Zero-Day Attack
A type of attack that exploits a recently publicized vulnerability or security loophole before program vendors or the security community are able to develop a patch for the vulnerability.
The period between the public announcement of a vulnerability and the first release of a patch fixing the vulnerability is also sometimes referred to as "zero hour" – even if the actual timespan is longer than an hour.
Dealing With Zero-Day Attacks
A zero-day attack can be very destructive, as vulnerable systems generally have few defenses against it. Even after a patch becomes available (and the attack is no longer technically a 'zero-day' attack), it is often still effective, as there may be a significant time lag before most companies or home users actually install the patch on a vulnerable machine.
Because attackers are highly likely to target a publicly announced vulnerability, many security researchers will work quietly with vendors to create and release a patch for a vulnerability before releasing the news to the general public.
Zombie
A computer system or server that is connected to the Internet and has been infected with specialized malware - a bot - that allows an attacker to use the machine's resources.
Technically, a bot is simply a program that performs repetitive tasks. A malicious bot, however, is one that an attacker introduces into a computer for nefarious purposes. Once the bot program has been installed on the victim machine, the infected computer itself may be referred to as a bot or zombie.
Malicious bots are typically spread in deceptive files over the Internet and over Instant Messaging (IM) networks. They may also be spread as part of a Trojan's payload. Some Trojans are also effectively bots themselves, as they perform essentially the same functions.
Zombies in Botnets
At one time, bots were typically used by attackers to attack a single target machine, or a small handful of them. Nowadays, though, a bot-infected system is almost always harnessed into a botnet, a collection of similarly infected machines.
The individual bot or zombie in a botnet is under the direct control of the botherder, an attacker or group of attackers who can issue commands to the entire botnet, or to an individual bot in the botnet. The instructions are often issued via a Command and Control (C&C) server, though more sophisticated botnets use a type of peer-to-peer structure to transmit instructions.
The collective resources of the botnet can be used to perform a variety of malicious actions, including:
- Launching DDoS attacks
- Sending out spam
- Storing illegal data
The unfortunate victim whose machine has been infected almost always has no idea what their computer is being surreptitiously used for.
As unpatched machines are highly susceptible to zero-day attacks, keeping up to date with the latest patches for every installed application is a strongly recommended security precaution.
Zoo
A collection of malware held by an antivirus vendor or security researcher in a laboratory setting and used only for testing purposes.
The malware collection may also serve as an archive, as it will often contain programs that are no longer circulating outside the laboratory. It may or may not contain current malware.
As part of their product testing procedures, most antivirus vendors will measure the effectiveness of their security products in identifying and blocking both in-the-wild and zoo malware.
See also: WildList.