Exploit Prevention Labs Ships Zero-Day Exploit Blocker

The signature-based monitor detects and blocks vulnerability exploits--not the worm, spyware, or Trojan payloads that traditional anti-virus and anti-spyware software seek out.
Exploit Prevention Labs shipped Monday the final version of its debut product -- SocketShield -- and said it was moving up the release of the enterprise version of its "malware Band-Aid."

SocketShield 1.0 debuted after about six weeks of beta testing, during which a number of users "in the low five figures" downloaded the security application, which protects users' PCs until they can apply vendor-made patches.

The $29.95 program can be downloaded from the Atlanta company's Web site; after the first year, annual subscriptions will run $20, said Roger Thompson, one of the company's co-founders and its chief technology officer. For a limited time, SocketShield is priced at $19.95.

"Zero-day attacks are more dangerous today than they were in the past," said Thompson. "A handful of exploit servers, leveraging tens of thousands of connected sites each, can infect millions of visitors within hours of the release of a new zero-day exploit.

"We're often able to identify these new exploits before they're released, and then update our SocketShield users. The lightweight architecture of SocketShield allows us to distribute very small incremental updates to our users in near real-time." SocketShield's download is approximately 2.4MB.

The preview period led to numerous under-the-hood changes to the monitor, but also proved out the effectiveness of "Community Intelligence," an opt-in program where SocketShield users transmit information about blocked exploits to Exploit Prevention Labs.

"We had lots of people finding exploits from servers that weren't on our lists," said Thompson, referring to the updated blacklist of known exploit servers which SocketShield blocks.

Feedback also convinced the company to move up the release date for a corporate edition from the second quarter of 2007 to October 2006.

"Users' responses to it [SocketShield] told us we needed to move on the corporate version fast," said Thompson. "People in the enterprise just get the idea of this as a surgical 'Band-Aid.'"

The business version of SocketShield, which should appear in beta in the next few weeks, will include reporting functions but no sophisticated deployment features, Thompson acknowledged.

"We'll have batchable deployment," he said, "so administrators won't have to install or uninstall SocketShield manually on each client. But [for anything more] we think companies want to use what they already have for automating software deployment."

In other news from the start-up, Thompson said that the SocketShield infrastructure -- including Community Intelligence as well as the company's network of human researchers and automated probes -- enabled him to come up with a Top 5 list of active exploits.

According to Thompson, May's most prevalent exploit was CVE-2005-2124, an exploit against a vulnerability in the Windows Metafile image format (which was patched in early January). It accounted for a third of all exploits detected.

"It's interesting that four months after Microsoft issued a patch, it's still the number one exploit being used by cyber criminals," said Thompson.

The other four include WebAttacker, accounting for 24.7 percent of in-the-wild exploits; CreateTextRange (CVE-2006-1359, at 20.7 percent); Iframers Launcher Script (18.4 percent); and IE Script Action Overload (3.1 percent).
