Zero-day virus/malware/exploit:relevant for common user or not?

many times i see ppl talking about importance & effectiveness of HIPS or behavior blocking in dealing with 0-day threats & sometimes consider them even more important than virus/malware protection based on signatures/engines.as i understand it a 0-day threat is only good for first time because after that it is in the open so to maximize returns the targets of such 0-day threats certainly can't be a general user.in today's time where many AV updates hourly does the hype about HIPS/behavior blocking dealing effectively with 0-day threats is worth it or not because in my opinion it isn't.

P.S.i am not arguing against HIPS/Behavior Blocking but just 0-day threats in general.

 

Most people are infected through user error (running a trojan themselves in some way), or through exploits that have long been patched (often years ago.)

It turns out malware authors are lazy, which is fair enough given that most users are also lazy. All those unpatched XP machines, with outdated versions of Java, Adobe Reader, and Flash... these are the PCs that are consistently infected by the various exploit kits. Java is the big one - not helped by the incompetent auto-update mechanism which I've always found has left multiple vulnerable versions of Java on infected machines.

I would like to think most people on these forums are immune to the most common sources of infection.

 

Malware authors aren't lazy... they're cost effective.

If 50% of users are running an out of data Java plugin you don't need to use a 0day on them.

0days are very valuable. You can sell particular 0days on the black market for hundreds of thousands of dollars. There's no reason to waste it on users when you can just as easily get the majority of them with old vulnerabilities.

The reason people worry about 0days is because it's were most Windows protection fails. Flash 0days used to be more common a year or two ago and Java 0days aren't uncommon now but you won't get 0day kernel exploits used on users very often because something like that can either be:
1) Sold for tons of money
2) Used to compromise way bigger targets

It's just a business - not stupidity or laziness.

User security is often just a matter of not being the slowest gazelle so to speak. Time is money and it's a lot easier and faster to go for the XP SP2 user who runs out of date software than the guy on Windows 7 running EMET and fully patched.

 

0-day or not, effectively they're still malware. Regardless of whether you're a common user, an expert, or one of the big targets; it's still up to the admin to evaluate the various options (HIPS, AV, etc) taking into account several factors such as (but not liimited to) computing environment (work purposes, home use, public use, etc), user skills/knowledge, main threatgates or threat exposure, computer horsepower, etc.

In short, they've to evaluate cost to benefit ratio and based on that, decide which route to take in dealing with the problem; be it HIPS or AV. Leave the 'hype' aside and decide based on what best suits the systems being managed

That's my opinion btw.

 

It was pretty clear that I was being tongue-in-cheek about laziness.

Actually, the real truth is that most malware authors aren't skilled enough to be coming up with zero-days themselves. They repackage old exploits developed or reported by others, and keep changing things just enough to keep fooling the detections of the major antivirus vendors.

Contrary to what Hungry Man says, Flash Exploits have been relatively uncommon for the average user for quite some time. Even in 2011 when two zero-day exploits were found in April (and quickly patched), they were mainly targeted at Korea (using specially crafted Microsoft Office documents sent via email) and consequently most of the detected infections were in Korea. They relied on social engineering to infect users ("please open our documents about the Fukushima Daiichi nuclear disaster") rather than occurring as a drive-by-download from a website. Basic security awareness - don't open unknown attachments from unknown users - would have been sufficient to prevent this infection.

The average user was far more likely to be infected by a fake Flash Update (trojan), than they were by an actual Flash Exploit. A good example of this was the 600,000+ Mac users who got infected by trojan Flashback - ironically made possible through a vulnerability in Java. I've seen examples of other fake Flash Update trojans as well, such as one designed to infect Windows users in South America.

Looking through the statistics of infections from exploit kits over the past few years - the most common and vulnerable target is:

1. Windows XP (not SP3)
2. Internet Explorer (versions 6-8 )
3. Java (out of date)
4. Adobe Reader (out of date)

Few exploit kits even bother targeting flash - the most common exploit kit, Blackhole, certainly doesn't last I checked. When they do, it's usually an old exploit like CVE-2010-2884 (e.g. TechnoXPack exploit kit.)

 

You make an excellent point. I have had customers call me in the last few months asking if our software was compatible with XP SP3. More recently I have received a lot of calls asking if we were compatible with Windows 7. It's tempting to ask "You're kidding, right?" as we are currently testing Windows 8 compatibility. And almost all of them have outdated Java plugins. Almost every single one of them. Most of us would never be a target when people like that are so easy to get.

 

I have been using ESET for last 1 year, HIPS is disabled, haven't had any infection !!
Still it is a good feature. But most of the time it is a pain in the ~ Snipped as per TOS ~ for average user, I remember when i installed EAM on my client's PC, and he was like " Get this ~ Snipped as per TOS ~ out my PC. showing popup for every single thing I run"!!!LOL

 

I think zero-days are not that big of a threat for common user. In all my years of fixing computers for family, friends.... I came across 0-day only once. It was Sasser, before MS patched the system. All other infections were result of bad judgement made by user (clicking on something they shouldn't, installing programs they didn't know...).

For common user most important thing security wise is education. Knowledgeable user with safe computing habits can hardly get infected. Add updating OS and apps to that and user is more or less safe. AVs, HIPS, sandboxes etc. are not that important when it comes to security of "common" user.