By Jennifer LeClaire TechNewsWorld
05/01/06 10:07 AM PT
Zero-day exploits usually involve so-called drive-by downloads of rootkits that assume remote command and control over the victim's computer to perpetrate crimes such as identity theft, extortion, fraud and espionage.
A new company focused on protecting computer users and businesses against zero-day attacks before exploits hit users' hard drives launched a test version of its first product on Monday.
Exploit Prevention Labs introduced a beta edition of a security application dubbed SocketShield. The software intends to protect Internet users against the growing threat of zero-day exploits that take advantage of unpatched vulnerabilities in Windows operating systems and applications.
"It's simply impossible for application vendors to develop instant fixes for newly discovered exploits," said Roger Thompson, co-founder and CTO of Exploit Prevention Labs. "It takes weeks or months for application vendors to release a patch because it must be thoroughly tested to ensure it doesn't adversely affect the application or any other application that might be installed on the user's system."
Thompson and co-founder Bob Bales are former executives with PestPatrol, an antispyware company purchased two years ago by CA (NYSE: CA).
Protection in Limbo
According to the firm, the distribution mechanism used by so-called zero-day exploits is analogous to a spam distribution network: The originator of the exploit code sets up one server to distribute the code to a network of servers that in turn serve up the exploit code as a drive-by download under the guise of a seemingly innocuous Web page.
Many of these distributors are paid a commission for each download they deliver. In this way, millions of computers can be infected with the exploit in a very short period of time -- hence the "zero-day exploit" moniker.
Unlike traditional malware such as viruses or Trojans that are created by thrill-seeking programmers trying to create chaos, zero-day exploits are part of a growing category of malicious and frequently for-profit applications used by international criminal cyber-gangs. These for-profit exploits seek to take advantage of unpatched vulnerabilities as soon as they are announced.
Closing the Risk Window
Microsoft (Nasdaq: MSFT) and other software vendors require an average of two months, and sometimes up to six months, to develop patches to fix newly discovered vulnerabilities. During this time period, known as "the risk window," Internet users are unprotected against exploits.
In December 2005, for example, the Windows Metafile (WMF) vulnerability was discovered and, within days, cyber-criminals such as the CoolWebSearch gang were distributing drive-by downloads to victims' computers. There even emerged an underground exchange where exploit authors were offering to sell their crimeware code to the highest bidders.
SocketShield is designed to prevent uninvited access to users' computers during the risk window before the permanent patch can be applied.
Picking Apart Conventional Security
Essentially, the program monitors the browser's communications stream and stops known exploits from getting past the browser. Specifically, the SocketShield Correlation Engine aggregates intelligence gained through research, assembles it in real time, and distributes it transparently to users within minutes.
Conventional security solutions are unable to prevent most drive-by downloads, zero-day attacks, and other exploits. Firewalls don't sound the alarm, because exploits infiltrate a system via the user's Web browser connection, the company said.
Antivirus and anti-spyware applications can't protect against exploits because they must wait for the code to hit the hard disk, and by that time most exploits have already executed their payload. Patch management systems can't distribute a patch until the application vendor releases it. Patching as a general practice, while critical, often fails, because it relies on users taking action of their own volition.
Internet Not a War Zone
There is no question that most existing systems today are vulnerable to drive-by downloads. However, to some, Exploit Prevention Labs' assertions make the entire Internet sound like a war zone, which it is not, said Jonathan Spira, CEO and chief analyst at Basex.
"SocketShield relies largely on reputation filtering and a knowledge of known exploit sites to monitor Web browsers and stop exploits via the TCP/IP stream," Spira told TechNewsWorld.
Techniques like reputation filtering are a good defense against attacks, he noted, but companies like IronPort have been using reputation filtering to stop spam for some time.
In defense of other software companies such as Symantec (Nasdaq: SYMC), Microsoft, CA and others, Spira asserted that these parties are by no means asleep at the wheel. "All security vendors are very well aware of the risk window and one can presume that they are not ignoring it," he said. Rather, they are likely focusing on "building defenses into their own offerings."
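The approach Spira describes, a reputation check applied to the browser's outbound requests, combined with a risk-window rule of the kind the WMF incident would call for, as an added Python example. This is not SocketShield's code or anything from Exploit Prevention Labs; the domain names, the trusted-host allowlist, the file extensions and the captured request text are all constructed placeholders.

```python
"""Reputation filter over a browser's outbound HTTP requests (added example)."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed reputation list of domains known to serve drive-by downloads.
# Placeholder names only; these are not real hosts.
KNOWN_EXPLOIT_DOMAINS = {"exploit-dist.example", "cws-dropper.example"}

# Constructed allowlist of hosts trusted to serve any file type.
TRUSTED_DOMAINS = {"update.example.com"}

# File types refused from untrusted hosts while the parser for them is
# unpatched; the WMF vulnerability of December 2005 is the model case.
RISK_WINDOW_EXTENSIONS = {".wmf", ".emf"}


@dataclass
class Verdict:
    host: str
    path: str
    blocked: bool
    reason: str


def parse_request(raw: str) -> tuple[str, str]:
    """Return (host, path) from raw HTTP/1.1 request text.

    The host comes from the Host header, lower-cased with any port dropped;
    an absolute-form request target (proxy style) is used as a fallback.
    Only the request line and headers are read; any body is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower().split(":", 1)[0]
            break
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        host = host or (parts.hostname or "")
        target = parts.path or "/"
    return host, target.split("?", 1)[0]


def domain_is_listed(host: str, listed: set[str]) -> bool:
    """True if the host or any parent domain (short of the bare TLD) is listed."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels) - 1))


def inspect(raw: str) -> Verdict:
    """Decide whether one captured request passes or is stopped."""
    host, path = parse_request(raw)
    if domain_is_listed(host, KNOWN_EXPLOIT_DOMAINS):
        return Verdict(host, path, True, "host on exploit reputation list")
    ext = posixpath.splitext(path)[1].lower()
    if ext in RISK_WINDOW_EXTENSIONS and not domain_is_listed(host, TRUSTED_DOMAINS):
        return Verdict(host, path, True, f"{ext} from untrusted host during risk window")
    return Verdict(host, path, False, "allowed")


def filter_stream(requests: list[str]) -> list[Verdict]:
    """Run every captured request in the stream through the filter."""
    return [inspect(r) for r in requests]


# Constructed sample of a browser's outbound requests.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: news.example.org\r\n\r\n",
    "GET /ad/banner.php HTTP/1.1\r\nHost: cdn.exploit-dist.example:80\r\n\r\n",
    "GET /img/photo.wmf HTTP/1.1\r\nHost: gallery.example.net\r\n\r\n",
    "GET /patches/hotfix.wmf HTTP/1.1\r\nHost: update.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for v in filter_stream(SAMPLE_REQUESTS):
        print("BLOCK" if v.blocked else "PASS ", v.host, v.path, "-", v.reason)
```

The two rules illustrate the trade-off in the article: the reputation list stops only hosts already known to researchers, which is Spira's point about where such a product's value really comes from, while the risk-window rule buys time against a specific unpatched parser at the cost of blocking legitimate content from hosts not on the allowlist. A filter at this layer also sees only what the browser sends in the clear; it cannot inspect a TLS connection's contents without terminating it.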