Computer attacks that target undisclosed vulnerabilities are more common and last longer than many security researchers previously thought. The finding comes from a new study that tracked the number and duration of so-called zero-day exploits over three years.

The typical zero-day attack, by definition, exploits software flaws before they are publicly disclosed. It lasts on average 312 days, with some lasting as long as two and a half years, according to the study by researchers from antivirus provider Symantec. Of the 18 zero-day attacks the researchers found between 2008 and 2011, 11 of them previously went undetected. Recent revelations that the Stuxnet malware that sabotaged Iranian nuclear facilities relied on five zero days already underscored the threat posed by such attacks. But the researchers said their findings suggest the menace may be even greater.

"Zero-day attacks are difficult to prevent because they exploit unknown vulnerabilities, for which there are no patches and no anti-virus or intrusion-detection signatures," they wrote. "It seems that, as long as software will have bugs and the development of exploits for new vulnerabilities will be a profitable activity, we will be exposed to zero-day attacks. In fact, 60 percent of the zero-day vulnerabilities we identify in our study were not known before, which suggests that there are many more zero-day attacks than previously thought—perhaps more than twice as many."

Researchers Leyla Bilge and Tudor Dumitras conducted a systematic study that analyzed executable files collected from 11 million computers around the world from February 2008 to March 2012. Three of the zero-day exploits they found were disclosed in 2008, seven were disclosed in 2009, six were disclosed in 2010, and two were disclosed in 2011. (The binary reputation data the researchers relied on prevented them from identifying attacks in 2012.) An attack on many versions of Microsoft Windows, which appears to have gone undetected as a zero day until now, had the shortest duration: just 19 days. An exploit of a separate security bug in the Windows shell had the longest duration: 30 months.

Of the 18 attacks studied, 15 targeted 102 or fewer of the 11 millions hosts that were monitored. Eight of the exploits were directed at three or fewer hosts. The data confirms conventional wisdom that zero-day attacks are typically reserved for high-value targets. Of the remaining three attacks, one was exploited by Stuxnet and another was exploited by Conficker, the virulent worm discovered in 2008 that has infected millions of computers (and reportedly continues to do so). The Stuxnet and Conficker exploits targeted 1.5 million and 450,000 hosts respectively. The results, the researchers said, demonstrated the dividends returned by zero-day exploits, which can command prices as high as $250,000.

"For example, Conficker exploiting the vulnerability CVE-2008-4250 managed to infect approximately 370,000 machines without being detected over more than two months," they wrote. "This example illustrates the effectiveness of zero-day vulnerabilities for conducting stealth cyber attacks."

The researchers cautioned that their method of collecting executable files had significant limitations, causing it to miss 24 zero-day attacks tracked by Symantec's own Internet Security Threats Report over the time period studied. They attributed the undercount to several causes: Web-based attacks such as XSS (cross-site scripting) exploits; polymorphic malware, which generates different cryptographic hashes for the same exploit; and attacks embedded in PDF documents or other types of non-executable files.

Surprisingly, the number of attacks only grew once zero-day attacks became public knowledge—by margins of two- to 100,000-fold. The number of attack variants also rose, with 183 to 85,000 more variants detected each day. One possible cause of the surge in new files, the researchers said, is that the exploits may have been repackaged versions of the same attack.

"However, it is doubtful that repacking alone can account for an increase by up to five orders of magnitude," they wrote. "More likely, this increase is the result of the extensive re-use of field-proven exploits in other malware."