Exploit Prevention Labs targets zero day exploits

I recently had the opportunity to talk with Bob Bales, CEO, and Roger Thompson, CTO, of Atlanta-based Exploit Prevention Labs. I must admit - the call left me feeling a bit uneasy. I learned from them just how vulnerable our computers are to malware delivered through known exploits. It made me want to disconnect my PC from the Internet and never surf another Web page! That is, until I get my copy of Exploit Prevention Labs' SocketShield installed.

Though Exploit Prevention Labs is a relatively new company - not quite a year old - the management team brings literally decades of security and anti-virus experience to the table. Members of this team are credited with founding PestPatrol, which was one of the largest independent anti-spyware companies before it was bought by CA. Bales was one of the leading developers of the National Computer Security Association. In short, these guys know what they are talking about when they speak of the dangers that lurk on the Internet.

Their new company is focused entirely on real-time protection against exploits, crimeware and other zero-day threats, with the goal of preventing vulnerability-targeting malware from being installed on unpatched PCs. An exploit is code that abuses a flaw in a program to make that program run code of the attacker's choosing, usually a malicious payload. A well-known example is last December's Windows Metafile (WMF) flaw. Attackers found a way to deliver a malicious payload to PCs through specially crafted WMF image files; merely viewing such a file was enough to trigger it. Since no patch was available for more than a week after the flaw became public, millions of PCs worldwide were exposed to attack during that time.

"The situation is getting worse because people are making money at it," says Thompson. He says it's no longer "script kiddies" writing code for the thrill of it. Now, organized crime rings use zero-day exploits to steal money from end users. Alex Shipp of MessageLabs estimates that 99.9% of malware is now used to commit crimes.

How are these criminals doing this? Here's a real-life example. Recently, a home theater message board on the Circuit City Web site was hacked by exploiting a bug in the Invision Power Services forum software that runs it. Visitors to the board were silently redirected to a server in Russia that attempted to install a backdoor on their PCs. It's unclear what payload, if any, was delivered. It could be a keystroke logger, software that turns the PC into a spam-spewing zombie, or software that repeatedly serves pop-up ads to the PC. Regardless, the objective is to somehow make money from the illicit use of that PC.

An anti-virus or anti-spyware program might find the malicious code on an infected PC, but only after it has already been planted there. If the payload includes a rootkit, there might not be any way to eliminate the unwanted code short of wiping the PC completely and starting from scratch. Says Thompson, "In the case of rootkits, it's 'game over'."

Exploit Prevention Labs' SocketShield software stops the exploit before it reaches the end user's PC. Doing so draws on all those years of security experience: knowing what the exploits are, which exploits see the heaviest use, how they are marketed and traded by criminals, which domains are serving them, how the payload is delivered, and so on. There's a lot of "blood, sweat and tears" behind the company's patent-pending technology.

"We have an intelligence network," says Thompson. "We know which exploits to worry about, and we do something about them. It's the old 80/20 game, or more like 95/5. 95% of the damage is done by 5% of the exploits."

SocketShield installs a driver that inspects the TCP/IP stream coming into the computer for known exploits, before the data reaches the browser or other application that would otherwise process it. The driver blocks the exploit on the wire and keeps doing so until the PC can be patched, at which point the exploit can no longer be used against it.
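To make the idea concrete, here is an added example of what "watching the stream for a known exploit" can look like for the WMF flaw mentioned above. This is illustrative code written for this article, not SocketShield's driver or anything from Exploit Prevention Labs; it runs in user space on a buffered response body rather than in a kernel driver, and the sample files, the `StreamFilter` class and its `host_patched` flag are constructed for the demonstration. The detection rule itself is the well-known one for that flaw: a metafile record that asks GDI to install an abort procedure (a META_ESCAPE record with escape function SETABORTPROC) has no business in an image served from the Web and is dropped while the host is unpatched.

```python
"""Toy inline exploit filter for the December 2005 WMF flaw (added example).

Models the approach described in the article: sit on the byte stream coming
into the host, recognise a known exploit by its shape rather than by whatever
payload it carries, and drop it while the host is still unpatched.
"""
import struct

# Constants from the Windows Metafile format.
WMF_PLACEABLE_MAGIC = 0x9AC6CDD7      # optional 22-byte "placeable" header
WMF_VERSIONS = (0x0100, 0x0300)
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009             # escape abused by the WMF exploit
RECORD_HEADER_WORDS = 3               # Size (DWORD) + Function (WORD)


def _header_offset(data: bytes) -> int:
    return 22 if data[:4] == struct.pack('<I', WMF_PLACEABLE_MAGIC) else 0


def looks_like_wmf(data: bytes) -> bool:
    """Content sniffing: trust the bytes, not the Content-Type the server sent."""
    off = _header_offset(data)
    if len(data) < off + 18:
        return False
    ftype, header_words, version = struct.unpack_from('<HHH', data, off)
    return ftype in (1, 2) and header_words == 9 and version in WMF_VERSIONS


def scan_wmf(data: bytes):
    """Walk the record list; return ('block', why) or ('allow', why).

    A record installing an abort procedure is the exploit primitive, so it is
    blocked no matter what follows. Malformed record lists are blocked too
    (fail closed): a lenient renderer might still play them, and an unpatched
    host has no other defence.
    """
    if not looks_like_wmf(data):
        return 'allow', 'not a WMF'
    off = _header_offset(data) + 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if func == META_EOF:
            return 'allow', 'clean'
        if size_words < RECORD_HEADER_WORDS:
            return 'block', f'malformed record size {size_words} at offset {off}'
        if func == META_ESCAPE:
            if off + 8 > len(data):
                return 'block', 'truncated escape record'
            esc, = struct.unpack_from('<H', data, off + 6)
            if esc == ESC_SETABORTPROC:
                return 'block', f'SETABORTPROC escape at offset {off}'
        off += size_words * 2
    return 'block', 'no META_EOF record'


class StreamFilter:
    """Buffers one response body arriving in TCP-sized chunks and decides once
    it is complete. host_patched models 'protect until patched': once the fix
    is installed the filter steps aside. (Hypothetical simplification.)"""

    def __init__(self, host_patched: bool = False):
        self.buf = bytearray()
        self.host_patched = host_patched

    def feed(self, chunk: bytes) -> None:
        self.buf += chunk

    def verdict(self):
        if self.host_patched:
            return 'allow', 'host patched'
        return scan_wmf(bytes(self.buf))


# ---- constructed sample files (not captured from any real attack) ----

def record(func: int, params: bytes = b'') -> bytes:
    """One WMF record: Size in WORDs (header included), Function, parameters."""
    assert len(params) % 2 == 0, 'records are WORD aligned'
    return struct.pack('<IH', RECORD_HEADER_WORDS + len(params) // 2, func) + params


def build_wmf(records) -> bytes:
    """Standard 18-byte header (disk metafile, version 3.0) plus the records."""
    body = b''.join(records)
    max_words = max(len(r) // 2 for r in records)
    hdr = struct.pack('<HHHIHIH', 2, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return hdr + body


BENIGN = build_wmf([record(META_SETMAPMODE, struct.pack('<H', 8)), record(META_EOF)])
ESCAPE_DATA = b'\xcc' * 8     # marker bytes standing in for whatever the escape would carry
TRIGGER = build_wmf([
    record(META_ESCAPE, struct.pack('<HH', ESC_SETABORTPROC, len(ESCAPE_DATA)) + ESCAPE_DATA),
    record(META_EOF),
])
# Same escape with a Size field smaller than its own header: refused outright
# rather than guessing how a lenient renderer would recover from it.
MALFORMED = build_wmf([
    struct.pack('<IH', 1, META_ESCAPE) + struct.pack('<HH', ESC_SETABORTPROC, 0),
    record(META_EOF),
])

if __name__ == '__main__':
    for name, sample in (('benign', BENIGN), ('trigger', TRIGGER), ('malformed', MALFORMED)):
        flt = StreamFilter()
        flt.feed(sample[:7]); flt.feed(sample[7:])     # arrives in two chunks
        print(f'{name:10s} -> {flt.verdict()}')
```

Two design points carry over to the real thing. The filter sniffs the bytes instead of trusting the declared content type, because the server delivering the exploit is under the attacker's control; and it fails closed on files it cannot parse, which is the right trade for a host that has no patch yet and the wrong one once the patch is installed, which is why the filter has an off switch tied to patch state.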

Today, the software is aimed primarily at consumers, but Bales and Thompson find that power users are bringing it into their companies. As a result, the company is pulling its enterprise version forward on the roadmap to get it to market sooner.

This "anti-exploit" software is not meant to replace anti-virus or anti-spyware software, but to complement it. "This is just another layer of protection that we advise users to have," says Thompson. Try it for free or buy it for less than 30 bucks - unless, of course, you want to disconnect your PC from the Internet and never surf another Web page again.

Copyright © 2006 IDG Communications, Inc.