
A New Approach to Fighting Exploits

Apr 29, 2006
Data Center, Hacking, Viruses

I just had a very interesting telephone briefing by Exploit Prevention Labs (XPL) on the release of their new product SocketShield. The purpose of SocketShield is to defend PCs against “exploits”, which are ways of gaining control over a computer system.

These hacking mechanisms now involve all sorts of techniques, including the well-known buffer overflow problem along with heap overflow, integer overflow, return-to-libc attack, format string attack, race condition, code injection, SQL injection, cross-site scripting and cross-site request forgery (see Wikipedia for a discussion of exploits).

The difficulty in defending PCs against exploits is that the techniques currently used rely upon knowing about the exploit and patching the operating system against that specific attack, or upon detecting the results of an exploit. In either case, the solution is to repair damage that is already done. In theory this works, but the practical issues of repairing the installation of a rootkit are enormous. Usually the only certain way to fix the problem is to scrub the computer clean and re-install everything.

To make the whole problem even worse, these exploits are no longer being created and used by the “script-kiddies”. Professional hackers are now involved and making money by finding and selling what are called zero-day exploits – exploits that are found and used before the vulnerability is known – to profit-motivated gangs. Gangs using these zero-day exploits are unlikely to be detected and, if they are, unlikely to be found and prosecuted. The result is that executing successful exploits is a low-risk and very high-reward business.

For example, on December 27, 2005, the CoolWebSearch gang launched the WMF zero-day exploit. Microsoft immediately acknowledged the vulnerability when an anonymous poster reported it on Bugtraq. On December 28, 2005, Microsoft suggested disabling the vulnerable DLL, and on December 31, 2005, a worm that used the WMF vulnerability was launched. Still no Microsoft patch. On January 2, 2006, an unofficial (i.e. non-Microsoft) third-party patch was issued with the blessing of SANS, and finally, on January 5, 2006, ten days after the Bugtraq announcement, Microsoft issued an official patch. Now ten days may not seem a long time, but when you’re talking about worms that can potentially propagate across tens of thousands of machines and hundreds of networks per hour, the risks are not to be underestimated.

Exploit Prevention Labs argues that current attempts to block exploits are not really up to the challenge of keeping our computers safe. They pointed out that vendor patches can take anything up to 6 months to appear, that third-party patches create confusion in the market as well as potentially introducing new vulnerabilities, that anti-virus and anti-spyware engines detect risks only after exploits are successful, and that the focus is on deactivating payloads (that is, the worm, virus, rootkit, or Trojan that gains access via the exploit) after they are installed, not on stopping exploits before they can do anything.

XPL’s product, SocketShield, approaches the problem of dealing with exploit attacks in a different way: as the major focus of exploits is currently on HTTP traffic, SocketShield monitors port 80 traffic and attempts to detect exploits in real time and stop them before they reach the application – typically a browser. XPL has deployed a number of “honeypots” on the ‘Net to find and characterize new exploits as well as to identify the sites that try to deliver them (these honeypots are both passive and active – the latter actually go out and simulate a browser and then look for anomalous responses). A list of new exploits, along with new sites found to be using any exploits, is pushed to all SocketShield clients within about five minutes of their discovery. This is intended to ensure that exploits attempted from both known and previously unknown “bad” sites will be blocked.

The current release of SocketShield will be followed in Q3 this year by an API that will allow third-party integration. XPL also has plans for a whole range of services and products. SocketShield will be reviewed in a future Gearhead column.
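To make the inline-filtering idea concrete, here is a small Python model of the approach the column describes: inspect each HTTP response before the browser sees it, drop anything from a host on the feed's blocklist, and drop anything matching a signature for an exploit the honeypots have characterised. This is an added example written for this page; it is not SocketShield or any XPL code, and the feed format, hostnames, signature and sample traffic are all constructed. The declared-content-type check in step 2 is my own heuristic for an "anomalous response", not something the column attributes to XPL.

```python
"""Inline HTTP response filter modelled on the approach described in the column.

Added example for illustration only: not SocketShield or any XPL code. The feed
format, hostnames, signature and sample traffic below are constructed.
"""
import re
from dataclasses import dataclass, field

# Leading bytes that real files of these declared types begin with.
IMAGE_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/bmp": (b"BM",),
}

# Constructed feed update standing in for what the column describes being pushed
# to clients: newly observed bad hosts plus signatures for newly seen exploits.
FEED_UPDATE = {
    "hosts": ["bad.example", "ads.bad.example"],
    "signatures": {"CONSTRUCTED-SIG-001": r"CONSTRUCTED_EXPLOIT_MARKER_\d+"},
}


@dataclass
class ExploitFilter:
    """Decides allow/block for one HTTP response before it reaches the browser."""
    blocked_hosts: set = field(default_factory=set)
    signatures: dict = field(default_factory=dict)

    def apply_feed_update(self, update):
        """Merge a feed update (hypothetical format: {'hosts': [...], 'signatures': {name: regex}})."""
        self.blocked_hosts.update(h.lower() for h in update.get("hosts", []))
        for name, pattern in update.get("signatures", {}).items():
            self.signatures[name] = re.compile(pattern.encode(), re.IGNORECASE)

    def inspect(self, host, content_type, body):
        """Return ('allow', '') or ('block', reason) for a response from `host`."""
        host = host.lower()
        # 1. Known-bad site: block regardless of content (the blocklist case in the column).
        if host in self.blocked_hosts:
            return "block", f"host {host} is on the blocklist"
        # 2. Declared-type check (my own heuristic, not described in the column): a body
        #    served as an image that does not start with that format's magic bytes is
        #    treated as an anomalous response and dropped. Types we have no magic for
        #    are passed through to step 3 rather than blocked.
        declared = content_type.split(";")[0].strip().lower()
        magics = IMAGE_MAGIC.get(declared)
        if magics is not None and not body.startswith(magics):
            return "block", f"body does not look like declared type {declared}"
        # 3. Signature match against exploits the feed has characterised.
        for name, pattern in self.signatures.items():
            if pattern.search(body):
                return "block", f"matched signature {name}"
        return "allow", ""


# Constructed sample traffic: (host, Content-Type header, first bytes of body).
SAMPLE_RESPONSES = [
    ("news.example", "text/html; charset=utf-8", b"<html><body>Hello</body></html>"),
    ("bad.example", "text/html", b"<html><body>Hello</body></html>"),
    ("cdn.example", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("cdn.example", "image/gif", b"<html><script>/* not an image */</script></html>"),
    ("blog.example", "text/html", b"<p>CONSTRUCTED_EXPLOIT_MARKER_7</p>"),
]


def run_sample():
    """Load the feed update and inspect each sample response; returns (verdict, reason) pairs."""
    flt = ExploitFilter()
    flt.apply_feed_update(FEED_UPDATE)
    return [flt.inspect(host, ctype, body) for host, ctype, body in SAMPLE_RESPONSES]


if __name__ == "__main__":
    for (host, ctype, _), (verdict, reason) in zip(SAMPLE_RESPONSES, run_sample()):
        print(f"{verdict:5s} {host:14s} {ctype:26s} {reason}")
```

The ordering of the checks matters for the latency the column is concerned with: the host lookup is a set membership test and costs nothing per byte, the magic-byte check reads only the first few bytes, and only the signature scan touches the whole body. Each feed update is merged into the running filter rather than replacing it, which is what lets a client pick up a newly discovered site or signature without a restart.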


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at
