Latest Mydoom virus may signal dreaded 'zero day' attack

The latest version of the Mydoom virus suggests to security experts that a much-anticipated "zero day" attack may have already arrived.

"Zero day" refers to an exploit, either a worm or a virus, that arrives on the heels of, or even before, the public announcement of a vulnerability in a computer system. This week's version of Mydoom appeared only two days after a security flaw in Windows Internet Explorer was made public by two hackers, according to reports.

What's different about this version of the virus is that instead of attaching itself to an e-mail as an executable program, it appears instead as a Web link within the text of an e-mail message. Clicking on the link will direct a person's browser to another Web site that will exploit an IFrames vulnerability in Internet Explorer and thereby infect that person's machine.

"Up until today, every worm that came out had a fix and that fix was out there for some time," said Stuart McClure, president and chief technology officer of Foundstone Strategic Security in Mission Viejo, Calif.

McClure suggests that it will be only a short time before a worm or virus appears exploiting an unknown vulnerability with no mechanism to fix it. The time difference between when security vulnerabilities become known and exploits are created to take advantage of those flaws has been shrinking for some time. Two years ago, that time difference was somewhere between four and six weeks.

"For the first six months of this year, [that difference] was about 5.8 business days, and in this most recent case, it was just two days," said Alfred Huger, senior director of engineering at Symantec Corp. in Calgary, Alberta. "The problem is that it is extremely difficult for a vendor to put out a patch in that short of a time."