New SocketShield Said To Stop Zero-Day Exploits

Startup Exploit Prevention Labs is offering free downloads of its beta zero-day exploit protection software, which is meant to serve as a "Band-Aid" until software flaws are patched.

A start-up security company on Friday unveiled a beta of zero-day exploit protection software that it claims will protect users' PCs until they can apply patches from the likes of Microsoft.

SocketShield, which can be downloaded free-of-charge from the Web site of Exploit Prevention Labs, is a signature-based monitor that detects and blocks vulnerability exploits, not the worm or virus or spyware or Trojan horse payloads that traditional anti-virus software sniffs out.

"We actually recognize and kill the exploits as they come in," said Roger Thompson, one of the company's co-founders and its chief technology officer. "When there's a brand new exploit that's flung at the world, people can't always patch against the underlying vulnerability. Sometimes there is no patch, sometimes you can't patch just because Microsoft wants you to."

It's not unusual, for instance, for bugs in Windows, Internet Explorer, or Firefox, among others, to be made public weeks, or sometimes months, before a fix is released. In late December 2006, a bug in how Windows handled Windows Metafile images was quickly exploited by thousands of malicious Web sites that silently installed adware and spyware. Microsoft rushed an "out-of-cycle" patch to users, but they were still vulnerable for over a week.

The software, which Thompson compared to a "Band-Aid" because it's meant only as a temporary stop-gap until software flaws are fixed, is complementary to, not competitive with, anti-virus and anti-spyware programs.

"Think of it as like an EMT [emergency medical technician]," said Thompson; an EMT keeps a patient alive until a doctor is available.

SocketShield, which runs on all 32- and 64-bit editions of Windows, scans the incoming data stream of every application pulling bits from outside the PC, and examines the stream just after the data packets have been reassembled.

"Ninety-eight percent of the time, [criminals] are using the same exploit, all they change is the payload," said Thompson. So while an anti-virus company might have to create multiple signatures to detect each new payload, SocketShield needs only one signature to find them all.
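The two ideas in the preceding paragraphs, inspecting the stream only after packet reassembly and keying a signature on the exploit rather than on the payload it carries, can be illustrated with a small simulation. The code below is an added example, not SocketShield's or Exploit Prevention Labs' code; the "exploit" pattern, the payloads and the packet sizes are constructed placeholders with no relation to any real exploit, and the function names are this example's own.

```python
import hashlib
import re
from typing import Iterable

# Constructed placeholder signature: the "trigger" is a fixed marker followed
# by an over-long run of filler, the shape a monitor would key on. It is not
# a real exploit pattern.
EXPLOIT_SIGNATURES = {
    "demo-overlong-field": re.compile(rb"DEMO-FIELD:A{64,}"),
}


def reassemble(packets: Iterable[bytes]) -> bytes:
    """Join packet fragments in order into a single stream."""
    return b"".join(packets)


def fragment(stream: bytes, size: int) -> list[bytes]:
    """Split a stream into packet-sized chunks (constructed 'wire' view)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def exploit_hits(data: bytes) -> list[str]:
    """Names of exploit signatures found anywhere in the data."""
    return [name for name, rx in EXPLOIT_SIGNATURES.items() if rx.search(data)]


def payload_known(data: bytes, known_hashes: set[str]) -> bool:
    """Payload-style detection: exact hash of the delivered content."""
    return hashlib.sha256(data).hexdigest() in known_hashes


def build_samples() -> tuple[list[bytes], bytes]:
    """Constructed samples: one exploit trigger carrying three different
    payloads, plus a benign stream that shares the marker but not the
    over-long field."""
    trigger = b"DEMO-FIELD:" + b"A" * 80
    payloads = [b"PAYLOAD-adware-1", b"PAYLOAD-spyware-2", b"PAYLOAD-trojan-3"]
    malicious = [trigger + p for p in payloads]
    benign = b"DEMO-FIELD:" + b"A" * 10 + b"normal content"
    return malicious, benign


def compare_detectors(packet_size: int = 40) -> dict[str, int]:
    """Count how many of the three malicious streams each approach catches."""
    malicious, benign = build_samples()
    # The payload detector only knows the first sample, as a vendor would
    # after seeing one instance of the payload.
    known = {hashlib.sha256(malicious[0]).hexdigest()}
    caught_by_payload = sum(payload_known(s, known) for s in malicious)
    caught_by_exploit = sum(bool(exploit_hits(s)) for s in malicious)
    # Scanning packets one at a time, without reassembly, misses a signature
    # whose bytes span a packet boundary.
    caught_per_packet = sum(
        any(exploit_hits(p) for p in fragment(s, packet_size)) for s in malicious
    )
    caught_after_reassembly = sum(
        bool(exploit_hits(reassemble(fragment(s, packet_size)))) for s in malicious
    )
    return {
        "payload_hash_hits": caught_by_payload,          # 1
        "exploit_signature_hits": caught_by_exploit,     # 3
        "per_packet_hits": caught_per_packet,            # 0
        "reassembled_hits": caught_after_reassembly,     # 3
        "benign_false_positives": len(exploit_hits(benign)),  # 0
    }


if __name__ == "__main__":
    for name, count in compare_detectors().items():
        print(f"{name}: {count}")
```

One exploit signature catches all three streams even though each carries a different payload, while a payload hash catches only the one already seen; and the same signature is missed entirely when each 40-byte packet is scanned in isolation, which is why inspection after reassembly matters.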

Because the time that SocketShield's defense is most valuable can be relatively short -- the "window" between when a vulnerability goes public and a patch is provided by the vendor -- speed is of the essence, said Thompson. "We're going to be very rapid deployment, and we have both a human and machine intelligence network" set up. SocketShield, for instance, pings for updates every five minutes.

The software also uses a "blacklist" that blocks sites known to be spewing drive-by download exploits. The company runs what Thompson called "huntingpots," purposefully vulnerable systems that search for sites using exploits to spread spyware, adware, or other malicious software. The term is a play on the usual "honeypot."

"We know where some of the exploit servers are, and when we find new ones, we blacklist those servers to SocketShield."

During the planned month-long beta, users can run SocketShield for free, but once the test run is through, an annual subscription to the software service will cost $29.95.

Thompson and co-founder Bob Bales were formerly with PestPatrol, the anti-spyware company that was acquired by Computer Associates in 2004. Bales founded PestPatrol, while Thompson was its director of research.