The very nature of “zero day” exploits is that your virus scanner would show that you were clean both before and after being infected.
It’s not until your anti-virus software provider updates their virus databases and you take that update that your scanner knows what to look for.
Yes, that means you may still be infected.
Let’s go through the timeline that got you here.
There are security vulnerabilities in Windows (and all operating systems) that have not yet been discovered.
If no one knows about them, then it’s not an immediate threat — hackers can’t exploit things they don’t know about.
Not infrequently, a “good guy” will discover a vulnerability, but keep it a secret so malware authors don’t find out about it and start to exploit it. Instead, the “good guy” contacts Microsoft and tells them about the issue, so a fix can be made available before the vulnerability becomes general knowledge.
Quite often, as a not-so-subtle form of encouragement to fix the problem, the reporter will indicate that he or she will make the details public within a certain amount of time. For example, Microsoft might be given 90 days to release a fix for the vulnerability.
That’s if one of the good guys finds it first.
If a malware author discovers the problem and releases malware that exploits it, then systems can become infected before anti-virus software providers can update their databases and release the update to their users.
If malware exploiting a specific vulnerability is discovered “in the wild” before a fix for that vulnerability is available, then Microsoft has zero days to fix the problem. Hence, it’s called a “zero day” exploit, vulnerability, or attack.
The zero-day timeline
Let’s look at the timeline a little more closely.
Vulnerability Introduced: 99 times out of 100, this is a simple programming error or oversight that could quite literally have happened years ago. The problem could have existed the entire time, but again, if no one knows about it, there’s no one to exploit it, so it remains benign.
Vulnerability Discovered by Hackers: once discovered, the race is on. Hackers try to keep the nature of the issue to themselves for as long as possible, so as to delay any fix.
This begins what I’m calling the Window of Complete Vulnerability: there’s a bug, there is malware that exploits it, anti-malware software does not yet detect it, and there is no fix for it. Beyond general precautions (not opening attachments or running downloads you don’t trust), there’s little you can do that targets this specific hole, because nobody defending your machine knows it exists yet.
Malware Exploiting Vulnerability Discovered: at some point, the existence of the problem becomes public knowledge, usually by finding and reverse engineering malware that exploits it.
Anti-malware Detection Updated: as new malware is discovered, anti-malware tool vendors add signatures for it to their databases. This is why it’s so critical you keep your anti-malware databases as up to date as possible. Without the latest updates, your scanners will not know how to detect the latest threats, and a scan that reports “clean” tells you only that nothing the scanner already knows about was found.
This begins what I call the period of Partial Vulnerability. Some of the malware making use of the exploit can now be detected and blocked by anti-malware tools. This is only partial safety: the vulnerability still exists, and there is no fix for it. New malware will be written making use of the same vulnerability, attempting to stay one step ahead of the anti-malware vendors.
Vulnerability Fixed: at some point, Microsoft releases a patch that fixes the problem. Systems updated to include the fix are now safe from that particular vulnerability; malware that attempts to exploit it on those systems will fail. Note what the patch does not do: it closes the door, but it does not evict anything that already came through it. A machine infected before the patch stays infected until the malware is actually removed. This is why it’s so important to make sure your operating system is updated regularly, in addition to keeping your anti-malware databases up to date.
Like I said, it’s a race. In the best cases, Microsoft has some time to release a patch to prevent a vulnerability from being exploited.
Unfortunately, it’s all too common that they have zero days to do so.
If you find yourself in the situation described by our questioner, I have some suggestions:
- Restore your computer to a backup image taken prior to the infection.
- If you don’t have a backup, try System Restore to a restore point taken prior to the infection. This isn’t guaranteed: System Restore rolls back system files, the registry and installed programs, not your documents, so malware that lives in a downloaded file survives it. Depending on the specific malware involved, it might help.
- Check with your anti-malware tool vendor immediately, or at least force an update of the database and perform a full anti-malware scan. Keep updating that database regularly — I recommend daily. Most tools will do this automatically, several times a day; make sure that automatic update is turned on and actually succeeding.
- If you can figure out what it was that caused the infection … well, don’t do that again.
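The steps above (check the scanner’s database, force an update, run a full scan, confirm the operating system is patched, and see what restore points exist) can be driven from a single script on Windows. The following is an added example, not part of the original article; it assumes Windows 10 or 11 with Microsoft Defender Antivirus as the active scanner and an elevated PowerShell session. Other anti-malware products expose their own commands; the sequence of steps is what matters, not these particular cmdlets.

```powershell
# Added example (not from the original article): post-infection triage on Windows
# using Microsoft Defender's built-in cmdlets. Assumptions: Windows 10/11,
# Microsoft Defender Antivirus is the active scanner, session runs as Administrator.
#Requires -RunAsAdministrator

# 1. How stale are the signatures? An old database is exactly the gap the article
#    describes: the scanner cannot flag what it has never been told about.
$status = Get-MpComputerStatus
"Signature version : $($status.AntivirusSignatureVersion)"
"Signature updated : $($status.AntivirusSignatureLastUpdated)"
"Signature age     : $($status.AntivirusSignatureAge) day(s)"
"Real-time protect : $($status.RealTimeProtectionEnabled)"

if ($status.AntivirusSignatureAge -gt 1) {
    Write-Warning "Signatures are more than a day old; a recent 'clean' result means little."
}
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning "Real-time protection is off; malware sometimes disables it."
}

# 2. Force a signature update before scanning; stop if the update itself fails,
#    because scanning with stale signatures would give false confidence.
Update-MpSignature -ErrorAction Stop

# 3. Full scan. A quick scan skips exactly the odd locations an implant may use.
Start-MpScan -ScanType FullScan

# 4. Anything detected, now or earlier? Most recent first.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize

# 5. Is the operating system itself current? The ten most recent installed updates.
#    A patch stops future exploitation; it does not remove an implant already present.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 6. Restore points available if the scan cannot clean the machine.
#    CreationTime is a WMI date string, so convert it to a readable DateTime.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. The full scan is the slow part and runs in the foreground; the detection list afterwards shows both what this scan found and anything Defender caught earlier, which is often the first solid clue to how the machine was infected.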
It’s all about the race between anti-malware tools, hackers, and software vendors.
Occasionally, it’s we who lose.