Since yet another zero-day* vulnerability in Adobe Flash was announced yesterday, it seems appropriate to explain how ThreatSTOP subscribers are protected against zero-day attacks on both client and server computers.

Typically a zero-day attack installs (or tries to install) some kind of malware on the computer and then, once that malware is running, either uses the computer as a bot or searches it for sensitive data to send to the attacker. In either case the malware has to "call home" to its operator via a C&C (command and control) server somewhere.

ThreatSTOP can protect against both the download and the "call home". We protect against the download because many of the servers used to host the malware are in our ThreatList, so access to them is blocked at the firewall. Because the block is by IP address, it is immaterial whether the attacker tries to disguise the download with a non-standard port, encryption, or both: the connection never completes regardless of what would have been carried over it. The blocked download attempt also appears in the firewall log, so IT staff can check whether the computer was actually infected.

If that doesn't work - and it may not, since sometimes the malware is injected directly during the attack rather than fetched from a hosting server - then our second line of defense is the "call home". The number of C&C servers active at any one time is comparatively small and, while they change daily, the various honeypots that feed into the ThreatList keep us updated on which ones are current. Our ThreatList is updated every 2 hours and contains the C&C servers known to be active at that time. Hence a compromised computer inside a ThreatSTOP-protected network that tries to call home to a listed C&C server will find the call blocked. Furthermore the blocked attempt is logged, so IT staff can identify the compromised computer and remove the malware.
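The two defences above both end in the same place: a firewall log entry that IT staff must turn into a triage decision. The following Python script is an added example, not ThreatSTOP code or its feed format: it applies a small constructed threat list (IPs and one CIDR block) to constructed iptables-style log lines and groups the hits by internal host, separating outbound "call home" attempts (internal host talking to a listed address, which means the host should be checked for malware) from inbound attempts (a listed address talking to an internal host, which covers the download or attack side). It also flags contacts with a listed address that were not dropped, which is what an earlier log looks like when the address was added to the list after the fact; re-running the current list over older logs finds those. The log format, field order and all addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed threat list for the example (documentation ranges only, not a real feed).
THREATLIST = ["198.51.100.23", "203.0.113.0/24", "192.0.2.77"]

# Constructed firewall log in an assumed iptables-like format. The 08:55 line models a
# call home that was ACCEPTed before 203.0.113.0/24 was added to the list.
SAMPLE_LOG = """\
Jan 12 08:55:10 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.9 PROTO=UDP SPT=39990 DPT=53
Jan 12 10:00:00 fw sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 50122
Jan 12 10:01:03 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.23 PROTO=TCP SPT=51234 DPT=8443
Jan 12 10:01:09 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP SPT=51235 DPT=443
Jan 12 10:02:41 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.22 DST=203.0.113.9 PROTO=UDP SPT=40001 DPT=53
Jan 12 10:03:17 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.15 DST=198.51.100.23 PROTO=TCP SPT=51240 DPT=8443
Jan 12 10:04:02 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.77 DST=10.0.0.40 PROTO=TCP SPT=443 DPT=3389
"""

# Field order is fixed by the assumed log format above.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\s+IN=(?P<in>\S*)\s+OUT=(?P<out>\S*)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def load_threatlist(entries):
    """Parse IP and CIDR strings into network objects; a bare IP becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def threat_match(ip_str, nets):
    """Return the threat-list network containing ip_str, or None if it is not listed."""
    ip = ipaddress.ip_address(ip_str)
    for net in nets:
        if ip in net:
            return net
    return None


def parse_line(line):
    """Extract the connection fields from one log line; None for lines of other shapes."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def _new_entry():
    return {"hits": 0, "unblocked": 0, "servers": set(), "ports": set()}


def triage(log_text, nets):
    """Group contacts with listed addresses by the internal host involved.

    call_home: internal SRC -> listed DST (host should be checked for malware).
    inbound:   listed SRC -> internal DST (download/attack delivery toward the host).
    'unblocked' counts contacts that were not DROPped, i.e. got through before the
    address reached the list; these deserve the same follow-up as the blocked ones.
    """
    report = {"call_home": defaultdict(_new_entry), "inbound": defaultdict(_new_entry)}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if threat_match(rec["dst"], nets) is not None:
            entry = report["call_home"][rec["src"]]
            entry["servers"].add(rec["dst"])
        elif threat_match(rec["src"], nets) is not None:
            entry = report["inbound"][rec["dst"]]
            entry["servers"].add(rec["src"])
        else:
            continue  # neither side is on the list; normal traffic
        entry["hits"] += 1
        entry["ports"].add(rec["dpt"])
        if rec["action"] != "DROP":
            entry["unblocked"] += 1
    return {kind: dict(hosts) for kind, hosts in report.items()}


def summarize(report):
    """Render the triage result as one line per internal host, worst first."""
    lines = []
    for kind in ("call_home", "inbound"):
        for host, e in sorted(report[kind].items(), key=lambda kv: -kv[1]["unblocked"]):
            lines.append(
                f"{kind:9s} {host:15s} hits={e['hits']} unblocked={e['unblocked']} "
                f"servers={sorted(e['servers'])} ports={sorted(e['ports'])}"
            )
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG, load_threatlist(THREATLIST))):
        print(line)
```

Note that the 10.0.0.15 traffic to 93.184.216.34 on port 443 is ignored even though it is encrypted web traffic, while the 8443 connections to a listed address are flagged without any inspection of what they carry; port and encryption play no part in the decision, only the address does.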

Adding a ThreatSTOP subscription to your firewalls is a cost-effective way of sharply reducing your exposure to zero-day attacks. We cannot, of course, guarantee to block every zero-day attack, but we will block most of them, and we do so without interfering with other controls such as deep packet inspection devices.

*A zero-day vulnerability, for those who don't know the term, is one where attackers exploit a bug in a piece of software that was hitherto unknown to the software's developers and thus has no patch that can be applied to remedy it. (See Wikipedia for more.)