A Zero-Day threat (sometimes called a zero-hour threat) is malware that hasn’t been encountered before, and consequently doesn’t match the signatures of any known malware families. Zero-day threats typically attempt to exploit hardware, firmware, or software vulnerabilities (often called zero-day vulnerabilities). However, they may also be delivered via social engineering ploys like malspam or phishing campaigns, or may even utilize a combination of the two.
The novelty of a zero-day threat makes it near-impossible for traditional signature-based analysis methods to detect. Signature analysis is only effective against known malware families that have already succeeded in infecting at least one (and very likely many more) systems: only after a sample has been captured and analyzed can security researchers distribute a signature profile for that family for antivirus software to recognize.
Complicating matters further, some sophisticated malware families include built-in evasion techniques, and context-aware malware can detect the artifacts of a sandbox, or even exploit weaknesses or gaps in sandbox technology. Since sandboxes are frequently employed precisely in an effort to detect zero-day threats, such evasion undermines one of the main defenses against them.
That said, recent agentless, hypervisor-based sandbox approaches combined with intelligent monitoring methods have proven able to reliably circumvent these evasion techniques and detect zero-day threats where traditional signature-based, static analysis, system emulation, and hooking-based methods have failed.
How a Zero Day works
Many malware authors rely on identifying previously unknown vulnerabilities in hardware, firmware, or software, and then write malware programs designed to exploit any vulnerabilities they discover.
While the vulnerabilities these malware authors aim to exploit may be unknown, the authors still frequently rely on proven, conventional distribution methods to spread their creations. The most common methods, for example, involve enclosing seemingly ordinary, benign-looking attachments or URLs with the exploit embedded inside. Once a user interacts with the attachment or link, the malware payload is dropped and can then proceed to exploit the target vulnerability.
Once cybersecurity specialists have identified and patched a vulnerability, it’s no longer called a zero-day exploit. Unfortunately, such attacks may not be directly visible in the days following detonation or deployment, and it may take months or, even in some cases, years before organizations, developers, or network administrators discover (and patch) exploitable vulnerabilities.
While impossible to detect using traditional signature-based methods, zero-day threats can be relatively easy to spot using certain dynamic and interactive malware analysis methods, and they can then be safely removed before they have a chance to damage a target system or network. However, some of these methods can be more time-consuming and may rely on human intervention.
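The contrast drawn above between signature matching and dynamic (behavioural) analysis can be made concrete in a small triage pipeline. The following is an added example written for this page, not code from the original article or from any vendor product: the "known" sample, its hash and byte-pattern signature, the repacked variant, the behaviour rules and the sandbox trace are all constructed inline. It shows that a variant whose strings are merely re-encoded no longer matches either the file hash or the byte pattern, while the same behaviour observed in a dynamic trace (dropping an executable, installing a service, connecting outbound) still pushes it over an alert threshold.

```python
"""Why signature matching misses a novel sample while behavioural analysis
can still flag it. Every sample, signature and trace here is constructed
for the example; the family name and rule weights are assumptions."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Signature side --------------------------------------------------------
# A constructed sample that was "captured and analysed" earlier, and the kind
# of signature a vendor might then publish: its file hash plus a byte pattern.
KNOWN_SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"INSTALL_SVC\x00" + b"\x90" * 4 + b"CONNECT_C2\x00" + b"c2.example\x00"
)
KNOWN_HASHES = {sha256_hex(KNOWN_SAMPLE): "Fam.Dropper.A"}
KNOWN_PATTERNS = {
    "Fam.Dropper.A": re.compile(rb"INSTALL_SVC\x00.{0,32}CONNECT_C2", re.DOTALL),
}


def signature_scan(data: bytes):
    """Return the matching family name, or None if no signature matches."""
    family = KNOWN_HASHES.get(sha256_hex(data))
    if family:
        return family
    for family, pattern in KNOWN_PATTERNS.items():
        if pattern.search(data):
            return family
    return None


def obfuscate_strings(data: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for a repacked variant: the 12-byte header is kept
    and the string section is XOR-encoded, so neither hash nor pattern matches."""
    header, strings = data[:12], data[12:]
    return header + bytes(b ^ key for b in strings)


# --- Behaviour side --------------------------------------------------------
# A dynamic-analysis trace is modelled as a list of (api_name, argument) events.
# Rules: (name, api to look for, regex over the argument, weight).
BEHAVIOUR_RULES = [
    ("persistence-run-key", "RegSetValue", r"\\CurrentVersion\\Run\\", 3),
    ("service-install", "CreateService", r".", 3),
    ("outbound-c2", "InternetConnect", r".", 2),
    ("drops-executable", "WriteFile", r"\.(exe|dll)$", 2),
]
ALERT_THRESHOLD = 5  # assumed tuning value


def behaviour_score(trace):
    """Score a trace against the rules; returns (score, [names of rules that fired])."""
    score, hits = 0, []
    for name, api, arg_re, weight in BEHAVIOUR_RULES:
        if any(ev_api == api and re.search(arg_re, ev_arg) for ev_api, ev_arg in trace):
            score += weight
            hits.append(name)
    return score, hits


def triage(data: bytes, trace):
    """Layer the two methods: signatures first (cheap, exact), behaviour second."""
    family = signature_scan(data)
    if family:
        return ("known", family)
    score, hits = behaviour_score(trace)
    if score >= ALERT_THRESHOLD:
        return ("suspicious-unknown", hits)
    return ("clean", [])


# Constructed trace: what a sandbox run recorded for either build of the dropper.
DROPPER_TRACE = [
    ("WriteFile", r"C:\Users\Public\updater.exe"),
    ("CreateService", "UpdateSvc"),
    ("InternetConnect", "c2.example:443"),
]

if __name__ == "__main__":
    variant = obfuscate_strings(KNOWN_SAMPLE)
    print(triage(KNOWN_SAMPLE, DROPPER_TRACE))  # caught by the hash signature
    print(triage(variant, DROPPER_TRACE))       # signature miss; behaviour catches it
```

The pattern signature is deliberately looser than the hash (it tolerates up to 32 bytes between the two strings), which is why a trivially padded copy is still caught, but the XOR-encoded variant is not: it shares no byte sequence with the published signature and only its observed behaviour gives it away. That is the gap the dynamic and hypervisor-based methods discussed above exist to close.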