If you don’t have a backup, try a system restore to a point prior to the infection. This isn’t guaranteed, but depending on the specific malware involved, it might help.
- Check with your anti-malware tool vendor immediately. Update the tool’s database and perform a full scan. Keep updating regularly; I recommend daily.
- If you can, figure out what you did to allow the infection, and if possible, don’t do it again.
- Take system updates regularly in the hopes that the vulnerability will be resolved quickly.
It’s all about the race between anti-malware tools, hackers, and software vendors.
Occasionally, it’s the users who lose.
If you found this article helpful, I'm sure you'll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I'll see you there soon,