Security tool aims to stop drive-by installs

[USMCRET6391]

By Joris Evers
Staff Writer, CNET News.com
Published: April 28, 2006, 4:07 PM PDT

Veterans of antispyware specialist PestPatrol have developed a new tool that throws up roadblocks for so-called drive-by installs of malicious code onto vulnerable PCs.

The tool, called SocketShield, monitors Internet traffic as it enters a PC and takes action based on a blacklist of known bad Web sites and vulnerability signatures, Roger Thompson, chief technology officer at Exploit Prevention Labs, said in an interview Friday. "Before you can open a poisoned page and get infected, we can stop it," he said.

Exploit Prevention Labs is a new company, founded by Thompson and Bob Bales, two former executives at PestPatrol, an early antispyware company that CA (formerly Computer Associates International) bought two years ago.

SocketShield is aimed at shielding Windows users against what's known as drive-by installs, the surreptitious installation of malicious software as people surf the Web. Cybercrooks often exploit security holes in Windows, Web browsers and other applications in order to drop spyware, adware, Trojan horses, bots and other software onto the computers of unwitting people. Recent examples include the Windows Meta File flaw and the CreateTextRange bug.

The new tool can provide protection in the time between the publication of a security flaw and the release of a patch by the maker of the flawed software, said Michael Cherry, an analyst at Directions on Microsoft.

"It will always take Microsoft and other software vendors time to patch vulnerabilities," he said. "Having the ability to protect systems while waiting for a patch from the software vendor or while waiting to get the patch distributed would be valuable."

The SocketShield client software is updated continuously with information on known bad Web sites and vulnerability signatures. The vulnerability signature approach is similar to antivirus software; SocketShield checks potentially malicious Web sites against a database of known security exploits.

SocketShield is designed to work alongside other security applications such as antivirus, antispyware and firewall software, Thompson said. "We are providing something they are not," he said. "We're another layer of protection and have done a huge amount of work to make sure we're compatible."

While SocketShield may look a lot like standard intrusion prevention software, it is not, Thompson said. Instead, it is task-focused security software, he said. "Intrusion prevention software tries to be all things to all people and detect things generically so you don't have to patch," he said. "I reckon that is wrong-headed."

A trial, or beta, version of SocketShield for Windows XP, Windows 2000 and Windows 2003 is available at no cost. Exploit Prevention Labs plans to launch a first official version of the tool in early June. That version will cost $29.95 per year. Volume discounts are available. The company also plans to license its technology to third parties.

If you'd like to try it, download it here